219ee270e9983f506616eb17c24704f324cfe5de7d236f4eb94d29a5c6262d77

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Size

24.3MB
MD5

d53efa453e187cf04de34b58ca7e36d1
SHA1

573b69a914165b40f46f17a0529da4aec34811a8
SHA256

219ee270e9983f506616eb17c24704f324cfe5de7d236f4eb94d29a5c6262d77
SHA512

980e276ec9e8325bf0e93acca132cf9242f3127d4a686ecf64f087b6a5f5d80076585954933b8131d9e6a70238e11bb75f6ce22f1bf2bb995e4d8639e9c7d10e
SSDEEP

196608:XP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018C11wl2:XPboGX8a/jWWu3cI2D/cWcls1TS2

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1524	alg.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
2236	fxssvc.exe
3316	elevation_service.exe
2104	elevation_service.exe
4020	maintenanceservice.exe
4364	msdtc.exe
4912	OSE.EXE
5088	PerceptionSimulationService.exe
4304	perfhost.exe
4108	locator.exe
3632	SensorDataService.exe
1240	snmptrap.exe
3212	spectrum.exe
3640	ssh-agent.exe
3656	TieringEngineService.exe
5068	AgentService.exe
1040	vds.exe
3976	vssvc.exe
4808	wbengine.exe
796	WmiApSrv.exe
4492	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5cd31701ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcda255cf8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001170dd5cf8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d19b875cf8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d4c985cf8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067ae9a5cf8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000007dc65bf8abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd24915cf8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301ac45bf8abda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072b33d5cf8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebb6e05bf8abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe
1460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2236	fxssvc.exe
Token: SeRestorePrivilege	3656	TieringEngineService.exe
Token: SeManageVolumePrivilege	3656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5068	AgentService.exe
Token: SeBackupPrivilege	3976	vssvc.exe
Token: SeRestorePrivilege	3976	vssvc.exe
Token: SeAuditPrivilege	3976	vssvc.exe
Token: SeBackupPrivilege	4808	wbengine.exe
Token: SeRestorePrivilege	4808	wbengine.exe
Token: SeSecurityPrivilege	4808	wbengine.exe
Token: 33	4492	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeDebugPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3092	2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1460	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4492 wrote to memory of 4700	4492	SearchIndexer.exe	SearchProtocolHost.exe
PID 4492 wrote to memory of 4700	4492	SearchIndexer.exe	SearchProtocolHost.exe
PID 4492 wrote to memory of 1956	4492	SearchIndexer.exe	SearchFilterHost.exe
PID 4492 wrote to memory of 1956	4492	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_d53efa453e187cf04de34b58ca7e36d1_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4364

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4700

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
f07637071935563aa58017a22107b667

SHA1
951367f14a08ffd03fae8be635348dc7b4f25a54

SHA256
4e7b1eea4405d09a5020c56b549a4fb2159dcdb3b8acf73bfa77fc8bd307b131

SHA512
6cd299fe91445bcecdb46ed52bd4a357a1c4ab9f655df45b1f956c3895caf7b1513687496caaa029cf0762e8a98fa429782ba543cfffea8241d30e8ba8a1b9e1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
23f338d42f79b427551d4cb8dd89017e

SHA1
e72155abccf626ba7cd49217b0db37e6514eb7a2

SHA256
9d418197632c796c04416b66ad78cef27308d17eace8166cb96e98a08ab1a051

SHA512
34dae75790fcd8fe6c32d3cfad01bd7ee629c1a9d2bace67413f15243d2a3db0c33106de28cc001ae7fe47f5cee5e23b5e4303550445ec642d34e16de733a786

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
a70cd9a60723f01f65e5da09af4dd434

SHA1
0451bad9c5ad2f7c00e928e18b20d03a8d53041b

SHA256
b2faf55ef98ef17f2936b001b7b7122c15c914f091297aa1446a742d5dd975df

SHA512
47a20cb3d4047992e587947835785b87dd8ba35a481060ec64f88a836652bbe978b5c534f272ab70470cfb2a4b97387683d2085485ec9ddae24e941048fd47d9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
76443d39678a4b11fbc9d35ddbb4346b

