6e575732a39b57884d1513de1617dc72a0efd331b2ccdb0378fe16e23cc3a1a3

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Size

24.3MB
MD5

ad01b0b753a88d547fc13a136f2ee9ce
SHA1

6d7829d73cc944321437dfe84d2cb8ba9765c625
SHA256

6e575732a39b57884d1513de1617dc72a0efd331b2ccdb0378fe16e23cc3a1a3
SHA512

89c8d798e3a2ba17d37c5911374d34cbe1264467b6b00dc76291edb966490fcab350fcb0dce866376df545db327e8d666783cd4922aa011bfaee494e6f521a84
SSDEEP

196608:7P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018O:7PboGX8a/jWWu3cI2D/cWcls1R

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1372	alg.exe
456	DiagnosticsHub.StandardCollector.Service.exe
2700	fxssvc.exe
436	elevation_service.exe
3380	elevation_service.exe
1592	maintenanceservice.exe
1708	msdtc.exe
1016	OSE.EXE
3884	PerceptionSimulationService.exe
3464	perfhost.exe
2376	locator.exe
3472	SensorDataService.exe
1044	snmptrap.exe
4492	spectrum.exe
4252	ssh-agent.exe
2720	TieringEngineService.exe
3528	AgentService.exe
1140	vds.exe
3572	vssvc.exe
3736	wbengine.exe
4344	WmiApSrv.exe
5044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1da57fbcc3136770.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cf29b66d2adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b28db866d2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d0bc862d2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076080663d2adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018b73563d2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa838062d2adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fd1ad62d2adda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b91663d2adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe
456	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2700	fxssvc.exe
Token: SeRestorePrivilege	2720	TieringEngineService.exe
Token: SeManageVolumePrivilege	2720	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3528	AgentService.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeBackupPrivilege	3736	wbengine.exe
Token: SeRestorePrivilege	3736	wbengine.exe
Token: SeSecurityPrivilege	3736	wbengine.exe
Token: 33	5044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5044	SearchIndexer.exe
Token: SeDebugPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	452	2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	456	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5044 wrote to memory of 4708	5044	SearchIndexer.exe	SearchProtocolHost.exe
PID 5044 wrote to memory of 4708	5044	SearchIndexer.exe	SearchProtocolHost.exe
PID 5044 wrote to memory of 2856	5044	SearchIndexer.exe	SearchFilterHost.exe
PID 5044 wrote to memory of 2856	5044	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_ad01b0b753a88d547fc13a136f2ee9ce_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3380

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1592

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1708

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1016

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4708

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
6d59feaa9c7f225190d4d07d5318824a

SHA1
2b51707c8cb567866fb697ed96eafa9587ff8e66

SHA256
b0c73d2f4ab53f8ecb8cafe45fb5159cdec0673d67dd66481e07d01b302278ee

SHA512
a9d2430dfcf426c8d1c2154f5a4865ca55bb6a6c511646d85bf4478f8983b0e318042b655df2b104f53f6fb815b1032daa95c34bacecf4bfb1c3a06674bf60d2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.5MB

MD5
d750f2d6dd30e1b927765c086dec8fc4

SHA1
ce9a878624f505060df1ef7770b2abbd41c69cae

SHA256
18fa785beb695f21514de8da9f4b6af2c2248113afc012bbd7484d189035dffc

SHA512
868477b8f93c1b6e3ee4eb52aef11a5bbbef4f5c0f1f41f0251098bddab65535f8b22ddecea283ed4b5aa0c7363fdb3f1fb791bb3f235491ce31b938934ff2d8

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.8MB

MD5
495c0a69e3007fd0d2638f9280aac6c7

SHA1
370c967c6f8d59f3b68b57a7d641d741b0dbeda0

SHA256
744a2d61f6ce575f19f80cd43dfd00a69483a9ba87c8c0a42305fd0bbd698e3c

SHA512
57902929b070f843cbf327fb1c2542fbeeaa22376d0734a06fa61e4bdb3671c976686ba019c1099f202b952b8a1f876725b7b02d0e9f11163a2bd5a3fbdea895

