1cf148ca064acfe320873e50707bcfde6e653b6a783c432faf0d660684447325

Analysis

max time kernel
158s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Size

24.3MB
MD5

d65a5838b4b2db0fdc22f32c40c8fa1d
SHA1

208b4d9982136b513f22000b70ddf731eb654810
SHA256

1cf148ca064acfe320873e50707bcfde6e653b6a783c432faf0d660684447325
SHA512

dd58d8af352857d50c91426ad0bd7909ce9f1fcc89356ac90a727aeb259fe3087282a71062743d35b86c1760ccd4fe74e304c74d074abd99ba871fb1883fb9ef
SSDEEP

196608:rP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018QS:rPboGX8a/jWWu3cP2D/cWcls1pS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3456	alg.exe
3440	DiagnosticsHub.StandardCollector.Service.exe
2020	fxssvc.exe
3092	elevation_service.exe
2744	elevation_service.exe
4584	maintenanceservice.exe
3052	msdtc.exe
4284	OSE.EXE
1132	PerceptionSimulationService.exe
4944	perfhost.exe
1972	locator.exe
2652	SensorDataService.exe
2244	snmptrap.exe
1436	spectrum.exe
3040	ssh-agent.exe
2960	TieringEngineService.exe
3488	AgentService.exe
3724	vds.exe
764	vssvc.exe
4324	wbengine.exe
4896	WmiApSrv.exe
1112	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2b257d89b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9a0273b9bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027c26c339bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eeeec419bacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a56e6c269bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed41d93f9bacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

pid	process
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2020	fxssvc.exe
Token: SeRestorePrivilege	2960	TieringEngineService.exe
Token: SeManageVolumePrivilege	2960	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3488	AgentService.exe
Token: SeBackupPrivilege	764	vssvc.exe
Token: SeRestorePrivilege	764	vssvc.exe
Token: SeAuditPrivilege	764	vssvc.exe
Token: SeBackupPrivilege	4324	wbengine.exe
Token: SeRestorePrivilege	4324	wbengine.exe
Token: SeSecurityPrivilege	4324	wbengine.exe
Token: 33	1112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1112	SearchIndexer.exe
Token: SeDebugPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4440	2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1112 wrote to memory of 5340	1112	SearchIndexer.exe	SearchProtocolHost.exe
PID 1112 wrote to memory of 5340	1112	SearchIndexer.exe	SearchProtocolHost.exe
PID 1112 wrote to memory of 5400	1112	SearchIndexer.exe	SearchFilterHost.exe
PID 1112 wrote to memory of 5400	1112	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_d65a5838b4b2db0fdc22f32c40c8fa1d_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:232

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3052

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4912

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5340

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
00744fd19b7c3e7690b7d4772ab1797a

SHA1
4913b0c669523f47751e2808d2635b72f611839c

SHA256
f8679a405cb1205109dcbb1dac9719759df057096fb2bb5e4d2d059966ec96b6

SHA512
dc5d51a08b0841dfae8529fc4f92e84f6a2b368fb4938fe549774c67157692f1fd28260dadcfae991509d28263f533333f294357dcce037ed8fd7602067fea81

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6fbd4a0fa7e6b088ede0dac3c1be8417

SHA1
4a3ea93f31ab983dad6d9ba526038a16f6380c22

SHA256
3e87939359ef44565361d5b657bc7cf17fc2f6ac5eee3be835435ea0f3d35ca8

SHA512
fd7cdd9c70f00a49e67dd27874939b2132498c5308dcca13f9f374cebf1ac68c9b0022f4ad85bfa3279cd5ebce09a908b66cc7c48cc2883894607089e3c2edb8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
11719105d3890024563e4ec2b2857481

SHA1
2dda259f0030b1e6d67ce853d092ec7a5d07bc13

SHA256
39df888cade15c1ff099abd69faeae86d81931b7b0eff9a5dafff0f210283e89

SHA512
4c1e042cb90f16c4d9b89976187de64c5a12d1453f2b3d2fd7f786686776ae21df70ec6fac2e8a8e8479cafca0e8e882f21738a4a1b8b0c4500bbffc2ca3addb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
caa18fcccf2a92998e3e9a1985c7f86b

SHA1
21f5b8896842b0be625633e1e7d2e83595a81598

SHA256
020be6248c311590937fd8633210a92ed36ffef600081bc62e7e0eb2da0e4ac1

SHA512
d77ab1f7c18664c63041be1480947d830bd9ce47b83e1d59ccb47b7c61a9d9ecbd12f65e8da5928e082056d88023b0e1b2aa35fc0ffe7070b0cc4c778be284f4

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4181c31326f4d245fde036e9e41f1b3c