SHA1
d9e11cf5067e167b82161305ede9938964bd0730

SHA256
bbbcb3240301197d15dcc0c4f27a68c8ba8c58229bd735aa264465eeed4f0a6d

SHA512
b2a2753fe88bba547ec357c70edd9f086feadb6e484d646897388c912222d0de4391846907d6203b74600c9a7c62259d8b7d23a0bc6202763d8acfbc9bf443bf

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
75bcffaeb7d152099852e108482e580c

SHA1
79f3786bf32966bbe1070ebc117551d2357c2617

SHA256
469033e063352f0e13b9620a25f286c2769daafed78fc02cf8dd2f828ca34403

SHA512
43f9b8331f65df2e308651943c4e4e81bd4a8ae5f5b432afd353dd9ec41ee6ed9f4ad0894038c60acd8131917f9429811b27f439658e756c009f222190fe42ec

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
43d038de89ff16fa5d36738ffd407486

SHA1
68a6a7fc278a86e9aa240a0a821b1d1fac1725cb

SHA256
946aa1182a5756819fe336ac87adad92db15d94f4c7161d15d472c063856635d

SHA512
bb080241ce57c92d2c14fed8825bdf3013812f729e132ff7a82549bac533836966b74f305f5f507ccb321bdea48e80326addff23f1964330520ddf195da8bd52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
1a84897e9824e6f59798ffb0eed374f1

SHA1
ed2565c0e883851fac549a25048b0bc1d3026ced

SHA256
4531237bcbf9ae85afbdd37f1912940dcf369137702f440fd91a2de59407eb82

SHA512
1fc6ed667394dced67b3d3fdc8143f2e3eb26d398b8094c97f1bc9decff4505df39b06da0e6ff87db982ef4ce7606efe1d3c55ebdca67aeee9c0ab9f08f7cb8d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
dad4241003f64f2171fc1a25dcc0c8b3

SHA1
f36fa4482efcc978310f3fd953069e4922bd5f05

SHA256
180870704a3aa195d2bd671b1ca9f40842e547f5c733b678532a5f9a68a69310

SHA512
134dc087a61d71dcaf7f8abac9241c8b713e252df6af671b6405586d5a421ae8f41fcd4ee9b449952d6243bcff5aeac3bb9de5a3ba18a29771f5ad5cd7b17af2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
d7629ac375fc36d20a191733014a771c

SHA1
8738e332dd2422323ea2bd572530d1b5d8387293

SHA256
0c6d18767a074af7de683db5dcf543b144dd1a409949330d088176601e5a82a5

SHA512
0f879aaae6625552b2094f28a78b942b8ec75575ccc47c40867074de528b3643bb44a58d152ab8d819d9de46dab541d222e7385e33dfe9025deefa2e14f298d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
7f8936611161c17b7bbba9b7c18655b9

SHA1
f7e2629e5aa3238c9410b008f0d7777e4b1fc0ce

SHA256
f6ffbf518205326abccca2a568868ea39ce23773508008bbe991f361ebb82b78

SHA512
4d085fc24ea31ad63d027ed083f4019fd60f8ee67391f66ac86628d928a5fc1666afc62d601f0e03d57f181b8d26a4b3725777bc0d1ad00a032a5a90fb13473a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
ff77cf47a77f68fe307b19b6f3704930

SHA1
ecfaaa6ba7287665f1d0b2308be6fcf1cafa43f8

SHA256
ab21814582b6c95e85c678012c62243a0d0b5bdfa8128ca22110c1a7008d7c9f

SHA512
ff2d321c8dfb4f6e985a9074a2f7cf2d5b5d8dbdfb1a5d54f7264e2da47695cc4ccaace24170033997206c25b1cd16e89a08872626fe018d5a8edef13a3c57af

