redline | 509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Size

1.6MB
MD5

0cb43fb3f55168e39845d89ec8718dee
SHA1

d259155148e9fa21254ddca9c1d1dfd0dd3d696b
SHA256

509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f
SHA512

be57dc7a29e47fe593f24316670322e4d298f013a570b25bb5765a2d2179de140f0aea33b1766caf180d03bb40de8f4d5b8e4d502d9b67916c15739ab06d67ea
SSDEEP

24576:uk70Trcd5/a2IeRs/J5TY5kNyBo4kx929bL3Hnx:ukQTAd5/NhRAJ+fB+kn3Hnx

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/2488-14-0x0000000002DC0000-0x0000000002E06000-memory.dmp	family_redline
behavioral2/memory/2488-28-0x0000000005910000-0x0000000005954000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 22 IoCs

pid	Process
3212	alg.exe
4820	DiagnosticsHub.StandardCollector.Service.exe
3940	fxssvc.exe
1544	elevation_service.exe
4868	elevation_service.exe
1228	maintenanceservice.exe
2956	msdtc.exe
2456	OSE.EXE
3060	PerceptionSimulationService.exe
2544	perfhost.exe
216	locator.exe
764	SensorDataService.exe
4328	snmptrap.exe
5004	spectrum.exe
1644	ssh-agent.exe
3484	TieringEngineService.exe
64	AgentService.exe
552	vds.exe
4956	vssvc.exe
3576	wbengine.exe
5088	WmiApSrv.exe
4720	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\System32\alg.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\locator.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\929221cce5a029dd.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\System32\vds.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\java.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007884cc882d3ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000321279882d3ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dad59c882d3ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c62ab6892d3ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e371b9882d3ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeAuditPrivilege	3940	fxssvc.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeRestorePrivilege	3484	TieringEngineService.exe
Token: SeManageVolumePrivilege	3484	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	64	AgentService.exe
Token: SeBackupPrivilege	4956	vssvc.exe
Token: SeRestorePrivilege	4956	vssvc.exe
Token: SeAuditPrivilege	4956	vssvc.exe
Token: SeBackupPrivilege	3576	wbengine.exe
Token: SeRestorePrivilege	3576	wbengine.exe
Token: SeSecurityPrivilege	3576	wbengine.exe
Token: 33	4720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4720	SearchIndexer.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeBackupPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
Token: SeSecurityPrivilege	2488	509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 4032	4720	SearchIndexer.exe	112
PID 4720 wrote to memory of 4032	4720	SearchIndexer.exe	112
PID 4720 wrote to memory of 2740	4720	SearchIndexer.exe	113
PID 4720 wrote to memory of 2740	4720	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe
"C:\Users\Admin\AppData\Local\Temp\509a39de8dd0df8505414287bbe8834dfe4d6edb546f1590f482bbe3a678031f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3212

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2288

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4868

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:764

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4032
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9444dff71084d13706c4b89feda05fc4

SHA1
fbd375e47b21eede250304986c2ae829848af5a3

SHA256
b5f392ff54b0d42e44ae4a46eade0d11689ff78350029f77ab521b31d3f2e629

SHA512
9409e49283ff1849926ba87c5c109214c1bea13afe1c2a8e63a8f9de51bda6ab42d44608d659a3862ef03c32f46ff7817f73a409e13b6fd754efc50e62849fc5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c4d5bc377e08c8183771a78e26deb2ea

SHA1
c324f3a7e1d53a589105f6135027a03cde2ba18c

SHA256
ad1d4473ecb6cd2645791c9a63a66649aadcb2276a15354a3f56e39a3bc8f952

SHA512
5bc557278093bd844af8ee0631685b139d564b6cb18f06213d5b25692e7f44dbadccc285ead089cd8f4653fe219b835ec84d367cb04edac6f98dfdf2cadf102f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
dcd76f4a9ab2c4fcf3b10e96c53021cc

SHA1
464e99301a4fccf45aac48c7d8c8682e7686ca71

SHA256
fd8358b5235e44ea93e3a971935c936a6201021aa101d46726ac492f9d212455

SHA512
225fb5943545e1de7129d01f07582b2c1ac6fc996caf8a0dbe96c9b5f54016b480ace9a731e1594d6dab9017dfa6c4944dfc18266c0af7da7315c67da6020b94