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
6bfcbefde23205868fab6c9b4c6ad529

SHA1
8b6a3f8f972e3a45ae68df9eae2a24a24c69f5a1

SHA256
10f83ca6246fcb3b74e8a9d7f25d2f9bd51bb45b384608b53128225c62d8744d

SHA512
fdbe62c623b281d309ed1c3fbdd7b635ed3e1a8e5e9a64cb62ac79a556d6b813846b2d953f55a9e1d96a44de1f9c4096f6dada395936adf85eadd9532ff1252a

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
bc4e88de44f71856b9ff2e2d9d580dad

SHA1
ea96377fe5648698bb6eda2b998e2104c93e0e94

SHA256
02f73fa9c19ad81f59852770a5dee750134f8f68e8c13a9675b6f9a91fddba06

SHA512
5a564c02ac7d5fc9d03fa30dedfe48fbbac056a10049f6c45796d7f51783d7d226755e516523ff73e286d7794b4c73dbd6feea86c71d6e30a531da3fad4854ff

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.2MB

MD5
4b68e8b187940769167e89180e580f27

SHA1
7a6e99ce0a8b0fd6be322a789881efb438f74266

SHA256
1fc6ef99eb0fd29e76aa662065e99d10126f1c6af697b3b667c6cbddee1ffee3

SHA512
7e00c764cd11fb7e770e6997be4fdd271b75fe7d7bb2b81adb51ab2ddbcbc8b489cbc24be1540c8593394d1f5d7c18e9f8f9ab1b180c54434548785f27a315d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.5MB

MD5
6f1de8d383254aacb6c6b38caf73b616

SHA1
c139b4c340e206d735d49929d3e25ef9c78f8f36

SHA256
685755f5f986e4e9e6da72b429521634ed7ac58f4f7a529cfd49c65368a6bbc9

SHA512
f0c4595cab9598389f4bfab487cdbab99ce4af3ffc34ff860ec1e94d75fb51f49ceedc78def3b5c145a0dd434545d710e207dc2ac954bd3175389d2ac62e971f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
d119b4feb9711f736f8aff3cb63e0584

SHA1
b353aa3e9c72918a0580c640f1946aca2f2e9775

SHA256
5fb378b47b3b28e085a6a00a87cbcf5293be7e4168d207415c5dc15ad870cdc0

SHA512
8843dbedc8ec513e315f65c7e22be281666d5e492266f382ab1481e25086c43f416f298801b36e2e8656db1d260ccfaea7f073d61959c30d9772ae487e99e321

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.6MB

MD5
bbff68acc7a7a8ddc22e7be68941e3aa

SHA1
acaae11e7d47c2dcdbc3eae1ccca541d8f9c2687

SHA256
dd6ee63bb33fe259dcb85c884ff13685931197eee52afc31c048454a1878799c

SHA512
26563a31d4d2893a2655d2192edff746b4b71479d73a5a623768c1433dbec2c1ec09f2a14a28acea94d99dda5419a56f1a2196452ce30a5cca83b02d50af54ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ea68077f7d35a538174dce567cf8d1b9

SHA1
3fc2b2d494d929a231da5189f7015d2dfe662277

SHA256
fd3629f13633e3f507d4fbddf3a6aa482a1e648bb7eb02512c1dc89cabfd6d26

SHA512
c0bed607336316423e328c3d0e16fb68cccf9a910a9a21fd9859fdb370606e5208d1e71cce0071157af065bfa861471caf94f04204f0b15baa45b77661b5224e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
810aaaab7cb4c89d4269dd8cc1383747

SHA1
1c121eedd3564e3322cf8404786329274a6cc0b5

SHA256
f251326a008eeb7b444569fb4f053e8c3d4f8365898cfaab4d4d6f9cec0805ec

SHA512
42401ced8c92c4db3400185aec2f40988e600cd454e0607dd240316a8fb97f7ab7b84692eb7472bb7021ae65b10e94b5e9694638f844cba28eed62f28953e44e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
27192e1e1f3c06805afd204c6457a374