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
c35a2784b3436792dfcfe804d837efd1

SHA1
7862016a43543da3128a27673099bee443c67809

SHA256
e46a8cb68aead884226b82f6d1ca8ca08974a0ee12653b26fdcf9fd8f7e85123

SHA512
cd51f83e9ca3c508fab66fe2027b966f12cb0dc05314e1a7a6f9b6d6492c6fbb2f758abf37ab9e224016e506d978416f0816ab73a169f95acb2adb6575dc2378

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
753ec2edbc085f1a6f18cc91a4792f61

SHA1
86f7999a12c36ac50f2529e22d419fe33708b697

SHA256
237bbc441599f6c3a6c09041309419aae0f35ea30aa5876d6571414f7dbeac70

SHA512
fc11fc075d7d00f649328ada32094486dc9e3a05a44689272fa0fb364cbc43fc6c9e2bf641ca77f01bbd87676e3c90f8268e891b130685fb6aeed6f5cb69f479

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
2bb3148aea94798a07e5c35536fb04d5

SHA1
6e12c6c2cc0e23103b5daa4abb3c3ddc073b1fa7

SHA256
9a4fd2f69aae378efabc788fb89e8d5156ffe3492405d26af313f1c7d7d731b6

SHA512
432319029ef1346d922b33927cea448da36511492b0f6542a2ccd0f5c7f047ad2161cc4305c3121b7f0de89babf3be6541bb253d609845ce841b3f692331c6bd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
05926eb04361525aedf915a7f01b20bf

SHA1
34c43a9ec35678e0f4e1d65a7312270187eac6c7

SHA256
d18d9520d8f5e4b98d72fe5314f2f81705e8cf8fbe7c9643a17d51ccff2230e4

SHA512
6a5a5cd68fcd29c77d756cc79246003090accbca432b09b06e0aea526cbec7863234accd2717e0228fc6cd21267bc850a4cdda2e584095381283f306b53799c5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
8c20f2083d374df46f05cd4ca0a23b2c

SHA1
ccafd7dfdcdd4a5a837beaca866c537431413670

SHA256
0fb7ca0524bff9ccfcc7520a5abd390690420a4b4c1954cd7706a2838944dfd0

SHA512
1d0c39b877d863df8abe1ca136338d8230c5ce5b5de64fcb632a94639a32d3593bc896257762dfce9b912690a293711feca4f9acf19b3f669a3db270832a76f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
31ddf22cb4649d37412f8987725265b7

SHA1
93926a2de5ddf77644d78395f0d8ff7d2df0969a

SHA256
95c3230a843efc83f766a52c46582e2fad292a27700c61cfade7629854c66728

SHA512
0205736f7a5e4a031568fdd2c2c7cfc91b8241858786b9146251529845879a96c6bec6293ff91868ba3eb42ed12b776c83abea08afe6b643cb239bceaeff736e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
1f0681257a37eeaabdaf9ef6b7c24f7b

SHA1
55e012f5683a03978d19c4ac5b452ab72b7bc568

SHA256
961c2ba114ac05d7d4346f87179f4caf62e6d075da1dc5e8b562ad9d3d58b4d0

SHA512
16b649885fabd1be46db0f1c05b887a9bd7386056bd3d7516c58a725b306f07615f2b5caa93048805775811f8713aa959708725c9b12502c9b25eba055264ccf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e29138a49628c040e4d063c2c0af151c

SHA1
b44de92faaa2f9e38fe04e10697522ad1cffaea1

SHA256
672e3f53dd19ef2f5938dd114a6b6bed7930f83e382132f3e7b12bf03d8d886c

SHA512
9cc53a8fcb1d99ee7490aec9d33da89629fc2a5ac5cdd15b5f943e380c1e897db6be5420c094186bf94100581bb10fcfae24b2f36f169b625cbe2558cc372b4d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
4968169ac6d59fb355484ba391246674

