e65a3146e49fc221f505163a4e9857754b476d2849d8604d1b892df5838ec099

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Size

24.3MB
MD5

a054b67857f5084b885bdab0e8df5353
SHA1

c3ae4d817ad876198cf37c6600698c921d077bf0
SHA256

e65a3146e49fc221f505163a4e9857754b476d2849d8604d1b892df5838ec099
SHA512

0ae63f4d410813f5fa1c8151e89f1a3df51614f79f2a83e131fc0acbad08f822f22e9ac176e11c83390053969f06e1c71de59cd513cc9bf652a0ed4a69bf4055
SSDEEP

196608:8P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018:8PboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3672	alg.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
824	fxssvc.exe
3772	elevation_service.exe
3280	elevation_service.exe
992	maintenanceservice.exe
2472	msdtc.exe
4016	OSE.EXE
4428	PerceptionSimulationService.exe
3684	perfhost.exe
5084	locator.exe
4312	SensorDataService.exe
3832	snmptrap.exe
4944	spectrum.exe
4508	ssh-agent.exe
3352	TieringEngineService.exe
3588	AgentService.exe
3224	vds.exe
4564	vssvc.exe
1788	wbengine.exe
5132	WmiApSrv.exe
5184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exe2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\809c5156c3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098b92135fdadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060f09835fdadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c14bf35fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb836f36fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069ca7235fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018c12c36fdadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	824	fxssvc.exe
Token: SeRestorePrivilege	3352	TieringEngineService.exe
Token: SeManageVolumePrivilege	3352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3588	AgentService.exe
Token: SeBackupPrivilege	4564	vssvc.exe
Token: SeRestorePrivilege	4564	vssvc.exe
Token: SeAuditPrivilege	4564	vssvc.exe
Token: SeBackupPrivilege	1788	wbengine.exe
Token: SeRestorePrivilege	1788	wbengine.exe
Token: SeSecurityPrivilege	1788	wbengine.exe
Token: 33	5184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeDebugPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1616	2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 5184 wrote to memory of 5756	5184	SearchIndexer.exe	SearchProtocolHost.exe
PID 5184 wrote to memory of 5756	5184	SearchIndexer.exe	SearchProtocolHost.exe
PID 5184 wrote to memory of 5824	5184	SearchIndexer.exe	SearchFilterHost.exe
PID 5184 wrote to memory of 5824	5184	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_a054b67857f5084b885bdab0e8df5353_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3280

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2472

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4312

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4944

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5132

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5184

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5756

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:5588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
Filesize
2.3MB

MD5
b18f8907e48422c9a7b1adc5957473c4

SHA1
5e20747c50544744c0a727d94dd451fc21559bfd

SHA256
805708214bbc4104c6e9dc71f0cbb3ce700f0f394e753a9588d3e2a7bbaa1a76

SHA512
fd3d4cbe49b2a7f04d1a19e4fb2a76881dec4838962d2f097fda5507a2677be4d5497a5eec7dd520dfd1506f565c53a54091531ebe1dd3da8a722c7a9c867f1b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
4e62f264eafd0063058b9bb25091d946

SHA1
12520867e5ab1fbeea67ae386b3312c9f2fcafa2

SHA256
875a2f25bacb926b6559fb3f17674574c1d2d4918601add40ffbe921138466fc

SHA512
58e16b9b0ece3c85aff24f631cf4699990ed95565d38816d1d639a026933d493565d6aae17aed901d323a561ecbca43870e754b102835eb22cffedbb6c08ef96

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
53bdfb08d80c3d1279b025772a294e3b

SHA1
56c7d35f14c7d6ff9845b09c1eaba37ace5c26a0

SHA256
d96c53f0708b4a891ab346e30c8f7a2afdb0dd895c1aa9fd3bc1f1f2bd6395bc

SHA512
a4109266575e564b999590229e6bb375daa1ab587317eb2fa9bf4874c84b34d8441c03367830e7c9170fbea0800d00e3494610fab6a40c6b6cacf3c0a5c986a2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4e46a0cf1a2c30eca5738405ea41a4be

