79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Size

5.4MB
MD5

a6412476bcbbe09bc8d756df61c25d79
SHA1

e0756d47ccd13d91f1e5690b039681b25912d9d8
SHA256

79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5
SHA512

973ba5fdfcd9e03799ddb0e26532c6d0062ed0d338b31bb7a8b82d31c7812a60b3500d8a3dbd8f3d9d1d6c4b1396694bde89fe3aefe5105bcddb1c1caa99800e
SSDEEP

98304:kuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0r:17wq1W6HqULS8djZDTaNNeCKVP5ORsgv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2276	alg.exe
4556	DiagnosticsHub.StandardCollector.Service.exe
2764	fxssvc.exe
4900	elevation_service.exe
2928	elevation_service.exe
1688	Setup.exe
2704	maintenanceservice.exe
3744	msdtc.exe
3012	OSE.EXE
4332	PerceptionSimulationService.exe
3460	perfhost.exe
872	locator.exe
3496	SensorDataService.exe
4972	snmptrap.exe
2416	spectrum.exe
1112	ssh-agent.exe
2364	TieringEngineService.exe
5052	AgentService.exe
3228	vds.exe
344	vssvc.exe
2212	wbengine.exe
3224	WmiApSrv.exe
2552	SearchIndexer.exe

Loads dropped DLL 5 IoCs

pid	Process
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\AgentService.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\spectrum.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c446eebbbb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\msdtc.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\vds.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\msiexec.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e0f95d21f9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aad701d41f9cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067620bd41f9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b931ad31f9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b460cd31f9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003070b6d21f9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089ac92d21f9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000409a7fd21f9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea0eb4d21f9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
1688	Setup.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeAuditPrivilege	2764	fxssvc.exe
Token: SeRestorePrivilege	2364	TieringEngineService.exe
Token: SeManageVolumePrivilege	2364	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5052	AgentService.exe
Token: SeBackupPrivilege	344	vssvc.exe
Token: SeRestorePrivilege	344	vssvc.exe
Token: SeAuditPrivilege	344	vssvc.exe
Token: SeBackupPrivilege	2212	wbengine.exe
Token: SeRestorePrivilege	2212	wbengine.exe
Token: SeSecurityPrivilege	2212	wbengine.exe
Token: 33	2552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2552	SearchIndexer.exe
Token: SeDebugPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeDebugPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeDebugPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeDebugPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeDebugPrivilege	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1688	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe	87
PID 2312 wrote to memory of 1688	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe	87
PID 2312 wrote to memory of 1688	2312	79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe	87
PID 2552 wrote to memory of 4560	2552	SearchIndexer.exe	111
PID 2552 wrote to memory of 4560	2552	SearchIndexer.exe	111
PID 2552 wrote to memory of 2660	2552	SearchIndexer.exe	112
PID 2552 wrote to memory of 2660	2552	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe
"C:\Users\Admin\AppData\Local\Temp\79955453667b3ed5daf47bfe94a4b9d1ebbb81fa3cc3f273b0a5a7b2a77febe5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- \??\c:\0be0c9257d7f0d4497ccbffc\Setup.exe
  c:\0be0c9257d7f0d4497ccbffc\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2928

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2704

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3744

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3496

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4560
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\0be0c9257d7f0d4497ccbffc\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\0be0c9257d7f0d4497ccbffc\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\0be0c9257d7f0d4497ccbffc\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\0be0c9257d7f0d4497ccbffc\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ff874f716b6460243ad785fe5cbebaf8

SHA1
f7ba5320bae65d16056fb2238fd1f5dda982d9af

SHA256
f71e8c955bb426d7628b88ab48d4492778901fcf4acab031350ae77053ff5d75

SHA512
9d0342471c99fdd3bf1301eeff41e385312a8e52344d50a31c6b8f4dbd874d2671993bb1c8fb2a7ec721dcd89ffbe85a15d2cd7a835a1365f100bf5bab4f5bc8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0f5d8c05b46ea8d6ab2e382305f02c33

SHA1
c541f839683fdc6602612aa080bec680057a6840

SHA256
5725a9ebb58e3e5445049840cec5a8c2eac45a561481c27358c3c267a9ee15fa

SHA512
9b1710eb2f5f25bd6e3f057a90a6a6e5f03bba1f450a21f6ed9da29aaf190784d1f9c8b8ddc6cbe1073ec855702acfa5f5af9f593cf6e860d817a4608b908675

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5b733d292a75c9fac3b1ab16144a712c