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9a7f772c90a695c7c97f532d5b327759

SHA1
7a07cc2676af5510d06fa7ee1a07ea00e23b2bd2

SHA256
53b367e2626765d845921b29f73cd7a82dc981be1b3958b01fba914842bee9f6

SHA512
a19e1596cca457ce36c25e3d0a6900bf5b09ddefb19e0b67069aed80fb428f9bc2ef259d4db24a8df2b5d9a5181434fb4cd1fc62f483623592dfafd88a05521d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9f68f49cb57c44d06963c30af7c8b33f

SHA1
e498ec5cc2a235cac91fb328013a0c730015fe24

SHA256
2c901d8e1cdea1f77fbada660761ca6ee5a5eed1b289f0740fd3cc4afa40ab4d

SHA512
a9c20485c994af4214e723bd07bf3114da0702dc1ddaeab2b886f122dc157905d2d36cbe87fd7f77b84ab0e1c38fe6a3074ac39d64a8e392208ee697a9a019bf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c511ec4b669c1b11476214c1ccacf95b

SHA1
1f20231379da8203503f25547715dd5e5d4af153

SHA256
9197eb09db0a2ad7a38f67bdbb0645bdfa631a711f81e7d93f77d5ffefb0430e

SHA512
c999ab3cab67b3eb8b476dd736d4cae4ea396f1888b211ee35ffacba7e76d267bb7ebf38fca121282a95b4172aa859789bd92f41b8e8e4762e47533fdd94a5ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
81a0b49b5a785b957123dceda87c2484

SHA1
3a2161ecd8695613b99aca9d1f6116222458f285

SHA256
e4f79f71c2133d3deb8b8d85d14d67cde25c38d4401cb95ac48e33a96ed01f24

SHA512
dbfde9c4230208813fb7dbd931a9fd338b194d5e643ae07c1648aaca97eeba4ce20d09e1c89c7cf64681de784abc2d79101d2586ef804f18b09bcf44b4dce6bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
65cef989df48116cfd648ed71adb1e9c

SHA1
1b35c06a5e68c94f8dfbd32dc0de33ce5c30bc44

SHA256
3115f624dd5a12914d255b8b49b662127fcb00b9cee62ed96d68e6d863585318

SHA512
7b880d9f396c9c3f9779a0a126baf2a57a1b75f2108914ad16ca3424dba346565af3a94de1d294b6058d0798bdf6321a59c1fcf8b71f49f0b7577a2547d6ed43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5987b2099720c0357404d461dfb808fb

SHA1
d946fd855e3927ef7a95ee5fed9497626ba3a189

SHA256
4ac0751df0378596c55d1fc0f7d4f38befa0507abeb2825504aa0bf1f85ab0aa

SHA512
8e1d0395c61c7d230279a6484b88b6fbd765ba9473e0c9a77510fe6b3fc34c0658bd1c9ae2522b491e25e07e1ad926e0b02c4fe09e956ff19ef6287ba0a05882

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6572abaa438baacb5e88a484880c3be2

SHA1
3d2391c4553a20a3364dd8728cb3fd522edc6524

SHA256
dce4d0872c9a5a206eafcd158c4f5e115fbc525bfd8179db3a48c31ab459ae4b

SHA512
2a4960e0adda78ba4894a6e4a721b23896ea08066a3086d9e6ac7db2613e17214138e7fbe10780ef930b45c44f3e5a1f5c8e52a6900c04cb88dd7346d0174983

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6e4c68b5ae0fa0790d50c017ee94bea

SHA1
40c0c32565520a3b0c9d86af79a708f67d812cb7

SHA256
20984e6385200628c9ab2bedbaa8383b7a4bc9714bd5a1f0a1215ee3bd245c3f

SHA512
642fc69cb5fb5a6aea52e2341346c90835f03aa10f7602c2726bff2ad2e89f63d8db9bf1c0c3696fb66b2744514ed99c8a7586604b1fd1479b6b64beecdaae8a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b63aec4876b2c8146517f791e606570b