SHA1
7d7551d22123782caf7be811518a2343eb49302d

SHA256
da94949bfe3d337ae21e8a7e3acbf41399b4df3816023c3cd18e3cde38098a93

SHA512
09d683a2beeadcf9ebd05f1815a9aaa74118c402f2ac86c4fcd00f3a36d88491b976948d2e1bd7de304512129fb44647e4add268a7a806fb2ce5855706c241b4

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
fa7bbc2b7fb2569aa111c16f35a74d6c

SHA1
16d0fc27234cf730513a82ab3c3df21bece17672

SHA256
20c681a7848195e4362c425159c307abaa7c6e29afeb8c912aa9895917449537

SHA512
be2b5657ae9336f307088185fb40db3b681e1a4eae9a849983ca3dc44f4ffe3a208561147aebb19bf99f5e623f1c93ae3725a71b54d3a055b4cc243dcdd71d92

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
6c218aba4103c7f605d832a423e635f1

SHA1
739e7f4106dce924196806b8b94655c5c08dd7da

SHA256
91cc266fb6effabc610a14573ff8936b6977f6eef3ff4d2bbed83dd52a3319b0

SHA512
4fc364329478782a6bc36f8063551fa382cde79fde2e2765fff5d6519ee2842408848d348e9d11efea54473139e1323b13f0230c496fa25d7d816e6819aa5b1b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
8eeeda58dae541b05cefb6af12f739bd

SHA1
99e576283013c81edbb129b12f1f49b493e18270

SHA256
5ca97dcec7a488f3b780f5992928d550ec556b69724df1e5798219b10c77fe63

SHA512
ad6982d9c18f8da52b75d6f2b10c11893514780b26cab25dbfb3da2ddaa288ff90de8a1f564693e88bc3c1659d929c02a715526699056accbd0fe4456aeb8cd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
5b3eb44d1ccfde5f85cabe8c7284ff1a

SHA1
0f51a6731135a1fbf3c8613c1f94bceee4b9f672

SHA256
f4253c2666751bfb25c33751d028d0343cc13d5cc3184741267534ae9fb875df

SHA512
252577e32845db81c8407af973e92b944648e5ea2e7826583d4127a4a343c110458819640e764e1808d11f567eb18435e2946de2c6beb535ae86b98605589564

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
3db607117ba6bf9a497a433d08073e6d

SHA1
a937dd0416bec0b2da53070cb712d7df8df9dd1f

SHA256
e5b5755a9645d3df9caacabc62eb45501901812a77c4951f908fd44b2b663d62

SHA512
64c252c64d5f891c63f4ae08366aade49ca49d872549d199945e9824820fe46deda655f499f1a8f4dd5d148c30fee2d4d5a5ecdebc03ade99bd9969c3e147141

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
79020e3f82da913deb1b6d90ded95fbb

SHA1
e6b3b7dc2f32606ee83c434565ef566331c82529

SHA256
ae8ac7541ef4fbe41094f88b44068c24f975d4c71a282a7449539068442268f5

SHA512
fd7178c536ea4c7462ab4d6f6253a4a30c20d15d15be627906015de5e7eba46a6ecc15638b221530854ae48ecb20c84f7b60a2e5ce3d5932737b490dc188a388

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
0b9fcb64a158e54934a4b216b614fb68

SHA1
f81e674ebdeed95d9b82ba26dd9b252ea97a2b05

SHA256
78625a4deeb81ea7c4dc884b689693dd731d19eedee701651bd930ab2707ecf4

SHA512
e97371306ad8b8f422f8c972633ce89d862411ed6b657db0f255394adc154eb83ed9375485f295e25db585ae686142f8b75ee7fcdaa9b0709ce527f336b1c812

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
3563633de82ba301be0aaa71aa97bc40