SHA1
10b5f11e7766ec967d40d62573c6b34e32f88d81

SHA256
9583f9c65a4b7c89fb3e04cde487b2013d187361302732a88859cbc792726970

SHA512
20802fa2be1bd921b58e0c803f1daab49f8061e1e15f79669a91d40e858716145c61f40ecadab195a6bc475a7d7b5d6a23eed79a85f685ccd137c1487b527eba

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.5MB

MD5
5752408cc70646497bd24746c1b0e721

SHA1
0e20406d0d3c043adda59e7b0c26ede13bf96840

SHA256
9def51e9ec455c0ded1a3cdf509d4fe38cc4b0ab24a8019f7ceacff004b1d893

SHA512
315a36035b4df1b82d0c161765e6b40ae5c41cb4006f4be2322d9f7681afc7cc773bc5485d038595b3607d28b5f1f0ebdbe40218e95d29f749be813926da0556

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.3MB

MD5
f9d4ba88093542ef612581e713307975

SHA1
3b98a3e38df5d41f0ccaa710620a2c065cb02018

SHA256
b19952df9482aa74edc426458d5728b097f1a2add6f28466d7115bcf60e4e3be

SHA512
f0c7b5362988f2e580e50f535ef7aaeefaf525e3f06ed0bc6e80cfbdff6ddad4a0cef7d42e1e7bf42bcb2edf7427a799a884e2331cf7f6d631b6941222d88cc9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
bcef8e0f44aebc7ac228402e94e14054

SHA1
6c3b18279a4e8e26b67e0ab6609e818a0e92c380

SHA256
7034d70e9a673a46d16e449173db8c9ac857a66a1952bd6db6dccd0ed9fa1621

SHA512
41ad97d776a60bc9a0fb3d22c7e28ccc04a35c41eda42345377213cf7fc7d20c5ede042f93bc08e004915a75553eb2b4b0f46e200e211dd79d5b211a30334297

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
cdaf1fc564921c82fcff1f18375cef2f

SHA1
901c7918dac986378811e2abe1d556b4f9b65c7f

SHA256
6577cecfb1c0049c37d2899684876a196a507074d0443aa1cfb0f7b76bb131d6

SHA512
c5aab73fb6286cb606614d5fe72f8f9506e8b7a2453f25c89a44a21faf99dd5fbea07d572ee88fd266f8d001b2ad39f9b05eb1062bd986f2b31343dc6c83dd45

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
f93b7129f7dffd9da97fa1669a459e03

SHA1
51da86559cc98d706a10d43ef33da1811e94ecc2

SHA256
ca95ae69b429a5f076b1ff03cb547a83cd3d46f8fe49f0a32886c91fb20c1ebd

SHA512
0b6ff8710d64463040d0aa2b66c5d399f5da0f114cce2682e8e52d8a61228e2cf8c83c5852e7956085a4ea066054ab32dbfc3818a4ae309bc9d76b640f648d74

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
69e50b024acf81f9c1b1f94e1f155762

SHA1
da748f0f2aeed4788f0fae42de092e235411f3c5

SHA256
534b727251122d3ac9817d4880bb2cfe66324a4a67b62cb3dcdd439b19e35f72

SHA512
61ad9b339706923266443664913910d4c06994ae892424cd2ff236ef3549b65e045816c863cc0f3390affce376b1d627c07580fa9a23976ac5258649c0610684

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
910e499f533dd704a41e84187f96ffc2

SHA1
4a1af7f007e655481fa891b673e258664966dace

SHA256
3f6040220a8771bfb09bc3b01b032eee3773eb12b6e05012907d754722182957

SHA512
c7728e9d64797d50fc14d2a62d693e97c2e52a0f0196482d9c2e4b410986a0a2219a5c17117b78d1ee25434a06b498a89ed96787e2c42e1446867004deba6c96

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
786576bf8bd7301220671fd68af47272