SHA1
faca2e7c963722489d50310a540a172b0a8661fc

SHA256
70965983fdb03aadf342701bdde1cfb7b03ac3e9b7cec7034571d16e2bfb1695

SHA512
970f6bac438560c6019a6466b5b4a4888fa6e307f2d235748ea926945ee664585bf0d91f9b498023a046f17829284aad763543ab8a2524062ca1e4dac17e12f5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
14f5f7c9956857fd00ea8837371d99b7

SHA1
c707e925002b64bb601de3b0b39ba0fc2c82007c

SHA256
09f7bb4779e9293be81cf15a1a8de6bbf6c42fef65271dd1549b266bc7595097

SHA512
abf592dcfbec81e43d2eca3335d4b9f7373ec57baef1b274f55b076404723bb92c755bf0a3e8ac910f02b6e50882918552af5b4e82be3643cc4d578ad443de63

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
21ecff0f9d43231f32a98fff740845ed

SHA1
a5155f461731fb9422ce0e4549ffd550121632a4

SHA256
487e7144a88c48356171073f5f90a4d763ad53b9da5e97a4ab8d0f63d519e936

SHA512
163bf7e50f28560918f490a2e4bb7e9936b846ef8ddea37988eb1f68730ecf795774d0a0026d717b87f0b6fe14b26cca538f0c7d0251ee678ed7108951c8341e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d36db80a84b9e4cccc8168e2f581e67b

SHA1
78bdc509005212bf1cb0e51d3d51398a0fd28f41

SHA256
3188c169d2abb8b6cdb449e45228c8e12ad8f9946fa4cefe6d29a946db5e3a82

SHA512
59dcd7f728e68b361f5ee2f8ddfba0441fe640bca3ff44f444a4b31ae31df6e06f0e17ee3321076be55c47400a41290a1f598ec1c083335897a3d26fb1f311f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c5baf743389db180cfd4c7d071364d54

SHA1
b6b88efd51db4bb39a5aa96d50dddfa975a67ed4

SHA256
3f44ff6b85b4d9e22f06914dfeb377b7295b9df59f358478236eebeb9e377ac6

SHA512
50c37d788d6404bf87e83578b2dee7b34952ed47d9323d832ae9d5d129ccf40aad77208926fe8ef44ee28d24181ebad39d952f96068f56ee16f6edf1ccbb70dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c5f2e25be0bebc50a21dd1f59d60d63e

SHA1
090c30dc5819e660039dacf5425e4e47018b6d01

SHA256
0e7eb4289d8344191cf8951fe8bd85c6b1756c0f0b7c1fa283e4b2edc9c7447f

SHA512
88e8dfdd37df24954ec9b036bb2544b5e893fe69f1e010bd6aa7cdb56c6873bc52a4503ec6ddfb79b274303cd5721e4b03e607e17e6203b134a0e3d6c85d3ae7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2e5f6d6d161ea82a0ce84f4375886f88

SHA1
cc7c4bba9e5c3b45654344fd240e46ec69171fc6

SHA256
64747b532d5caafe94440431bb253c09fea7b694cba49ddf005eefc0398e6404

SHA512
58b2ae37453dc3dc3fa6c6d59b7f7ab9ca928cf83edf5796e7746d9b7906cbdf6241b0dda759fc6d1fddb919d7a30f3bb7d2ada45fe968b250e910a0c88dc97b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d2a371c0661273746fb3818153651d95

SHA1
7c43a3d4f7359c4515c524a0b77fbc4cab3d082a

SHA256
ade9c4e68fb4208e9d44f302e565b7f9dbff260cda950d388db9a6fcd7fe871e

SHA512
05d2d4ec7ef13d59e8fe5a7364e14d1aa988d82df90b5677e38ff1c6bb1f4595be3fcf2871028e03865b77ece84e5be2bdb2d787954fb8be9d60114397979b79

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c57e3dc79ffbd255d85a307bc813b6af

SHA1
8b22ecd991d5c22d2edbcb23d24fa59f7a5d8f95

SHA256
20ec4cca643e9cefbb25a9f9c7599df535c1555542b73531ef278a5b87ad9826

SHA512
1a1a7f7c49c24640af46afc3620274b715ebc4a4ea5b7b708076f78989faf59a942db959073d2515748006f42c3d5bad631c133734c1ac8d97977f9b65171235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
cc5a488f3926d512745ca45af48cf142