SHA1
fa349229c873f9e540a5b241463f0d52871e8918

SHA256
5d3b9cbc36eb3c0d4d768bc037f0c6812a81ebf96bfdf45c739aef6cbf1eb145

SHA512
ff8172e65681f35e0d74ba1694d3a314b92e712a0139f83f468df00d65dcf7bb1e8b595c247c4cba844bdcf40d6e16fec9b07708e9325523e3540a5cf50e42eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
cb6ec859104c1794dbaa956c922c871a

SHA1
93e7d02c6d2f27829baf339a3424d8d84fd94d75

SHA256
f9209aeea42a90d39dd1003510e92a310e179b5ab403ffd28412c89559acd4ab

SHA512
cbb33d2d1c28f62cbb8d0598fccd250e0a79794ceb2aaee382817125c18880f1b829e484582e56ac0833b335666b9fff1a8516320325fc39aed21c6b42346723

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
e9cb841019707d2f617265d984fc702c

SHA1
877287e3aba312beecddc634f22e9763f3deebf5

SHA256
a545c0e1f323b8d39219a25d28cd988f0c5e58854c538bff9a4c025e2f15b0a4

SHA512
25dd762cfc3996c063443ab97c0cf73ed30d22264262bc6caa5b89541dc3229289e96823455670a107cd6a148fadf185e742945a407912d3a0a0cbf6960a9a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
80b616047198e4ebbc20a0ecfcbf79dc

SHA1
cdbfe18ace83d10224e9376a8378fdb13693390e

SHA256
d2bd2745396bc3c92dc6cc9e7883371c0546a2b4eeb399995603d2f50d86dfb3

SHA512
19fb719b66d6974faae78d5b858bfa657d7087c7f869921b543e7d3e2474c00fcebcc5bae99a8c41cdc967b5632c33b978e8916bc7a91cb2bdbb3f40f387fa1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
fa7e501a56d8cf209b069c1d38bba5f5

SHA1
3ebe5ae4cbe0505252a0d4134dfc499001d62f06

SHA256
1bcf617abcf4d2f112d843bd76424841a6d8f23d6c38e958102863b91c1577ee

SHA512
636ee7203eca6dd397b7db87c83a10b3134a448e9c07323e6aff910024483397fd22591f9473b04f86bb18ec9e0b3399e187d45bf8d27e3a05d81dbf88edae97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
9f032d302463c8dc68b4ea036c860795

SHA1
4ea6ac8665b725ef7ba7e465bad3a4ee15a97a00

SHA256
10d4059551fa262344c1ab6a5e478927af91af0683c500ee3adc88f9a589cfdb

SHA512
1891d20a802eddb27004936145e5c62bf1f9d37adb578ff0c163ef73f0ff4d3c5bbcb3acad50944a3505614349f799bed07d0f200eb6f2d0d5a6800b5c782f01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
c64bcc19c634587a939e88cfaceefc03

SHA1
beef00e069f6a53b096548f7eaef382db5bf3a24

SHA256
3946b6a4ed264f238f6e132ca7ab4df1c2590aed089e60fee9bf9a095fa0590f

SHA512
5d23449ff2d948240c1406a69ea89250e168bee85139ca89d511d9711cc33a9d3f0f558083a67eb5bb45f224f586569659118919a42e97d13ff56c103970ab6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
e2889e59e91be67c3150614782d93df7

SHA1
407d8695fe3353e9a3b2c8aeab2ed5a3c3ac79c1

SHA256
ae96c08aa0e6754f3c16820d44e5b221579ee97ac15fe35a618c32c143213d04

SHA512
452838424cd613a33d684cf13366a7e595e061a52296633f5737d5778ef267c90f0c9377ef37fc31bd5f3758907796189226d34bff9ecd3c47d46027381fea5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
55a810eaf2d9e754133bb4faa168e41f