SHA1
f97e2c435bd0f04c68b6f33887a65f79e74082ab

SHA256
dda9d76a9d215817ccf170e9c77280af1a41109ce3988b269d8a5d5857cbb6d2

SHA512
a9a96e1153a93b317b4bb2262d84089e5f7ed7d10a7ba40292ba8720ebadf12979c9da8784cd1df3e45458362148f5872a0019d1ec682930c54627b6d93ed89f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
b40b7de4bf45aa00312d3c6e6e4b6cd5

SHA1
788a235d8506deedfa8bda20b2d6e0e64aa75ff1

SHA256
ec8cad0ca0cac26ca1eb540984426adbd18bc57865fb42b07fd1418bde5b1277

SHA512
03e957f8ceb35a63675ad8ce69418253fec063b940aee95a65eba71047a450f6b73c8d86b21cd1ee355a665b24da1b066a6f77959f59930f4c3b7ad6d1bccf6e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
84ca202456d8e3346e3989ea74cc614b

SHA1
f606a3a54f3ba52e93dc01f20ffb69ec4bb11c2b

SHA256
978dbd2ab09c5f656737ba7f0993a412df779f677d56bb6633915a73bd0b4d74

SHA512
c1735a9545a0008bb27f5db6cc3d8e956a9df19675a6fa3579069bb3d703076a5c8e0b7ec9d3d94078580700863185f70884f8003afb16b0a7db85053c1b757d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
f28aa22559e0e1666ee30438584bba4d

SHA1
a5cbb222eefe502dc63ecdf7f0dcafd5444d86b2

SHA256
ccea2a3b9db5021f44c4b40eefcae1af347df1bfb99baad6442598a221c9874d

SHA512
52ecb59a3a002545d48bf774182c869a4c1b6fc4d85db423dafbe08606e928e4055b0723c3e6b35de4b8011055363611e67578d07ddac2518450444c65e97631

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
687532434c22e41f18092aa584272635

SHA1
b37d74c8dff449ddd840a20e4b06deac3e612035

SHA256
a4df879b5992a2eedf294a4f91f681ca280da18f5a1b2fe86241a227084d5b6a

SHA512
0eed98421c6486f3332055ee2c8322f805b5ae366888d0736b0166e3c211977e3ad87cc5a711bdf573e1bd0d4c9f81944d63049966329334ab6ac01e4cbdef94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
4bfe0aaa7989b48e9423c7682be73a14

SHA1
cd9abb0111e726e826f82d402529c28453501e49

SHA256
c3445041e3b98223dec0b3dbd3634292f4eed2d2af83080053c77c53a10d9cf2

SHA512
b8bb8b327d40707d1fb119a350cc371a946d8a49eefcf34bf9a035ef9c4f20cf3c8af239551f173979550afefb752ece568ffdaffafa956f913fb4a8d14e3c29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ba207d05e5fad75204fee9309a11976b

SHA1
0ed08b93b8d0dd8f930d7324b36f9d230a3e93dd

SHA256
d51e2d3708d858638aece5ee7b0869730b3b3b7d14aa49acc7c2925e166fabde

SHA512
80193156e076c91c3cd907b41a1c9571dc669dff369f9c924841ec622183938151fce5d4c806fdaf382146dfc52bbe449eda9af1a590489860d933cf63d2279a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
e2a624f9753379735012a6b37d23a6a8

SHA1
b6225bede4ec3e437ae06bfed23b84eafe7d5019

SHA256
d1da022800ff89dfbe93c6396a887c1924aa3327195877fe59777cc3b3fe0687

SHA512
c7c8ea1f16239f88196b35d6c1ea4efc74e0a31629cdc83b224f66a3f6bb10d554c8b94d6eb169adec222f776da674a9291159007f39c809482b0d2d00fedbf6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
caecb88d19d4eab1a8d901b47e5018c1