SHA1
b63c4ff41170ff7d9367de65f860320f5876209c

SHA256
383a27b1f61c1589901149b8292748cd0421129b324255197f4b0ccf39eb350e

SHA512
9e21fc54caf9ef18fc43803f0ff4c36cf7809324adfe23616dd06e0fb6078df7d436174dae9c98169a92c613c2925368b013a1e1671e49424973406bbab71b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
791bdeb3f32c5eafc1b43f76ad74accd

SHA1
b265c0763e821b28024e2091e877d26d4594ce2b

SHA256
50292a2f4ed08fff0c2b8aa6d74e9e022cece3e328bf667ea8ce0c28caf77d9f

SHA512
069b741491e9337b5c0d2c3ab76aed0abce9bb3e8d6efe1fcedbfd232ab3a54857ae8b8c0cefcd67cdc68875828c09cbed2e44a089709cd1908a1f5c085a2eef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8fb2f55e9db35295a17169f100312ec2

SHA1
a10ad29b13da0be98be65ad384fcca781d67d85d

SHA256
fa05bddbbada238a71e4eb5c14fb1fdb5f255a1d13796524a2e052fead7e9db1

SHA512
d2181213d5e61ba66ae08a49f2ba82c580ec41adc5369ab6cc6b680a90ced9589a2f503ea171b4ec94f54ff03181ec1dcec4be7982bafba4771e19811d465cda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
16afa1db778507cec2021d505dc48c7e

SHA1
5c243447cfed578dd02c7a80903f9a02c5c7d84d

SHA256
7a5fc2c2d031dcacb90ec05c3449f303e86b7cd69a9cba9ba65ecfd5a0bdc5cd

SHA512
8c3edad1536a439dbc85c1fdebc42258576b1c24c2b2de536c21d7adf61f9fa74777805c6b947e8eeb3153aa6f019aa92b7cf7be74daaeed5737e11591d25d1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ea99b77cf54819020f9d67dde50b3228

SHA1
421e7ce6e5c379d0d6aac86e08cbbd3be4e80733

SHA256
5cf19c8583e784193e513c37766cc725a6e24acc43280b08f1719dc11dc3841a

SHA512
8032f629b31bc86e5bd83295bb83da9478d5f00a2e7ee05ee4c023885bc7c241cb782b6911be2234ae0bb9bb1bbeabfe50d86abff22d658f905e125ee852444a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1a12e8578358d8d2a5baeb24066533cd

SHA1
f64b8f77a2a986cab37926e7da2b4c652ac1e07e

SHA256
8894dbd7b0615014a08b170b2793f09cf615e0dcd3e45768a5a30799c7f5ab0b

SHA512
f4016999ef19febb08b464c540141a61fdee0e206746c5ddb43171fd5a41da06f44893864b558cb12244576e70da5043b2e64cdf50eae38f485e777c1c91a40a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
66ebef372402dc538c4797a197e29e64

SHA1
701675602b6c9547a487b6913089f740d8bf4c23

SHA256
a3767509cf47fdad2d97e6f9fcf897fac049976fe91af1ad364ca22ecf68911e

SHA512
18d87345f1a60e056327121674d1e90b70eea8f380fa1011d203a8988a5e442b528b1554c60fb066a9b995584cb8ca4801cecf509e119f432c3e8ce8e36bd4f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
af5502a7b18d565631de440429a36ae6

SHA1
bc4eb075d61bdf839544b8f7ae2e53fce0a211a6

SHA256
29cc88e1d9197bdce237bf6ab0e4c2c50e04d436bfd86ecb12eefe397ee15842

SHA512
ba12b6cb8538cc66fad458e81c5a80366ac6c50498d24d2f31eb8a0f94b343b7cfdbab92b18ac94970f25683283a3ecb78110d0beedabf5afbec258e6cf93c5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5c1bc8203210edbe83b4aaa7d1ea7c71