SHA1
c0cbeda0c548b159d26efac6067c2291b7ad9e0e

SHA256
1a430f7edd862bc9bd8c0383ff61a840d227d5a0742c96c14d1b828f3e57db3c

SHA512
596cde102d4ab1da6bf3e0b6bda854971fce39046a07948481f29c4d80cac5f1f5174a5d10e1bfa8ca4ce595f1eea02a4795241c80f73096cc869ff78afbc7ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
1309fe623af7fba32147e6f232c3d529

SHA1
f29c3c1db6bcc38f8fc726ce5eba8e01a9970301

SHA256
56e99ef58ba72b225c6829b7c2f0a4636c6701311c827bf14693d97d41a7b869

SHA512
b03a9a86a9da6697f37e21f5ad937f2eeb4ad6859725599f5bf7e0e1f8c7a41d61d365c26f05e10b97df60f03ab51fbb89f8f04cdd4bba948cecc331816e090d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
3c2a9c5584c1bc672ec524d862fff562

SHA1
af54b50c1a73bbd9e892c09a947b1250d554127d

SHA256
cd9ed7ff571b6df6389de155c22d2376c13eea0741da68fe1f2b3172fd84e920

SHA512
ace3c43adde4943a800d8e6dad8909018b1d787fa2753a6db24fded6d225f16b1bca60879522753197c29d84bedfb6bc27d9c3b0191cb706d65e52fab66df9ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
9e7445576dd0666ff469161fd1ab45b5

SHA1
90ae7e27fcd8f03d980f9a96c48e6d3b7575526a

SHA256
07cff6a4ae39a8ca072937a694b2310394306b396f1fe748e4843f9fbecb1e7a

SHA512
4600566cd5e84d93dfd5899fd447731095a1ee3cdd35f93bd13a1958766db3fb9ff007a8541e696acae4bdc10fd25a5f406fbbfd3603a3447962cac5e51a783a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
87925666c46458e984e927bfd1bf57ab

SHA1
ff9514dc9d5ce9a3eb88d6ee19dbce9bedf02205

SHA256
fad5f040301265ca40242e7f1012acd4bfc7ce04b0dddbcd49b514ebca4e1481

SHA512
8c0c084c5e46028aa8ef39c01561c2adb77126638668a1261b25162239a8e65c2788bb8f19543cd5c0ce727b79f735b23e536eef70916381d36dd7d7218fee65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
a1d6c6451261aceaaad28af830b7c26e

SHA1
f9cb92b5ee3cef85aabf474d6cde414b9ab75394

SHA256
cd09c52c5ea00850b8584768ed6721a1aecc35ae0b6bf29b571e93490dfedcda

SHA512
1874b687928b7f8f04f094c229ed0f0e0540072953f7159d3fd2ab0122be18d4dc936436391e1fa871f5bcc684aea61d706ad13a738694ce72c59e41e923fc50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
3f990703be3f0383a4a31e9ed09c2bba

SHA1
5048ff9425c1f2b9a63dc2f16d6593742b3817f5

SHA256
0af333c8072c8ce8365811ad9b5b77c40b5647237857afd82fa77f3f908de9af

SHA512
cd599a806ac309930b18aed0b5f07fa7e0c22193ab55b0ef1741697328b8bd78f86ca57a8c2ceba50a2e8ceda349bb3751692c7ef6038ab32b442de8de570791

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
bc05b8426a851be7a4e85fb66b8ac2c1

SHA1
5a57bd9e1338e64ec036c1f70efef2407776e6d9

SHA256
fe17e4818ce05555b35ade8662978521e8cedccc7fd929b1239b5600b43e9d5e

SHA512
8bc43fe22a1b9f65599ba25552b194ceb1448b917d64e38427d6ca1899ed21ced2fb8d27ac1eac4d23294c72693867585354a43c2b192dc3f76018eb4175d0ab

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
0208b10a87de8267217f571399e305c9