SHA1
ac60fc41785a7a038d380fe239ff51ba094310b9

SHA256
cfd2dcfb3511cf7f96e4a5390b4833021aee5957dd4a6482ba007ff4098d803a

SHA512
c6de9fc571a90fd76b900a4c94577ce6889c8036091ef7068b151b2295ebe802a993fcbfd203755da63deec40d561fa4977af08fac40bb0a877352eb09683b36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
d38f78066d5997a880157ea1628549af

SHA1
8fadcaaf2e05a58282ca62ecbe32328ba73a5ec3

SHA256
c621dac4dc33552de59368a920c1d7bbea208f250c15e378feb03206a882ad96

SHA512
f879cffdbb397df69253664d62bfe08c5dddbb9dfa661b0c539412d3240536409450a79e8e5b4d667bfe6b44714e37c889920e8b467cba0fe2ea473e0db92000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
92c0a9e00070a66268e2e996c8e65761

SHA1
c726bb06bef1c7bc91004d09936f387c4c075754

SHA256
f244e15b5098d9cf26a0c553c40b937ed909c30f4be470136164a49b520d4936

SHA512
3927663ccf0c59ec068810ddac0002733656c9a76eb671fc090765c2a950b493e0e86a95e664d36088fd662310f9098655ab2f9a377866171bf19fa6f668427e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
861927bfef67368092346ea2e743e0c9

SHA1
c4787eab4ddb259b73e5e03daa592da3431e2284

SHA256
a349e14bd1fb5ba7653ba42d75c5e34a5cc5f8f41f3d5d2c81331c9471e9e911

SHA512
32e1c7c338d83f9aa1ddddd959e220f2b065d027172bc816fdf4a04c54eb72e941033b38243c0bee03845302cb8bed719bf62b0ee6bf2930a6dc28a11b473925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
3c6afc3c918861417446c283bd4ab1b5

SHA1
b4a8b7d436be0d5ebb30a22705aafec0f8729eda

SHA256
65401ecde8a6e4a6d67da51a77527222941fe4d4cb9f1702024badddc749dfdc

SHA512
02bfdddbac2bccdf93cb4485b52ba2b15809a91d9cc958c5bbf531f59a31a13fc36b47528c699a4760e86243f61ccbcf3b4865b92d175f89b498af25047c7fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
96cd3490c57e21db31ded87408f409e6

SHA1
aaf09633913a7d21b3e01df6c0f606919439b36e

SHA256
7b62d46f74662566c86996b07c5835e2b1328014c54ceaa426da348fdd46e335

SHA512
50bf6a67841fb7970e824c1d4a470abe59d1e3ac6a15a26c3ee0f9f0ca1ca8823733b07c7446db662eb09e5bb733bd8cb925251098972f27937cd36ab614a479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
d317d4679753e5096c5054e38a728c23

SHA1
724760991bf199c0ffeb73295ec547e6f7ba4d38

SHA256
fa97f88789bb26bae1f294e69efe0c971680486120b76b903a3b65d811f3d254

SHA512
ce70b661c6dc71db3369b256b1d2d5c90b927b244c44eef9a17bbd25bc28a82afed1d1e4b5b4a1eaf3063ddedb85cb145b5cef8e136c043afaf0b3b069c5ffa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
da3e9d643268c70bbc1a964c84d80789

SHA1
9f68a4a3d26c009e883d98a2c9b3e00eee7141ca

SHA256
7c4877c4b5fcb566becf7626794905f04c40ed2529194c985d6b1b65134bcf23

SHA512
22f7061a3de092a3d68926c9cbdb460c31c5b74d07ce8d848642641a8d46c356b9dbe1492ee992d3aa419e864bffeb4f9e1131722b8c4d6576dd7dbb2e1b3ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
84e91609b9364dedc71b402916c990be

SHA1
5d4b619fcde2353fb2cffb162a3f713684567f68

SHA256
826de58cc17f5522236880f20cf86aeea4d55bb3b5bca32a42b94ba1abce1181

SHA512
84eb5a031402a7c907de7978bfae8bb798ddd395d3b8ef4fbaae0d4fe10d78d1fd67b999da3bda475f39d3a703715e1156a489aae1ddf94711fbe6e2d2174ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
2aa39eaa4de89335a555901dfa7f56d4