SHA1
6a21ef85d8417b3be14938c13c653309dfd6a2e4

SHA256
a0695e1ffb25958c5b49d41e4131763d2803f8f187e9cec143d1156d124c9f13

SHA512
92ca3ed444402f86513705e0cf6c2e10a598ef5de384f6ba2634ad9e5bce759c070cf638a93d6d30f85b623ad9d9f9c5f6cd4778b2d507450aef62b853b9cc39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.2MB

MD5
581361e0e7aa7da435ebd421139ba0c9

SHA1
7cfc806d5367b182ed86898ca6a86eb37d3d278e

SHA256
d60da9e29ee492d6788a599f25fd141dfa52a19a12f92c6e228cbd56615c5f5c

SHA512
d5ba603d7afcc42a4d208be7f6347d90de9a9c8c6fa7358c89d9783c175811844abba2feaaafc2aac1aea1b9d2b850c4e0b1471701209581e972b2402068f5a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.2MB

MD5
46af93106253e67dd8d8dab8cc03fab3

SHA1
6178123ef203d6dc6743c6d138ac5ada27895eae

SHA256
c62a1892e08131a360a223488c18c2872967e3c4f03daa107bf87ca6bb2539e2

SHA512
120a29ad9383f94460513e7f01b7d618f10f3443667996e1d6252df60c2bf2ea0ce3ecf25cb3f5131c860c11fc935681c159d7e57bb572b89d7694100e9517f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.2MB

MD5
101bb6e721a4f698fca384f15a6109e8

SHA1
82aca44b39a635a8da7f909935330b80baec0c22

SHA256
c3864fcc8b0236fd74f9e807c3542cb3afd0ea103e09fbe6380392d3fd60d38d

SHA512
b2a30ec0170037eddac9697a92d65e274f410c9924d54c15cf5c0d7c6d5de52c6c331eb1775c8c964c193baeb4ca3848e75ae316ea85650483ea115b26b04f50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.3MB

MD5
e345d91a1a5df39b7b3d36dc18dd5f39

SHA1
ebec760136da06c9493816a5981057359183ff24

SHA256
ac518a00cb16694cc616ebfa6258124c51a7840660b62a67f13ea07961813362

SHA512
6ef0094c39f83529049c107fcc573d88a1521a25f33efe22dea951d45db96fb3dba98d95d9d26f86093cdea9c95d676ccb56b7609622350dd045b47ea7d15cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.2MB

MD5
551937c76e43e9026e7bc055e302adde

SHA1
3d33e1476e2a0bc58e5b0987a04ad51e6c70567d

SHA256
979ff91dbf5c24f4f107aee003f6013dad05d6dc5bd4e59110b1f75e3c6b9c97

SHA512
12ebde43e58eb96bdfe034fab6295faa16ec3081b0e1d5ee628cda7be19563fea88ad9fad44b387c7bd7b9cf5c47cff03c43bf026eb318cea62f7502afa78325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.2MB

MD5
b372e3d8a804e0d42a44a0cdedbf4ca7

SHA1
f9d92ff8b9b8718f1bc1283021e56ce2a6b8837b

SHA256
9bf664593cbf788e2be317945c805b6bd1d4536105e22b234476a3876d74607e

SHA512
7d2970c61f6f8d4ef2f89f8c6478f24ea9fa83719716223b31a73445c65968b0c2248120892b7bbeaca9c8e7f01442d41db92594f84aff837f7b4002b6eaf6cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.2MB

MD5
596fb5ec2b8a5798c985363950e935bd

SHA1
9b9df940d641a3197a196b5b6d75f070379f4733

SHA256
2fd68e7277abb03598324a00e81443dbbfbfa30126e534ee0d6e42167c53edfd

SHA512
80375ae092da9967235b63598ae00dfb77134dde8c51b52549365f87620c7259c610741d051fd339cfd4a1d881ddd9abab6ea1f720b6fb1d27893e7488605309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.5MB