SHA1
35702cb8bb08a280539351d880f848ac9f5ba456

SHA256
39cbcdf054384bbc21d2e7a49e209109169fc615885834bf361f62aacfc11247

SHA512
75cd2ce5d1d3d7d554fa8b2496db3cca58f5dbc965df60bbcfb722e70baef9e6ab811b2467e2bb3e6a45cd0db083ea98cd15a2451616775ea6cd0f58432eb0eb

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
11a238e3c7551675d138c5ae3e06ee5e

SHA1
a7e6a7d60d7a5dfe310cff1628c3e3c42d584912

SHA256
1ecf387642616a41672ef19d27a5ccf3001869c2e2ff6ec7081f7cf8bdf1326f

SHA512
d452e57ca1416846531b0d7b0a62a8cb1a378eab7af0a8be5c9c98b1557425a179baecb37b4e3eb361213ca443186f0ed612ba3e5960a8df7a4d41918d4c920d

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
06e799e2c998308e9408430c2ee61c44

SHA1
9cc1d60ce7be5a86ab585dc665b711b2ff5f017b

SHA256
86a046375278cd6377c21fccd9954c1ff0fe05993513dca296a7699c3419284c

SHA512
082267dfbc5941b99a87414abfaf055c6e763243e128ad158484201a73542036d942c5df94b7be9c3337b26add9c08d7042219c2c54f81356b825297c7c17f32

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
bbc340da47ce9734faf4479b0faf7602

SHA1
036b2b71a79f2932262d304cf86180a24f891a5c

SHA256
9d480b6cfba6b1188bfca1bd50cb596966ada1a700958c5d1ede2d0f8bfea943

SHA512
82eb7e52458f8e63fc90997180df830962eeb8ca8067bc24520b3e85ac19b35a191b5cc1ffbea8883d8cd0277933ff2de3265c020dbae21d6780d0040bcaaf3f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
86c6de8b57c7e85b07fa141c625460c1

SHA1
c061673413220645bb72018b4128846f5d3a8314

SHA256
543a355fa3a2e9dcf99898c218cf661a39fcc480b0e8c0e9fe3179e278870e5e

SHA512
596bbe95ebfbecd5a48d76cdbf9c75088febce07233f6a8a3cd86719d074df9c67ae7ec003911be642264f709866e31f2087ced02c5adf6001828c0bfd77e498

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
258697ad440263989a19020aa44f626e

SHA1
9ab3692a1032409e59cda90a35234ebc6a7922d6

SHA256
a0f1fa23b748712fb34a43b6fc8ea2ddec32fc83b72af3b71d80a6d28051e64b

SHA512
50dc33e2120bcb651d255bc2de1d3aa25a7c1cc6a91264d9f4ee69fd6004abacffa9a62a2b89fa4d7b994a61bb893c747cc776185b05844d57f3ce2a99e80071

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
c2111dda3e4a5f7e904eaf081353fe4f

SHA1
16d7d25cdc7f77118c5b221030f2ecce030032bc

SHA256
60751d944505979401f089b52c7d600858aa15fe9702bb7164facda61e233a04

SHA512
d28082a672d5a50771d909a9454836e0df7e428bd351ced4d514d10517739681e6d9fa7e5c2a0328fca94fea5ebaf3e1fbe362322a777ef598ba21f384bf3a0c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
e3312b3e2eeeaa042e0217baf8389add

SHA1
1b591de7a613871e842beba8f0676fee527d20d1

SHA256
f7c9794855ef7bdc464acd971a271ec2c3bb368fbe943e581b5f1adf12252ebf

SHA512
b0088253884f94eda69fb91fb3b722dd46f44f9b808dde93009ae665381788f8331dae59199591691e2e9b6c779b852f0161fe85ad572c47a53744dd6d14f6a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
05c1fe642443e59451f3925ad8ddf1bb