SHA1
672c35a1574bef541620f0c7077cc7fbd788cbb0

SHA256
fcc961212dcbe5ab409fffe123c58c7ece70fb51bd4fb0348af62fc58f0312b4

SHA512
2cb61e7a1408a692b860956cb52a366ef436f96df97628d598f5f465daafa42849a8ca6b25eb12429b53d5cd6d45f199ad1e8b2b406d969d469edcf193edc4cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
f6b0cdd877802fce8762c8b5ce6d9b76

SHA1
3dd0083e416a0532821bc39a5e1951aa40134976

SHA256
1bd54ac70070472d5185d7347b9e80cc5d50c6fa6f36c8383ea6cb2d5a4b7e81

SHA512
1b5f2c722d348b76e56b48ea684c0c7d0b134a0b1b1b51f723a3dfb1a70c31bd1409b0bc81ad54107fb9dead48b451b07b1e9e5be5d7f48a9685ae7f4f0c337f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
95ff1f221746681c10e2242e415bac7d

SHA1
ba6cb9d6ded1114d35cc2d4011d4c133fd517cc5

SHA256
29555334c4efd37ce70775641bd609d59c42877adcba260df1bf2e5223ac45c8

SHA512
b5a57b6375402b81b6247c727634c3ca31d239c5fd34c178fa4675b28e92676fb2e710533cb8905d467394b9dd8b4ccce9045706cb65bd724694f7327f0db0dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
febcd04bd27f24c5438cb2d9fa0ee179

SHA1
80a2a92b5fa6865f9a972ae87e1c7b4fdb40553f

SHA256
4c7d5ab23abf2ab47f600ce4aed980cc8b2fb695da6e228dbd1eae28a0f85910

SHA512
c36071753d7e2cf027bf49ef460557fbc3175fe937649b06d0cb5a3eeb317a7ea97b58365500adc7bcc7501037e4d670e1db78a4d6965b9b311b9a219cc1890b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
2dc196258688ea86d9918ad95a94bf4c

SHA1
cb0bcb1b378d1a3acd95ba67609ac41592d72cc4

SHA256
b9fa2d8bb58b2ddcc0906d0031b6d80cd374cbc6afeb027092f9ac49b76a94f4

SHA512
b102dc1af0e7fea4bae02ca2e0e0894c0717221bdc855a7e34dfc61cb19816354df98d103585b51708d755e0d5e6b6d11b61ff8466d7d6fbb04a0be475bd5f42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
013ce20806bb503c40e18c33a990ccec

SHA1
8f0edc24bd616d125e67778ed02ad9e521eb840a

SHA256
ba977c901f3360b951dee9a76b899a8fdb3abf3e178f588bcbe5fed17213ab27

SHA512
ff1171742d9bfd499a6c89869c0e969901dd2a7a88a8d32e7b2c027ab6811f9687d3d23d53a37182769d7b0950925efe7e23ecc717f6c18edb1c29cd9703c56b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
c0b5bf0b26037a0ab2fd65e6ac6ed534

SHA1
45c2eb8285dae88455fd0609d4b550e00ae3ed96

SHA256
b1db221769c49df63a4979f58b5245ebd8aff10c8f39dca0422c527b5b1eabfa

SHA512
0ff5526fce67c9702166203f710e7f5e7202cf59f24fb986ac92e40dc22323ca747e3fe625abc041fbe24ece9db25e5ee50cc33f295f67d39ab85905738d388f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
3329b514165a6582473b298150ab71d2

SHA1
9adea345e7af927ee2fcb31a5f996e5f75cefac3

SHA256
21aca39490c30ec7fe4d0c221c4ddda790da4f671619f6da89241aba5bdd050a

SHA512
b439545b74930a369e14650934d33ae6f4f1d4b2edc07f26a495ea7af3267101c86007629bd6c817e215c9c9a24a75457535d6097bb44677927f98c74a70c5a8