SHA1
cfc59ad44154a9f49366cb491eb2874e9c239a8d

SHA256
4880ff2b2e0eb5c1a2293be02adf1a95368ebe70e01c431889f92441d4108e12

SHA512
d195298b8afbcc3f7ef3edee4df871a82004dcdd40fd9c4a5a0927e15616a7a2c119fd1433fc4d0274bfb662723435e17da3429e22061844b433fc1a84581a1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f950f23871a0791520c8287cb5f2580b

SHA1
3cd825ee08fdc8dfa280b0a89a9078dd3e50da31

SHA256
3616c0255ad1d12443790d9e914e79909c346927e91b479b572ca7868a35809a

SHA512
c8ea032c1b553b2cf0ba730416bcfb5e77d3016f372f3d75bcf80456ea6ece23bc8aa81b7b1439b8fee16e3d6f0ce7c60ad4e5a1533a29a5f499f22a65ebf6f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
900d8ad832d79fe5706eb7f3d75fda8b

SHA1
b30680184f55dec80dc642b0b2f2e00922883b02

SHA256
29b63305b3ce7d560092cdf9f8296332486c4fdc703d1bbaf639dfe45a53ab57

SHA512
a90befd420d3f4c0313cd9dbd8abde2962e38796102f829140e67871ba711d4aea39255de3cb6c9ba8616036f23627529fddd402af11a91e235d2cdd6f39e5b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0736d634c256568e511429bba25c3456

SHA1
1e1ab251e15fed81f33c5cc8e8353a0326f5d43f

SHA256
28c96d1f8346935a4ff886dc8d1035d3ad6623a3fbecc264a40f95cbf3ce69ce

SHA512
460288e464e73bcd891ea2913ab9cbba207c01430761c9267c7e6a3ede14579964e867eb395f33e4cb913dfafa6fa88b5f9ae1a40ec1964cdd708d3d1004d0cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
ab5f5f5f1fbdabb529400366a2a33443

SHA1
3fd0b676ba102a04a62dd21425642ddbf6c2cfa8

SHA256
f57eb46501b6d6a5422563d8ce6738785f025ac789695293124c194ac310b143

SHA512
da4b6de174fba4ee129a12dba0a0e39b640623b15d66fcc36fd2a50643945baec5ac0f0efb5c1aad4cd77d9299aac56a57d69af9018aa09178e0e667f2b16459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f36a824c730b1481be2759388b2eb285

SHA1
3708ab3caf1d6d82318b880180f6805b2bf6a553

SHA256
df68bf643c4246f05d640f14e0c8dce7b54d15cec1f019671c2ff73170b1be88

SHA512
f495667f5bc12b8987d11b9c280a99a2402ab0d42efd3e851869f114ec5d4c18199745ce7429d62a6cf45145ec9cf71e90f7a0b63609b9274f3cc8bf0788a421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3411e6946e6942a7d1c56841acb857b0

SHA1
07fa279ec0cd17098bf574271bfc5177dc7db868

SHA256
8c8281c644983ffa1d18cc89dd7d6b4ce2da047f60aaf387a60347e26a98374c

SHA512
37928161d6381035f467dc8fd24017ecaf756924016f9254d45853c4b1ef2bf8f02a6966ce4bfae8b7bc58c0e98f614b893b3b4ee9c433c5753b2ccecbc70599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
abc65afbd8b78eab34ec06de726fbac8

SHA1
29f577a7eb02afa1fabefd62ff8cbc2b5f480ed4

SHA256
aaf2a9ff0842bd64af62306aa92af101fa3e37d3a234b53b8d29c6597dad9271

SHA512
7dceda81bedca53c35905050b204ae597ff9fcf6c1136f4d84806133953f2d2b5f9d2d5097b0df377fbf3d25afb464a83d51c7342d5a830a1174dbab19dd83f6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5ddab1262ed3eb863e1341850ec4e175

SHA1
e1a5945cea9adaf53c7f27d7a055a2904f24ede1

SHA256
b000750ea0af7f5047b806b7670fdd46ff4cf7389a52da665252c6758371788b

SHA512
69382fe85008e54df00e35cb29f19cbcf3991d5286ffe7a4f9a2cd046443111222ee2940357ed2f2bf7fba2fe998bd8a4ec7e1e7bc3d7c6c3530708c59f0bb17

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a68c8143a5fdfd1e6029f4e459c0c7d9