SHA1
e1c2bfc2ac53606085cdbe5136d8877f160bdb0c

SHA256
ba78eaa8d59cc4fbb053116cf325386839990adae355553a8a20b8773f13afb4

SHA512
20de4a4559dd997fc780e332fd9916fb710913c7634109a240416bd4c593851e4786e1b6bddc580c544c9e4d71bbfd8241802159558811cc714ef9f414da7059

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
66b4ddba929885acf7def9409d7ebaae

SHA1
8ebf70fa71e6713db61e768ba397159750bd122d

SHA256
cc1f31a017a47fdec38cc09d26884c42d9ba0158defe47c810f67efc5e05d726

SHA512
ecae22f143f5492c72ce04b3d9fd343f7e9aa689b771be26d494cad9202ce622507ec9b3e0737c084d91b0d6d1a4f82e97fd70a49ba8dba92c8cb563875f1d6d

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
82668b002ea4aeb9d42f817f52f96518

SHA1
05bb8b152d6ab5d05b213f7df575c39b9282862c

SHA256
99a1ec0157fde433771bb8ef5032c64a7122922a6bd38c0e9c863caa823ee1ee

SHA512
36d529968cdc27c6b2aa775e254ef29754654ebacb06ec45059f6a35d5b302ca04b0c101c88680eb1df8ac254e491f72a93e0bf94b533f1401e17f75f7bd5578

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
a7319bce5ea9d73b5a5814cef4fd87e0

SHA1
a9ede5c1ed071a25c2d166e09058b4650a34b242

SHA256
18f5a6cea8caf7b33f4f52d7bef62b6c7d963591a0f1247ffd9142e87de0626e

SHA512
43d11245ee41c2dd5b2b06bc904ae362211aaccab5b2ad8b4a138ea15db19622fc0e9b1d08a6efc402e3d1db4acb6e9de97262107b0bd04bc3c0d21e0bc3ee1f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
5fec7afd4ce2171d0cbd9bed3691fa8c

SHA1
6386af902d4a1d518f57abf2c9a9176dac7be0e1

SHA256
85d20524cbc9e2dc2b9f4765423605f3bdcfc7d18ae4f1ebad5743c5408c39a5

SHA512
b73a90d3d0dbea5fc56c852125c8dd5075fa12d4ba251f2b1937be3188d0fa63b4734ed3a3d75fb5a0be20277ca1d465bbff607331d94a3dac25132e6efbbb58

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a612fe7091bfc289d51eac4b589e9f93

SHA1
b73885499d4b994c758956c9d9d0c7be8fe1fe73

SHA256
602e8be39aa7bf1a1b7ab71dd1f82a839231c88b7481b9f672da3f15edca5277

SHA512
c6f0972e46671c8e859f83edcfcc1817b4564228e9b3b5aa9c353669a880e00f253b88502465b930ba76d0737e62cbd55b12c08a69b676220f74433e58efca2e

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
17a030fe3a2a738ad2b4d649e1424ef0

SHA1
1146b050af63bf30e65f6f7346470e557c4bfed3

SHA256
3476328f2d3ee0be8cdda08237179f11f54d9e379793f4192a35825a71f8f35a

SHA512
d9029b6a96eb406f9aee0f6a22a3b78764a0934ccb16ffe47bd22180db5afc015f7aa336aa78247bb11e52d9459c89a0e4da71782db35e831f35f2b83c11380f

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
66cc0b0285b021b43b1332e460406ebe

SHA1
a08cdff8b844485ad055f0622e5080a94a63a08e

SHA256
1309650a4b7a59016d2c1490609681aeb2977037b292410147b486503e71ad4b

SHA512
12e736b0c8cda1ede5dcc7735a52efdc56f29fa09cbcaa41ba700b6f675a23b848b328be814544b42cbe1069501e0f0e695736b2c57c52bdfdc8ae038c7defbc

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
42dad10eee115e04193b43c89eb17ebb