MD5
e3e0b1f4a2af5233ad335e81c8bf92be

SHA1
00a2b056bb36b11ecf116b427030e7bc0cdd1471

SHA256
b452f3d6658d9229a27bd84a07076cabd9ffb83b437bc59be72fde4ae7d7dca3

SHA512
05052344507fb47f642d9a7a6c691050a3bce473959d0ca34d543fbd1bf931d0957485f18d1f4ba84ca1e5da73b562e4d8f7e9af47ef9ae0c3d033d10ef7a4a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.2MB

MD5
73f1bbae14204db3e99801f40f502ffb

SHA1
ca8a35345e224902131c76d19f82f3406a09e3a4

SHA256
ed8cb6da8b98d493ebda41a2e7e01a93c62b9a20319d50dca028a79136b82c50

SHA512
80bad6692f77feabdcf15df331bd412ca5b289936dfe5f84134135f9d401ce036df98473c84d64aba7909c9c5e1273d885cc1779380efa88b0bcf52d319bc028

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.2MB

MD5
243f23f585bdbed21c9a701d13bcfb81

SHA1
61c7f639713b3c6306334a11c1970d2347d2679f

SHA256
b250cd48603a5a39f8c1fef682e3a394d41bd6f4b37d0a932d6cea90ce891b39

SHA512
823529b1562acda8a6c9986ef0c3c16bd17271bc8b4724847ed6171888c3e161d30e64a8170279efb84cb279edfc31338aee16922fe1adaa83098e1abb276739

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.4MB

MD5
848d6980ab9ef31af03f63fbaeeb7c01

SHA1
799a2996d2ec85f4f327ef647f1beffe68a4565b

SHA256
f29cc633e18b343ebd7197bd941dc618964f69266c8cf10860d2f2b107047506

SHA512
5e35307955aa369d579a1ee9f58bc5a3fe90272eb740eda3ff1a21e52af390a74a7d4894a195c5362075f64f5406eb0c448b8d74e4c330e8057734b4fd77db8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.2MB

MD5
3e32609d2f8379324c33580191d7d98b

SHA1
6ce0b96e534e7763ad5cdcede2a2a00193c98713

SHA256
dd55158f35d923614d01878ccfd73381aed8c92baeb35f1f4f33713f57a9ba9d

SHA512
ee4404a6c044d60e50f2e7242ca67b48c3f42816fc7cd9bc5ce8a0ff78ae778e1a13151c32809613bbf031054ee6ecfd24add7b15ad3da1dbd326f6c24576aae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.2MB

MD5
4b39953f4e9dc5ee679cbbcb410e6e05

SHA1
9604cc1a11af3d3f8a256d0e0cc8b3e5ea5c756d

SHA256
124908f7f3e9ee94e656129fb7b38b5e5ee8cbd51f379f6d380cbcb7bac7daef

SHA512
e920f34e8ee209c401f7c1cff3c09b0847c45ad8cc0709f0a0c1259633405671dcd81fd35a24886db96cbc03b43c8d8ad554bbb7552f776c831b24b396103e4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.4MB

MD5
a316ce3ca26adc525beb5c96a09ad960

SHA1
70689af6b65a1ec71f37d3d2c8c9340276a81781

SHA256
7ae8342547b718cb4835669eaed6727fa2cb13c9983be37856311274b1cfb7b8

SHA512
65f0f5ea1d5f13a0ae1f096cb97c14fa514cbb57df8b62f104b422ab68a6726a945aab685e2d4e7b76530310b3fa219267a9f611de25d98f049e066d0a002d44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.5MB

MD5
eb0bc22d3653608d27dabfa1d7e365d6

SHA1
c7ca88d712e3919eae70fccb458827f14ec14a71

SHA256
9b1028514ef626ab33644c5c833a8add4e10171d54a3c699dab940524a34c280

SHA512
33b4a5557726beb055787bd1f5ec9fbfb3fb69ddfcd1662f2d94b12411b452713bba11afdff819691c94ff4668195bfb16e55285ce998ded5a8bec347048dbf8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
58bf69e66ecbd5a5a7b20a0cab83ac4e