SHA1
498dcce6583c5384a4901d2917e3d3f9e5fc222b

SHA256
478847a7dfcaaec45a83cf435ef0318dbb8ca70bbfd5702bf41e3b3d2155fd11

SHA512
762f4295af90e0fd68334f40a0c8b255be7c70085b37b587f8da45d35036f221c59eedd62b8ed93177f10f9e0361eed61f32758c8535738d0b5d47d39c5a92f6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8b6eb07dac2935eb268cb84cf9b62e4b

SHA1
78b285cfea60f58c4d9059daff7177afe858c274

SHA256
a632296475efea38a78f9f1fbb39f2736f8f3af5d55b8006e65191c38662d336

SHA512
bf3f276de9d43ef98957401a093a28241c9bc933430158697788993829971f2e818ad76b79d450ef2f4f58a1cdec26773a5340bca1a48d9ec20f977e6426a24f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8b19f58220b034af63035cc2f033feab

SHA1
ba7a7f62f27d5d55296fe1543872ebf5dd21e687

SHA256
e70f3eff529cfcac4776884c09073b733c809b9e8897f22420060eb29cc95728

SHA512
b6fb22ad2c2291480b1f91493fdea5bf63c21c47f40a993b1fc1d8cb78e6fdde81dfb4d9489d721230194e34c746670554979691287e738718bb11c0ab584cda

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
321722c69c0a00ff67b9e3dff577efb2

SHA1
9cc0db2d3c626517bc0c099bf3f474526617056f

SHA256
090b6fab307af69009a891216565e5f0f04d8169f96a456da8180b45073fb836

SHA512
bc6cd683bebbf82cd5a65a6a40cc3e994352835811bc26eb8477395d3afafbe0a6e5c2d8e09411f85ac776ff4feae23edb0658a3523a44eb3e78df8c1a2c3e72

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1d0d7c3f2f2a39a2f0c1bfc559904730

SHA1
d42be4be84d4765e9ab19bc0d65fa706667d96bd

SHA256
c32748417937fc318b9e186c65fec64ab39a8b05187fe2bcb2c6e9ea0b00b3ca

SHA512
13845c7160fea33891623705a391d571c1b9985d35f02c83349b1044116cba4e6c68fd96a208a4ece6656b417a60b1ba7a90d90d763b925c3d1759c83e0b20b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ce0c1487bcb4c10d17ed8508c254bda9

SHA1
203f645136cd6e660a36869d7a2d490ca6779d90

SHA256
9da8e0ed3369dd786f7aa98fc1bd1a000a018442cfa9b9634f4f275c53242b16

SHA512
837678ab7fa7394c1847710e5c96989cd26d07620fbe55367e7344927d4c6711cc44970ec391543d85dad7850f47f80e9d66952b814945b797b3d494c3f4abc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI38F3.tmp.html

Filesize
40KB

MD5
8ca3a79dc93a40d1444b8206fd5f83e8

SHA1
797c100da48ce20e638c2c2f620e25dda43d5133

SHA256
614599f846d893f70320d5a7a2817d6d99561d9ac34bb73d1460f57a3b3df8ed

SHA512
5cbc3ebde8a6cb3cb024a714ae872dce576db0d382480b05ee585f3db913986cecc79a382c40a38b4a4d9c8518aed4823a8ffa21213fd85a2a9e8d13d823d6df

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
8a4333f8f9bde73147f2dfdb1dfbcee3

SHA1
c202f1da06f0221f428ad0a68c30254bd783b2ca

SHA256
8333caf61d52f2b4e7086c7bfae63fc95204d903e2a7fbc6ae4e0e565525fe17

SHA512
d3f46e38c194e8fd6ff691c580c6a0cf0befd597e3f3d63c27ec887c9c6f442c0faf3c4a227418582df71b6028ccc1252ad6bd26c188542821214807b9e5854a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
93402833ba7b0342f81798d480fcfcb8

SHA1
e6b95320623d40a91e674092313132bde2e413b2

SHA256
32fda43dfed1bd5e626afc4b3e3d9bcdbc04b1a4abc339277d61528acf883f4f

SHA512
2cb86c7c510e41f8d05c5c6325af1a962b4e41b6cfd218cd43780fa1ad74d6e47a50d1efff2d3fe2c88bcec1d1b1dc7c2830336bd21e5c6f118866a452d73387

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5d4d59a3cc89dc52f95c8e0cc7353021

SHA1
01be1d9040dccb14511e85f990f7670494d5e113

SHA256
40b459be9367c455ee429ce9d2ab93421533b54cfabe93d1e4f60f2c5becf31a

SHA512
4c63d71423083b8f209862b4b2a60f5fb08925b14af59cdcf7efe97a85cf4107ab0f3f23735aea89a3239d168cd1c0179b401460738ecc6057e125ddf65a8e5d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9a891e2e4cbfd079cb23b47384e8b9c1