SHA1
b37b5649d32ae7f547be0c9e33b6e44ca9352f03

SHA256
4fa68ecb0d562d6aa0dacad1eda62c0948d70d98570c34e753afb225939568ae

SHA512
54172ce2228d9e023f4065938d81fc99d53446148a83008c58679a53d602df4f0f54d3ab8762c698d1ab76ab003cca21f3a42187d5e82d8639808aea44e4945c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3b14f14981937a9c29b1668baef8bf24

SHA1
c1e92b43584d013737865a25a059f691b61ef6f6

SHA256
c4b9a09a828f9338790e42a720c366892471c0ae7c6c3c49a04e3eeac86dfa90

SHA512
2b19d2c0dc48ed018a8ac0203e25649377861b6b0309e7f8d648fd9d2943906540b440e3139e522666a7e690cfd9a1c167988aa3b10e9e862d5c793eca85fceb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4498c7cecf7e4747127ed34e7aedbf06

SHA1
14fe036bb680f3bb5624d4658ee7f1eaecf6171f

SHA256
2e6acd694510cb3292b950d3f94d58440c2925018d0b120786fb1cc2504cba1d

SHA512
8dc624305e1419be3b8673ed552dcd8443f2dc8a545905aa53d219f592bf1981ae8df9ccae9c5867b9b6b6a1f8e848c6eeaad9e021064c24f7cc91906e75a07f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
1a124e4f5a5336338f3c906095ee8336

SHA1
d12ddc3da4b12c71bf8955c5629cbb698a2c0a13

SHA256
fff458c69061c26d40cf206014a71180fc900824971ac677f4e47ff7f08204b7

SHA512
f646a60656c0b9c8b01716fb2f22972fd4eeff0f8e824bf9783d6bc70cfdf0f7e02d3679e76389a1cd89061100ac3947603b4fc60eecd2ca6b48e5227eb812a4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
095e6caa40c92c74e3f1afc61b6772ac

SHA1
b6836162d488d45e7456965e48b3eb928820939d

SHA256
c70f247dc1f1a3ab3fd76e45b719d7bc767a35a1654285324d56e2b09f0f8fa5

SHA512
f08c457a8406210452679441ba1447aec2908da4f919d0c58278c05bfe4d06ddb11d9512ca1451040b98a0b20fbe7fb3e1bc136dd4d4a47371bafc5742e11283

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
eeaac1ca1f59a1ce5a42b7d113420e90

SHA1
26a781fffd738f670c129df5510340fa1a80354a

SHA256
a5a6f77051f7af031b49b6d306667adca8633cabdc54ee6692ae7c234783ba46

SHA512
296b08076f11339652100c2b8a85b8b2d1b82af04a964bdf010ace4d3f23c63a1c196ece2cc1a95c2a5220c4d7e0aa11eb6d676c2dd34c56598b4511f5f63c6c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
01613997eaf2357758949d3b13dd0090

SHA1
2728ef8425c2cec11445e66aef94c79efdc9a142

SHA256
2cdb2fcc80a6ebf8d540dca4a00b3ce9984c47e3c8b72344ab0a9297e467a095

SHA512
f9335fc3d3e8f6f38ffa73f6c7e74af57c1c72acaf705f5c0595d113304a88671837dace2b6a1f5a48b874c8aa764b67e6ad9c498c2b5dcd294c797d78c40298

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0ec6951e418545971d2954ad0d2a2d81

SHA1
14bb9841e185011d5d6b43917714c137a34cd9a5

SHA256
5658dc1ac0b1af80cb4a5bc28d46ba72b7233d0ea25b9820558f04de31f2fe98

SHA512
1e66402d02cc37ec874d1244280c14a0b9c4f37aba0a9b2f57162a8ffd53f5078674700fa8eecac2f606fee1aebb3f0397c5199d65971300173a61578c9c632c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5434908c0326ee105429e1f6fdd3ea49

SHA1
b3e2672b921425d3056d0289ea24c62b2935b93d

SHA256
639929da0ae3141bdd42f916d961e451512d990abb19028739ed04385ff5c6ae

SHA512
ca1d1cc65ddc2e05edad656f1cbcf2a45ba4ed4f0631b49157046ce6bd7b35ffe857cf5fd87a80a426a41bd525b0a8a9909422f2b89b54ccb3f0cb56b2637f95