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
7486d39e2f72e01fbb000f779f781f06

SHA1
cf9d37ed6aa5a1ab44b39ad39f930cf9716c6c4b

SHA256
4a124932cca088c8fbf7da953380affff38576b0186262cd51f1fb7c54756b91

SHA512
6612733a9edf6eb7d1963c5db93b87293c973af017e3c83ebb12b18645d349a30365f691fcda943887004a7f2f723721d6a74a6d7d55dedb650f2a8362be6a05

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
e923611e95d0a1ef5abae8d15a0f3f4c

SHA1
13eebace2e911e603da83894733b67c75d682dae

SHA256
8648fe586094eaf8233a43eb09af38153b5a656fbce865d2a654f89187e856a7

SHA512
238ebae8cb3afa292cdc2acceb4cca87ec847795b8d1f37e2e22e52ac03c077c4206bdf18ef0082475c600b5e9d6320b4dec8cc093827b45e52f816a26a705a9

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
a76754b53fc3c22cc898774d98d9d25a

SHA1
15c44055dc51833262afcde5fe2e45fc367e3576

SHA256
04d547490c7218a35545875b26843366d7374f90d3b53431a4b6b0c46e19f515

SHA512
0c584ff6b7614460c0266172ad3a60850a1300001acc6df217dcb06aaf281aec72c2f2aa100de857d6b4a371311cd6c798a06bc53e3fe3ff5bbd5ef7be09bd48

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
5990271a99bffd8a0b9299d3b9b19705

SHA1
01c1f9ec326772ce54aad7951e4c83e374ec9d2b

SHA256
eb3932e6ef72cc0603a6656b110ccaa88ea08e42f9759cca906fbd3944dab679

SHA512
e6806507b7855a7a177e98d4ed582cc6ef01f7f71a9396135ac25eff79b6f4ea9272e9fd3b262453773721fa9629b0ddb7b6191808c45445c8e3a27897037a13

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
a459072e49918e6c8078a6622789ec26

SHA1
26d3d7761e10c314b4bdd1a117efa4a4d67291b6

SHA256
2b995b12a02140d3560eaf4111ad59f000f5cefd69f16ae6763ea7398c75bba4

SHA512
53838d411d02481fe5e8a7b9b397e5540b1affd60b55da4ea141a2a02f755a15c6e5b2b64f790967675945dc246accc8a997fddb255634954680a0e5dd0c5546

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
8a4a85146f032236d6822cd5fd81d30d

SHA1
ef73eb1d5fa2d6d7121455ac91f823799c6f4655

SHA256
aa4faf18e5847b6ae2533cbcc5b1b7a373697a6c3429f0c026df5f22a6974ca4

SHA512
e5968a8e3964c5774d31985fb8fdf75b41b8cd7bf498ae5af50e01a8e68408561f72efa0c1228dda240c2515a037da0d78ee19a27e19c9c34887758921389602

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
662816c5fc613761826e31092238cc3a

SHA1
973ff3bab7e5c62fd5b8216d9f90c7c4368b4f7c

SHA256
0f76c363cbf800363b80a7f661aeeb5df94e68d6a02b494cbc1724ea5406aa7a

SHA512
35832d9c7a47129d163fbb742a6f5ca7cc615ecc43f4e17172af7e90f12b961153477c0ed67cf26637c13133f3a382a85dcaa2eefb225db3b6993354baa3604b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
9cc15973c9c307071f3983b3a6fbbbf6

SHA1
0f6035106df18d78406b47f67fb1bb8a68714999

SHA256
00a8a9c08f64db9c06930d681ae4d591d65fa84675c51c05d37bc4b92968dc8c

SHA512
049df7d1a6cfa4b480ea3cf4ab9c6023c7f8abd0cf6ddf04f95b405acf85b021355d863cf58bb83be365a743da36f84b5a008d1012a64b5ef0efd64794aa29aa