SHA1
d934c112afcd0bc98b7f3f6cc7db67220b827203

SHA256
ca30b2c52be77cf399b1d5920aa6d33b80a6b139c8144dd75cad603bcf67e660

SHA512
efe85d072d15fffc2b23527975f8a3ce93e085b7f8098b19dbb26c0033d2d466dc560ae5ba6e5f83079fefe16d6fd3d855ff2a43bacab861e08c2377eb57a8cc

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.4MB

MD5
9dc90ff2fb35b05a7118bd31a791ed90

SHA1
c4fb74d86605b6240e215fcbba0599a2b0ef0922

SHA256
c8309e07d19307d49c13dec2a2a82d7430dca1ee8e03db9ad28b596ebd7298eb

SHA512
98b0780a4ef3a82ca24253f3919a573a81d2dceb570a6ae677d793ad41df2680c656ccba355c5995dc4cd13342a5a0e0f3a2337a9e202a303d8b65d34f49a529

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.2MB

MD5
74cb8d00436b00bb6fe71d63eb6219e6

SHA1
1cf4a39bba7167745d7c52a17b9762eefdba2867

SHA256
a0086f6a11383cadaf7626fce146bb6418aa2c52c462ce0d08309407738439d5

SHA512
604c2415026b2cb870dc685b05d2e94e1cf87ecebb94db8a65c95c16af61ad921560eee5a1475d47b0046aa2400925924fb122c179e0d9d48f2fe9cba14c0712

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f837ac6962b2b68919812b7e43917695

SHA1
35f1905a3963a23f17acdb0194a02e269e742b59

SHA256
e958b46818eb027e4db0c6fbe6a4e11e1a7d777950df301a831ba995e1bd2de3

SHA512
da25bebeaafd7b9ddb7a70d70c41215ebc97dba2262c3919e25b06e3142c5fd17627221562f9764c02b41e8e69de20a6556abcf43335b0aede93269ae1486a01

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.3MB

MD5
2211e95ba200ec858c91eb1244907f77

SHA1
7c87a5648295b788f5611f2533510880cd630b7c

SHA256
2221b68783fa70743149905f675dc9f58c06551d0e817b39932e75617006d253

SHA512
f9084aabde453e5b63f8eb8ed6175e4d0f9031f619bacb8c01d378dd2ec619d3395b062700da17221e201a638c76fe58319691aec28699945d87cd017ca9e338

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
feb8fa1f5a790b3fa9746e5692a99da3

SHA1
a90d7cf6e9c2adda762349df4d7010f3b29ee6a4

SHA256
e03ea202e38bd97c189f9b01fdf9f3e390010ea73d5fc74092ce2cfcd3b70d78

SHA512
147883eeebd06e4755116061b06834468d31a8e8c2cb5be7d1f8ad145f449fa932154951038c34114640f16acd65da90b63f4bf3e46f2d383d4fa27a44914ebf

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.2MB

MD5
c28072d274dff80cea5caa03a7c7dd2e

SHA1
467bda110d8c3b6648bd5602f30022d6764e4385

SHA256
0167d05158d38b672ba841145bdb036fe0b9355945b8a50e18d5c00ce71ce124

SHA512
43c3b77f4e26a042f9d468f30c41cace760865f038d64e8f7c9d7b14d007fe3262dae5a50c5dda21c1fe0ed4546a3a62cb981093c0edeaf8bc998d5f2ad6bebc

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.6MB

MD5
d5bd0a9c57115422345a5e15d1e671c6

SHA1
72d7180b1f6a0341da9a4dc438439fde24a73f8f

SHA256
97842fb4eed28f34a3a695377d2a36bfda663039aa1d8f5371fbbabf77b64eac

SHA512
b734ab374b90f2c203e902b9e12efc0a2c01e815bde775de6c2fe42b028264e43ae643a81b3e9fab8bf0b9eceb4a4c88e9254ec67d53d56efc727ec0a68a74b1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.3MB