SHA1
ae7f561197ea618d408b9b8fefdddbe08dc529a3

SHA256
d4e7d22aac71ef20b4aef5a7111bcb08f4ad8919d4a816a56c30162c30456e00

SHA512
3bcf2cc56b2b154375a24d7645aef3ac0d2fc41d0cac790f2e1f1675fa651ded0c00119f30ed14157abfdad38c8f41ba1a9bb3a37cf4c026ad2dbf1eed8282c1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce1e0ed14bac97374d454dddeccbf345

SHA1
dd206143cf0312a0acf6a0c1f3609bb11db8daf2

SHA256
952d27d19636b81f23f9ca35d5c56088b59d59116932d3ff1bc168659f2e5ecb

SHA512
0a9db7e06b19f321812e7192ba7a07afb7f015ca846ec3ae936faa4f35b002ca33abee8929679579334a378138454e000680c1eb89ec363472ead5eccb5e4c07

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
62854fa77cb953219610d98e6d6802c8

SHA1
fa0ddcaef5262d95303824510a0d4d54f78c4663

SHA256
b0d86218d6ed3340744e3935ec7376036a882dc528168bc10a18ca6fbba8c7c5

SHA512
a6b9ea6d2cad1221cb10655b31b6268c60483d1908913aa540eed73ee50534f06998844d558de0106ce00c99bb54a680da7462aa4b0615fe9e446bbd6a03e5c0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6abf4200de7c086fd86bf77c117c55c8

SHA1
b93afe4f119f001f1b3bcfd3cc47d1b117db8826

SHA256
7c095bb85b207c8d4304b044d62e45a21b2cb34e65b3738c517a4c6d605f5690

SHA512
3dafb5d59bb0ab212b7cd1f46929f50382e2d48beb8141d369e6dd6c6ec010158cb348502ea36d4ed4d02ae1408497df1a06b3c1975b4b0a5b3647dc7eca846e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f2e09884e1e3d73d0daefbeca93bcb64

SHA1
6a4bd8f4776b311931ca2c80b9dfb939fbbda0d1

SHA256
095f840b5b6bc571aeaa61ae40a3f921a2e006f24b84037efa4a22e4824bac76

SHA512
bf11a6a4d6212d5faeba896cf9486c93894fcdcdc089abe0485c06f35a23915d64354490f0502b62f51423658347e203c344f47410ec341c5135dbefcb18c6f2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
2d7c7ec404be594469e303d902e04844

SHA1
7de10f1fd4a4a8e5236f24ee24b82e7c2f07d770

SHA256
21bf74e25f2e0559ac9cb79b5bb063e4e0566af82f9fe46391cbce8fda73a711

SHA512
ef9237826d720931d62866d7432ca4f10fdc530e92663c0759b55aedcf0b2ed3d96091c5542324779d15cf2a213e94583925be23aaa948ba3d1afa549ca188f0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c38aed9e75200164c27b26fc357b796b

SHA1
29938e3ba6904b953a913c646670ebd2c3bfce1a

SHA256
bf9be66906907144f6b283a8e7dd65678e4f4f15054d106b24b06f1907bafcf7

SHA512
503e85b3fd7746304ed17d3d3df3c7f89ec3f3e8378a2ae1ba88a3032c84782ddae18215a8c938f69ddbcbc64417175241d3216f90e67be28dd7f60c1dfb80c0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
891801841950fddc1dd707d2fc68b25d

SHA1
7f301adfdc129cf40c7d0b889b68870fbe3df727

SHA256
e7855091b2fe84883fff4ebb48afb9ceaf0dded8f8058322f73365b667be006c

SHA512
19b518ff3566ace8b5feb24221e597d8fafa2a117f5204d73e474ab58c6b8349c68c98ee2e0a58b47c19de0a5eac205b2ffbb6d4b616aa8d4a3476ae4504ddb2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9ad858210afaad5f014f4604bcd3b14b

SHA1
fa652e549c7aea7d87d4e6bd813ca7e010473175

SHA256
315ef50594513d3bc8c39ef5a386f83966f22b52a652c2f6def96b042f68df1f

SHA512
74f478141b7774b481eaa664c116f1a0cab7f4c799bcd9842070a87da3c2bd0a0f83a0a036975d23075cae437d1e9b0f4edda108dbf69796a61179d2f3cb9493

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2a57df14761b054828d5ff91060a41a7

SHA1
44840ab0f836ce5b5d30b501941a07624448a4b9

SHA256
1438013e76d0f787a5ac552a6e2caed95af128e9913e2818fa0ee3fe45f34fee

SHA512
af60b3ee498bea5ed19815a18ddedaad69f1ad9b07a7e5424db0bd12e66ab63d5fee8e8947556eb91929319cf06abc117c62ca348e55776896b13a74141d7073

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
02a0d85bc00675a61a4401ced2a44978