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
96937f6a0fdb3c452101bbf208913259

SHA1
2927bfda13c92696dc32e5137b8ca838cf8a41bc

SHA256
8896788cde63587afc03d0bfb7be4d59ff52e8caa016d22f01a42920e069c2a6

SHA512
173557c4387b3c6e0a11658104417b51cbdc78ea1cecacfa74260590ad5ace9c1629d00d8df4a80b83c357f3a1875886053b8bcfc6a6f434c0b62812ef65369c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
1d54130fe3976abdfac4c19db67e1123

SHA1
48a8b9a7b876d444cf22a72c99c508dfbcbbfab8

SHA256
966b1aa5a2cdd2a892a0e9e34afe9731f18afb48afd54169ee22cabc8a655263

SHA512
ccad3e704970a70f269b5b4bf18f5b9dbb687c26070552b56fd2ec64578ef2f2dae25c8ff28ede41b10c658023071288b5b8456d2a79ad476a155b1c5e79c304

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
ba09573401f10c06d3637b8b18ee8ad0

SHA1
486b052d1e31a65270847fcdc3ea6f79a0dfa415

SHA256
6cc7a9250813a9189354318a551894f1e576c51e5c5ce08ae7a4a3813d8c5971

SHA512
c271530ebce1b24bf7a3cfa4913466e6b0ad8938a19b41fea6a2df13a7b12af0ae40d3da64c29cc2e5fbf0e7a9aba4a59943a88cac0e294bf29ef81cca618b60

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
7964a99303e7bd9d908c6b3deef70c8f

SHA1
a2ce5a202b31a7096b2ef9323f86513b9a648312

SHA256
c33220e4f3515761f0ee315401ff7acf7774577fc59d2921dc310e82bda6ebb2

SHA512
3cf26922f52afadcda02714755030bb50e84afb283c655381e18646c92ff9095d64a789dd3ebdd8ed98d81836b297986099e83577a9d3f952dc8e8e2e6949e30

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
a6bb0616ea3267b13f634b49d1663956

SHA1
f831e7a19cf6be92ddd79db6596ab140db920a25

SHA256
177fc5080912e14a16ef33df45d053588686e1e1ab9b716a287bb72401c44c4b

SHA512
07d904c68932d3609dcadb301ecee34bb8b6978b25b1a2e4c79b0228b9417a130aa94a38b9c760427da92808fa915afed380c8b719a15c5594405d041fafbebb

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
9825b3eb7f9e1129331020fc11362a00

SHA1
aaaf08a8859ed49d4a4f34992a804095cc8eaa2e

SHA256
e566eda835abf887fbbffeb18b26a34b8f175647ef2c99e262cec14e15356a57

SHA512
48ec59179154cc946373ee281211465464e8e27c5bc9023340a105efc31a5351a75223a7da008d1b518793afe8b08569da669dabebc4af7cf9849a9fa78e8811

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
76e7e6a28b2d6fa5aa66940236d68dd6

SHA1
82c82ab5e2a5f00f560d075b79c1d10e5f336479

SHA256
db2f39c145771a64c1d16fba15dd8e8def3f5df5f7d9d4e32263acc2ab7c2747

SHA512
abd30d6ca9cf9d65586b5405089f992a0f6ec9d5f70befa058f80546ff1028e23313b09c8e771c47bf4a921af6f064b06c6afa5bec000746495f82533a8b2e36

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2e28c45baff8d4327290ea9ce90c1e6e

SHA1
f9f1c2b53115321e0378350d6ce9b0c04458d84b

SHA256
3c6e3ead627896cf425236e8557fd7dc4ce0891bc8bb0db595e26ff04cda4c81

SHA512
2e58374a6c99d4c4ea211e9dbed8a49b19e57682788fe16d58bd37be90905bd1397b9ca179dff4682cf50a28abed8e67544457013c98d013993bb70bad636a17