MD5
5dd068a5bbf920f68d46497d30e72d34

SHA1
b382430b039c0f23c01edd81d2079256bc3cf132

SHA256
f31d2bed914c41cc17c5e45a32233d96774ca602c15e511cf088e9b2eca93839

SHA512
ef5832f6438147b2ba64b7e70bf23f911ae54b698400ed8d3632427f8e3c7130a3eff00b4285a5b7f8b53c2bf030077dbd102a283aec89eadb01809441b5fbd4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a1f5b8ca66279194ee5af4f2469a2bf7

SHA1
24fc9a1fcb5dde3633adafe6be9051a921854fbe

SHA256
cc44d86586bf50dd1f4804ff55240802bcdec56a1976ee7e8ae4e64d02750bb5

SHA512
f5a2d5f695f7bff0ce1bb8177a6d2d4772caaab0eb0d714e15a1f1805bec9e6303af7af181e3555730a4d666e2f269591507f119bbf760ebe31c14e983545917

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
67f7da1e87a0ac7ea653de9c4eae0a76

SHA1
c8b01f9001f3b8b1201b816496c241976b1ebc17

SHA256
81be7a5a5f195eee68bcb1a8e946a2b4f748b78f6fc4503b94f58aa7429e5f62

SHA512
2ff563fcee504a806871bbbe73d31a7217df52b70e6bf0ec302f07c1b13b97d04738653d63d744048c2487facc2547b06dc7841e8e12897c3412ac87ac578901

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6f29abd8d6ce430f0b96d2173c015cf7

SHA1
90e72f2782bf8085caca2ee7f6febd69299b6904

SHA256
aaaa295b284f817de2189f18d5ac360995140a089c03e81d18db5076a17120ab

SHA512
07eac0384da9d2f92f8c93cfddb9c469eb14422839c40f1c92f4cd9aaa78415cb900a5a5ebb3b1bff733ae1315702336b04351525ffd4452729a58bc66a950dc

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.5MB

MD5
501bde63a1aef84e38196c55c404502a

SHA1
1a570e19af0fd4e1be8333deb8d088ac46bf3baa

SHA256
22e9d15202bd9cb5765eb14909d954cf4d38e8ef33f9aa6c57849970f759965a

SHA512
324883415754f8b873783201b7d24627c07632de33179d8229a342e13bddee09c74a05181736c196432cca66b940ced762faf8fac05eb96445aea89f235fb6a3

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
12c2404a80d0b7464d97f41264a02df4

SHA1
c753fa1843090fa8d8682adc593ae64d37ddacff

SHA256
3bca8ead67fd43c194e19fb887b54a4b7ee1d007d847d31d7df45e2e35d7bfd6

SHA512
d277f9afe4bee8d6049b9b67a0ed53e68b36302518ed39250da70aa96992817db69a777fa0917bea7db332a7a12775d1b4e01d87ea48997faa1bbf6774f2d32b

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.3MB

MD5
6bec579743d489021b631f1b9278a2fe

SHA1
0ae2cc30a32ceb9362f73816c46b53b15d98224f

SHA256
e67f8c730974f9068c58ace11b12ec96de326d1d2a3fcccb92d56685e9e159ab

SHA512
cfa4ceef0d78722c8e30349b7050f8cd28320325cd7e94a1525ddf8e5ba16c774d665bd18924e5170c563e6e3c752de03c784edda4f4e23b9788d5967f1bbb91

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.4MB

MD5
3f257fd4605168a55a5b4fff7d5e0aa7

SHA1
02522b41bf33b788ce30b58a8140ee2335530d6f

SHA256
bc90a128dd253a43ba42b947a867c4d146da3aac0996db67a0d6ffb8d04ca1f9

SHA512
7ab02264312a8cc9cdfdd7dd0924fa9489fc2859cb6851297290fa03d1f247dbce6fa7435143956d5dd9a9ea37ec237d400b05eba6d672ff7676b1782eb96469

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.2MB

MD5
820a1ffa355e21b4a2fc2f6af21b1d99

SHA1
4efbfd05d6480cf171fc274a47c3b46704a82ed6

SHA256
49fbd1f6fa064437cf44710b6393f101bd6c6254b5387664d05c89c14507ff58

SHA512
fa97af62526487dbbe89d5a70f4a687264aa2cc1a5b1752a199551f48268d3b138ca0d3beb955de530fffbe785b20826ef3f4c4da65f5dbf1edd2b27fcb3960c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
81bdcaa336f7104bbb0f070099af6c86