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
87b3129a21e5ead2edde6a5d83a08cdc

SHA1
07dd373b89f47d557886ebe5eb2b47d093e2a840

SHA256
dfefe3338bf3ddb0d633c8654fecf19a0b267b9f0a1fd8fb5e42faba3308e42e

SHA512
b4727ce35ae83af6f20a1226c047d551b4c4d114584fe5c72bd823a3f681ef31563e543a0300a4af208388ca83ed92ca79cd334d98efc5517ca86e1ed242edf8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0c5131471f9fb265bff36c9107c830c8

SHA1
3837742d37b275c0eb1f64a92eefe23ffe0081b7

SHA256
40ab8a7a9ed09dfc820e3fcc19e6e6f079c80171e02bc408ac4c86d71e131fb1

SHA512
81be965d3afa413fd23ad9b727e470aa7233ffd9e4e3302f51f8360bc2a11ebb4298710ef8288431884f9960921b8c9d463f6c4e8cad01766e75204981c0279d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
87bcc110f569bec64ac798ab7763d222

SHA1
2f8979a87e11a0edf1a7d06afcf2c0fed010bb5e

SHA256
4c3f754084c2a46f1abccf5ee7bcadb7afc493c69238bc9b33838a8bb9949e6b

SHA512
eccdc509dde4668a5c9f158662e9becb7de5dab6b3532038a21792749abb2f9f9d004ee697a125036e3d4bf2b2002a7b139376f5b92f8574fab1e2a0159f78c8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c8f061f9424711f7f1ebacb277e968b1

SHA1
399c8ef5b9f6c2d7703536de32d622a163da1037

SHA256
0354a4f43bfbdad6439d588715be3ae698b5af2c7478d4bdac7a27599541a559

SHA512
66daec4e42d98414b211ee5667c530819845b5530c2ac150ce2549abbe377d536430d2df7542add641219674977f3adc1bcdef86ac35fd2363ffa4b115c1b8d5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6f3893ac33ef1c8225c178e5b6319995

SHA1
8b109b5cfd836da64751a0c0bf0e2cc92970269d

SHA256
f50264162e33453d2f7adf5bad13612b488da20b57503b027ab5a0dcd234ff4d

SHA512
ba422cf2c1b62b6cc575c18acff446405c2c5eb9a2be69dc40896e2bae63de8ebafc991872588c1c8e57a8df5bc617662a2f2faefbb80a1fe287e9c25a8c932d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
628be1bdb8b3a1342f7caa88ff2eaf90

SHA1
65dc79da465163bbe88cf8f5e3d17a06f42a4814

SHA256
84c6addc97d6d466eee3fdc7fc40b0b715ad3cd4f874b703ba8b04d8413a06b2

SHA512
c915b48db049843e99a137c1a6b68e3440ed50516be49cfc9f998c6439a5397da3d25e80a9c10fa46f10155d53c12ba9ba79df602ab39bd9cd0fd709ee086768

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
eba7d619cce927a83107b976665dcddd

SHA1
59081c03c2693e9d81174ff7b6fb791b8f3da99f

SHA256
6e4a3e160118930f523542abfbed68d1ab43e070a2de2e4afeb531ac1512199e

SHA512
df5952aa821dfaa691f226bf0b1efe4aeb03592098ad134ee0d2a4c659a47a26dc5a2827938fcd3fa091f716688b7d202fc02c09e60733620ee27e468e6c16f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0866f5d84a8516cda2f62a58b8226d37

SHA1
710255538ff4665b504d6b9ed29d9d5fe0e902c1

SHA256
7a868987341fa52b55fdacb9f84ca09ebb8b47be2a2835ef15bdeae05e304f4c

SHA512
16ec67e1b8a174bff1a8af7fb1e6595a9e043e087a523d175e0f7bff56fdb8f2b342549a088a44a5268922c617734fa8f8e7cdcf2f913a8fe0b29625867dfd0b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0848754ba396e1ad600faaec4c0a18a3