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
a5b4b9ab075a8cffa160a5a2413e2bd6

SHA1
64253b96451b5d2af50b69921cab5b53a262330b

SHA256
07671e9b0c621fc6e8b84cefb776b6bb57c6f63db86aea732bf7803e7262d030

SHA512
d52f6d1b0157fe2d6b8dabed3142e445f4a089c84787444ec99851d32b671584da558e2e3b3b4ef60d52b0181b5b5026b8a7a2026e7b368e8447c346d4dd10fb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
6579b3fdd0c391f8cee8db20b4dbacf2

SHA1
115de4188c3a6d5743a55471a97bc4735b94f2f9

SHA256
e31f6125d4e84b364a0e268389b57617b75122406e9d59d8950f08669d2a24dd

SHA512
73d8277025e9263c734060570f42a3aff3feedd52fb22ad6a2498a0576c3cf35694512e2453b2558d59c396b02a6e93231da3fcc7d41a061e9ab04fda17c55ab

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b58153a8c3cfa5086f27725f8b69286a

SHA1
deddef8144a44e6c1eb12b404a31800892f76b24

SHA256
dba6b63c92b5bd6736f19f3c0c8568b5d52448525a7c14758a4206bdbf73447a

SHA512
d8f6ed7c026da4b5597c1e1be725ffe91fae09c5c40aa3a2bef4233cab6e184ce3e04a9eb1f06e63f118e2baf05502c6dd935220b03d4b83bfc34c17ff58e945

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
ba475a518c5bbabfaa2bf41cfc88373a

SHA1
d35f896004c6f4946b48e5f4f5f2b330fc6ac151

SHA256
9b5f37845253f0cf97bb11f480251df4470d7694be4c55c446a80efd9f48ccc8

SHA512
a2bc39ea201f40f7040a4e3eb2924035e6301fb7d3a35b96a10c110bd654b456d8ad3663671f2aeaed5c3f937dcffa314030731bfb2ea831ff299e428535366e

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d343539d178c76b2670771b087ef2c8e

SHA1
dedb75aeb6853f27c3bcf67fb090469d20dfaa8f

SHA256
a8e5e1efa5820ce692376cd4be0b78a282e02f890fcc1bec8f447ea6b5331f53

SHA512
f764d0c815f7987fe220233d201b233581c85ca097b67a510b9f2925ecde96fd9f5bb258325a7799da9bbaa8ea42d82314eefa76dbfd9078419dd36b07350dc7

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
3b3484ef27a1d9481c6fedcb178ce90f

SHA1
3aa5a730b51c5c5c8b774ac793bae766b577e427

SHA256
10569d711cba017b79332700bece6e942485b33f856f8642b5e375ed5f3fa7ac

SHA512
d3d5d64b8df67b781451bb47baa5087da6ec560361ad3efa4311ef49eb4be5e163d8505e1cf7a3fcf6b438769e55b852f9a8d113c06977791392bbcb40b06f42

Download Submit
memory/824-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/824-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/992-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/992-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/992-64-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/992-53-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/992-59-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1000-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1000-15-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1000-21-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1616-5-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/1616-91-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1616-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1616-0-0x0000000002180000-0x00000000021E7000-memory.dmp

Filesize
412KB

Download
memory/1788-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2472-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3224-165-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3280-457-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3280-42-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3280-48-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/3280-50-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3352-164-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3588-143-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3672-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3672-114-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3684-461-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3684-98-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3684-105-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3684-103-0x0000000000660000-0x00000000006C7000-memory.dmp

Filesize
412KB

Download
memory/3772-31-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3772-38-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3772-32-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3772-357-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3832-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4016-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4016-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4016-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4312-456-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4312-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4428-82-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4428-95-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4428-458-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4428-88-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4508-163-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4564-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-462-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-162-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5084-115-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5132-463-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5132-168-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5184-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5184-464-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download