SHA1
39d68215f2d687083d70ecb3a6c78dd9c089abc7

SHA256
7af4d960409b0e056ddd51883baebb09f8481c0308916fc8f5ae45985b257bc2

SHA512
5c799f10292d13efa5b323f8054d8a2737ab811cbafcf06db6f4e023c4317db71892b4689afdfb6490db639acffb487bdce620d17470e7c93d04071897d9e98a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.4MB

MD5
6a23137cfdce4c7838b93dfd2482d256

SHA1
12cc01bccc20ec3136f82e8161dc0cfd62e7a952

SHA256
426ea93c7b4258589e84cd8505062e573f66423ac3e4cad72031460a27cbae08

SHA512
47628cc223b1c6cf20494de45a7eac0c834c4e821f9e1e19cdea37cdb510f8f8b6dcc3423fe5e6bc38d3153e441a3d387e862942773d2b357419cfaec81aae32

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
796477c7bb9932a71b82a0d116a47ff7

SHA1
ba8e197efe276b269e5ef7f4ad5fe0f62e87199a

SHA256
28b6a3323e61b2f13a4c8337f46eccdedc22a27f7a836d088985cc542c6048a1

SHA512
2573e911e761f7c271a94c3ef06dce84dee4bc68f71476b57b84e0353c9998d87774d096b43850d1e4a2a818e513ea740bf76da7a80539e4735433b867094cea

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7ae5eab6cd3f8fef291acc63a2c18a7f

SHA1
ef1248f675c8e7c9373c498f6c8ef6b3088413f3

SHA256
75f676d18e62d9fef4dc9661f068add516c80f25a09ebb7dfcc737c0c44e30ed

SHA512
b3703b668e76faced5dada53a4c30157cbfee2a4fd3290abc04fee74f21c6f5c656135cc38b932eb3e5c1e90752c7318900e622ede0b3d9144ed45d3ee68dc0a

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.5MB

MD5
d6e9d501369f91961757372c9e5064e8

SHA1
50e1e3e14ea7ca7e8a6f99818d6a3eada3680a26

SHA256
a535d13475e1d032842b7a60f374d862a744ea7ff635276addff37ef51ca683f

SHA512
fb1eba99fc21d9fed3d39d4c4d334e06718676de362b1a9f795370679dfb3dee3adb072aad37e712d57f9ce383caa5dacc30b68dae010b3ce49f69757dbbac89

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.3MB

MD5
0cacea4c4f6923f137caf1f8c4c17f2a

SHA1
286e0da2f2d7694f85a1317b4983713e33a7ead5

SHA256
9e7b7f2648bbd15fe24f777a1f4d0f2b681dd381153ebfb45f8b3c1e0208abcf

SHA512
793608dbebc939e605defbbae8ca3ea7ca9afd4a5ee5fef8bbd8476afd4a2d1fc8f098675859d68bb85c77ae38358ad4967da7343594f7bfb40a86f4c2876ad3

Download Submit
memory/436-105-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/436-36-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/436-30-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/436-472-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/452-49-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/452-0-0x00000000020A0000-0x0000000002106000-memory.dmp

Filesize
408KB

Download
memory/452-5-0x00000000020A0000-0x0000000002106000-memory.dmp

Filesize
408KB

Download
memory/452-12-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/456-20-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/456-14-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/456-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1016-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1016-101-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1016-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1044-218-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1140-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1372-23-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1592-51-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1592-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1592-57-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1592-61-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1708-100-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2376-107-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2700-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2720-225-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3380-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3380-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3380-99-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3380-471-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3464-91-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/3464-96-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/3464-104-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3472-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3472-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3528-138-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3572-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3736-228-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3884-87-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3884-103-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3884-81-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4252-223-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4344-229-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4492-219-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5044-230-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5044-473-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download