SHA1
433b513880fc45cf1f54c825746b3976b67182e8

SHA256
d638b05e8abd745da0c9ca78dc51af6e7e4fb889f77c3a1c20f4fa5f7ef02c64

SHA512
72cb1d22f00b9a6619b3dde96a561fe57d053b016428789ef42f5453820859d7ffc6a128f18963d6694a0654982c74436fa76fad06fdc64b001da7cb0da393bb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
91632286c193e8d968e6fd2cff1fb065

SHA1
36eda54d6a0358707802e5caea2298b82eb7cb3a

SHA256
13612ed46d0466e496f2ebd905d1dd1329c48769c8c2e48adb71360b7c5a7f83

SHA512
bf26a52144018108f467e11997b45241c28bccf4b7310c035d4f73ffc808a68cfe6107c1112abf139223a05afb24ef0e52fc9838619c45212f047a0f3173ad8e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
fc001fd3e0693cfdd731126b98ce226e

SHA1
e50acb25bb635a56ab26ec7edbc3d3a36c1ef173

SHA256
290cd8ba524ec2fd849ff3deb2d33c461d7538df50cc91f786b0c670da669f87

SHA512
c6a1490d25afbca36362241f71280aa9b74260abfdf7bef4177da34e3f5602c6cdcb29850129aefbbb2d23a97208020930e2da0f6d2fbe1738ea7781469e0ace

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
722fb3160ba97dbf64bc4b778e2ef2ce

SHA1
5c94f1e208d8717c9a122c6da32fb366c07b5b83

SHA256
9c27d4bd71a182783a49bada4b2c5be94660e70eae4f329035f64494fb91f235

SHA512
53a5337fd4bf398ff66eabab61a964d3e4712309576b92b5a6eac925a9c3d1cad055ebbdfd0d962b0cf2c78b87d1b4983483aa9180aadd16b92241a14ab91685

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
404decb76723037db1ea13454a5b8831

SHA1
635ead38114b3dd7f92b281d574f2c91e0aac20d

SHA256
48d6fe6eaa87e75128d42104e38b522476f9601025c455b2703fbfd48c77a43c

SHA512
6788b1b25273e4e9d86ec7675945e42e357563640f7c684269f5911025b38ca7effcccea57e448b8c5247eccb7462bb0198d46ac58a082230a7c9a089af5813a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c5e68c5122fce7c0f6617a9c68438386

SHA1
cfa27d3e900ad7f09ab693609ec37b2d70d50710

SHA256
223ce98b66734f54c7a8cf7fd55f076bbbcbcec06e133444e725d8bad59bfe96

SHA512
df30f8d102fb97583503ee9140ab54e9aaf41878b7f95db0a079cb3223436f15a9571485b8cf08b38ec5929b1bb3ab32b1b65f21d7a3bb70e7bc78c6eaca06cf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
addff70a45ad5096242ccb8c46da9bbb

SHA1
6f81a8ba3c47fa656cc5f5e6dd9c76a3b7e313e1

SHA256
1c1101de562f83122ef9c0391b849bdd410c047376fa3ee01c6ff1ce072aee44

SHA512
d5735ea2f5d507fd3a47ec2b7cc007c922a8ffd10fd0954878f4a1bff537a8ce717d3d22f2e8ad7901feb2dfb8be86fc185da000dce654f976370183594e89a0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a8a69c2e161f0884eb7b0add9e51ed39

SHA1
d9039840a5d92af566d795a4ac6446112f9bb9ec

SHA256
27af0dcf68e392cddc45ef5e54481383aa2d8964c6d38ad7e99db3c604cf9a08

SHA512
66f42e8532b3554ccd95d933fea4ed79f4a19b5de8e29b838d85be65d07038a61d1dd3620f04bdd6d2fccb68360a52380be7b06bc4f0d752bef1be11f61a3eb2

Download Submit
memory/764-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/764-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1112-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1112-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1132-157-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1132-94-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1132-88-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1132-87-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1436-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1436-227-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1972-110-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1972-165-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2020-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2020-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2244-117-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2244-214-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2652-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2652-213-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2652-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2744-133-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2744-43-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2744-51-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2744-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2960-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-145-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-258-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3040-134-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3052-148-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3052-69-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3092-32-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3092-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3092-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3092-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3440-22-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3440-23-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3440-99-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3440-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3456-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3456-98-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3488-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3488-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3724-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3724-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4284-153-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4284-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4284-79-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4284-80-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4324-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4324-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4440-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4440-1-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/4440-6-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/4440-7-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/4440-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4584-60-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-54-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4584-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4896-166-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4896-323-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4944-100-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-106-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download
memory/4944-161-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4944-101-0x0000000000600000-0x0000000000666000-memory.dmp

Filesize
408KB

Download