SHA1
8c8ecdf4dcf6cc97fafbc4466fc2ebc99eb2278c

SHA256
82b17de0389878fdf0ccbaf36b3473a6dd13a06b1174fcf1e92943f7c4c946b0

SHA512
57eac156f28efdd8b511d1c7fea0c491763f56dabe91f6383c75b455cb1bcdabe54530546bfe585ce9c26353208c5e465f3b4b03c1b1a21bfbb13212031a89cf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f8b558ebe22977151b631212677dc1c3

SHA1
a56b9d5dc401a0d6a2c96aa521c2c48ff1d0963d

SHA256
bd4c78a15abfc516b8b577e7be50954a97e9414293aa4c7a4c30c1783166e356

SHA512
84d530df22f8b03f08af5f929d6caa282a7431c0aee04401f4e24c09a5880607a6405384e638f02fdfdc7748ec266356caabc566afd3aa2ca5645e4170db99f7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5b9a453c68c07c5900f96be1945e2a55

SHA1
780caf717453bd9288c9515aa18ff6f1fb3f3d45

SHA256
21d009308ce8bbfe200b1d03cb5c789c5f6554642460619b047e87dd0c7e88df

SHA512
056ce15f7587788e16f4afc73cac43c9b8cbd62bd442dcd06d3bce37ae882b187d905b7c3db48328d6ddaae466104e5e2145d02275d9e1107a13185048edb7b4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3d41fd6ab2ece3d71f40b0c88704eb87

SHA1
a3ede775de70da5b6582ae6720ed5c2173fda759

SHA256
c310fc243fc73b8f5569575cb83b5198ee8a39a63b8b736482b53b70605e49f1

SHA512
8c273b086497d335b9b36b3860b56b10a800919b0ee0c438b88405708d1705af61f539f7e0a5c872458e663aad804887fa81d6f9ef7fb6dc12b1a65f2a2c1fb6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
f68bb975043b6d6f32a318a9d1b86727

SHA1
2c20aedc5935c1dc592866aa2185a3d4874d6789

SHA256
5cef93c161b745d573ea808cf228ad6e2770c62b4b01fb50bdead24e3ef5a8e8

SHA512
955de8dd8429144d78a92cc43670bf5bd77cb35beddd5db480888cf6831df634d405289bef510b43996315bf86bb3c87ce7e6ab19f4872a936777d4ccaddc738

Download Submit
memory/64-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/64-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/216-156-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/216-267-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/552-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/552-435-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/764-453-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/764-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/764-288-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1228-87-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1228-98-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1228-100-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1228-93-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/1228-86-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1544-55-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1544-61-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/1544-63-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1544-155-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1644-195-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/1644-384-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/2456-217-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2456-119-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/2488-85-0x0000000008F20000-0x000000000902A000-memory.dmp

Filesize
1.0MB

Download
memory/2488-0-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2488-112-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-8-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2488-10-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2488-118-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-39-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/2488-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-82-0x00000000087D0000-0x00000000087E2000-memory.dmp

Filesize
72KB

Download
memory/2488-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/2488-113-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-26-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2488-28-0x0000000005910000-0x0000000005954000-memory.dmp

Filesize
272KB

Download
memory/2488-64-0x0000000000400000-0x0000000000594000-memory.dmp

Filesize
1.6MB

Download
memory/2488-14-0x0000000002DC0000-0x0000000002E06000-memory.dmp

Filesize
280KB

Download
memory/2488-40-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-101-0x0000000009030000-0x000000000907C000-memory.dmp

Filesize
304KB

Download
memory/2488-65-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/2488-80-0x00000000088E0000-0x0000000008EF8000-memory.dmp

Filesize
6.1MB

Download
memory/2488-84-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2488-95-0x00000000090E0000-0x000000000911C000-memory.dmp

Filesize
240KB

Download
memory/2488-29-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2544-144-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2544-255-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2956-104-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2956-114-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3060-133-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-243-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3212-103-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3212-21-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3212-13-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3212-15-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3484-206-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3484-409-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3576-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3576-461-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3940-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-51-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3940-45-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/3940-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3940-66-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4328-339-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4328-177-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4720-490-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4720-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4820-31-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4820-41-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4868-77-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4868-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4868-78-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4868-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4956-449-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4956-244-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5004-354-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5004-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5088-471-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/5088-268-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download