SHA1
23b5033acd671d76cd6c5f0b80113fbacc944e5f

SHA256
57abd0f3e60fc291f9c4dfa4a98e7264ab92b3cde7c6e11aa220e5f747a6bfc8

SHA512
9f9ee46bc16fcf7c491a31522b94b0da953d477f3a8c207db50675157153002790d5846c45dd78bf06aa1878c7ebe84b45e76f2955664e476c20780300888dfc

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
cb34bb822cd6418742f89b53fed2d840

SHA1
a6791840ce06b39c64d8d6beeecdb1e169436d06

SHA256
02a2b143345c06c227e6bed9706c08c90a0438695690c58815dcb84e9e6a5c93

SHA512
38dbe951675194f9bfaa22b8e8a0606a36d4bf2da9477ade1182ddd082831145f8b0f6c7b636ffee800a70a12ed57e7756bc2bbf5705fd896a68bdd54c94a9d0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
a7c9cc6da4589f141d0faeacbdc3147f

SHA1
5f8cdedf42f36485d876efc2dbbfae7aa690f44f

SHA256
ed029be4bd08e1e921c5974cf1cfb3352905dd45a920dde2b60db302f38c7f5a

SHA512
66be9ba1bb26196254992a4e50cecd67ef242da9eb9d102b9b02c9aee8b567b76a5db25d4720459c8447dc7e836e6a0adc4392a120dc35aee2f454423fbe0497

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
fe51d20d98f39d1f333a72ac19cac07f

SHA1
51f214cb96b34cb603dcf289754d6cd848ccc2b8

SHA256
6f41b3efa07581949af2cafbf5af7adbcda4cbf0d7e6d6f14525eba964223d06

SHA512
6b3fdc1675bcc6b764459e7480fd89edea3c8422a96a2e395d907a7ecee45dbeaf4471623dea4d821bce7b740bdd4dae5555b593539559c9bcf49eeed0b3f642

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5ed40b352b36d7fb1b028dde09cc56ab

SHA1
a5b05596add87eea78f84e5d3b3e70056944c332

SHA256
dfa9cdd21979c8d3b25a41981fde3f8bc5b3551987fe52daa417b491cdae85e4

SHA512
c118deda1b4dae0f80261255cde2459f71aba6ea52e9ab56b064d3640f473c5f1c06a98e4a9cae62c36f25c302f9de4b9e3b67ff1b19163bba11aec992b4821d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
2503a28bd031dcc856641176a8f0d96b

SHA1
416679e76b1ca300690d2d8740ec2d13a33b2a34

SHA256
dc2d23cd5bfd34cd0bfab470465eca75e2c4a55e4e34620963988d87dc82ea65

SHA512
77606dbf7b1b2ed6979e25d5bc737203161f467428c2b1f2471b64c401f146b53799ac87c1570275a9ffe6d756feca011820f9a0c56ee90020d517b63efc2cb3

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
f0260601104edabea887bcccc950f728

SHA1
a3ea2028c2654b4c0c56b823f46bbda6d612ca87

SHA256
5d4e0c67d611d8421771cc079be009224b07b55c45f239d8ca541e0c0cf019fb

SHA512
0f9352ce90f6c8a5ec1b8d5f94e738a7b38f24541fd45e5e23c0f38d0e1676d99a526fb1fa0134adf10e8f7cf21520c2de59327ead1b3f571991a5f79b04034d

Download Submit
memory/796-449-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/796-198-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1040-195-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1240-191-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1460-15-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1460-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1460-24-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1524-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1524-356-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2104-444-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2104-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2104-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2236-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3092-5-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/3092-187-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3092-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3092-0-0x00000000024D0000-0x0000000002537000-memory.dmp

Filesize
412KB

Download
memory/3212-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3316-32-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3316-443-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3316-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3316-38-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3632-190-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-357-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3656-194-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3976-196-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4020-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4020-54-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4020-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4020-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4108-189-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4304-200-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4304-96-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4304-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4364-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4492-450-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4492-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-197-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4912-77-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4912-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4912-71-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4912-447-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5068-136-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5088-188-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5088-89-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/5088-83-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download