SHA1
706f8a3382ea70f1e8f86248acabc62e3397b920

SHA256
a016ae992a3c62a3847646239c21eb1dacb99e79d4e511b49d8cf5a69dffc95b

SHA512
6f26a4cc58fcbc1a106e4998ba5ce28b33e0546b49e8fe7f273e2bb61dc904863533f6d1b98a5cc9a04c185b4cd3d78ed23f216de18eed28afaf2d6fda3c627d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bcb1e0e9e22256dc781448b1d7baeaf2

SHA1
4b13d2bfbb9e0c38ac8fedd4c26fc41a7ff5e1ff

SHA256
580484b23dffe726c17461d642a9032fea42dc5a2f207e1591b94994a57b3d5d

SHA512
6eafe033d4782b6e1ebfdd127c2f703aa62181df0b73580b86108c44d664e9f99d2012d15350d9231e93d987269e17626fffa1749fe3b1b5959f0b14c37ab481

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
9c05c8c139a7923d84edc749b54c68f9

SHA1
642bed616edea857c808e9c72588abcd045ce39e

SHA256
ae574c8d8ec1dceb318c32ce32467e0248207d1a2224425ece43be5d8f50af6b

SHA512
5afa36951e03178dce729ac01e1da717f6356860a49f1a51fe69b1e3bd0f8dbef4b2fe494f54259a284ddec1a9e95ef994b5159ffeecb90d29c68a8299a81e88

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4f722627ecf81fe11ecaf2e4e7f10d6e

SHA1
4e8dd6f1c196ed0d29fb853370b9af736e13c5e7

SHA256
04a8388cda0e9487cae30353b3667f7c762e2a9cec178c18bac5dc601383c18f

SHA512
3b8a6d29e471dfcdf4de234ccc9c452e09c50a5c9306149fb0cf85d57f4311a0f54d2f6a9ef10f686269a3642adb53ce1a1b861ee6fdc2f86c069f5429dfc6dd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1d070cef7d18be70803bea723b4db5e9

SHA1
a32db314a7910acdf52221fd3450ce1df4a062cd

SHA256
28e7cca5c190bc0a963eee7dfe25ef1b4abf85bdde1e3cf44e0868da324bc1f5

SHA512
240aae5b3321e166c235eaa07391fbc43cff29d1892de49041b9b65ed5e662197175b58872eb3148905fe99cd2be86bc3822107fa24feef0f8b9f26b2e3942fd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c4eff1be852c79df82f833b9414d3718

SHA1
4fd5a2c842d6805ee8da4b7bee0c121d28b84b66

SHA256
cc01bdaf4f1a7b142ddf5cbf6ec6d121c5644d737c671e621accd3d094ac00f0

SHA512
d8c20a295157e2430fb1f768e2a2c40627b252af6ab25d119391ba787f529a5c4fbbe65da9f81b6698221b65ca5df0d80c76b8e5b9575665d2fbcc9488670aaa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cadb363d752191d0c3264b02d2408bd0

SHA1
2000c598b9988be06b90dc47b71e64b86b330cb5

SHA256
5f987b7314d46d75b0971d9f6c8f674e1b2414f311e8413c0620724bf5211e79

SHA512
ca6c37c139c5527af35f9e03edd333bfb365879a5ae5112479dae0e65a28ed152e34d55f9258950168511405bf4a821b75bfb6af188d7c2c3bf442d16719743b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7e9ccfcde3fc6767e01b0f99831ad3d8

SHA1
77848f565da403024f3d32945950d6e1c7843a60

SHA256
b4f172203ac043b21279263d76320b67f6da56e4e2f63a8e6f1043b910ed3344

SHA512
8d8e0c7ab1b68e5a352be1d6f5f066f6492abe9b5921170583026b751595bfee6c16754ffa40d43dc137bf98643d82ac8f8a828f478428403bb2c1a2fa0d6a61

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ae6b691d68a5bf86085387ade89a1889

SHA1
258ea2910c1fcbed6a8efe72a8f3f2745af397c9

SHA256
7283e0bc68414beb7162e4a2a94971c60be3b976e83c2d9c9e3be030c0ca6e11

SHA512
4b4d5e4581897d771877bd297e3456738cccfa7dc51ce36a00640181c65f347f5ef9fea9786468b0a0edb56ad48b04338519c2a3efe6b82cb81e834534d5ef92

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f6efb7d4bc3a05adb9f9321113d84fbc

SHA1
3801ed7b6b5044f2ee62ba9724c38792194d1874

SHA256
2711f9768d8b13ff5cd0758057ec706ac8662fa35d8d05a87890fecae90ab02a

SHA512
07a910f6ba60d94bfda585d6c387814d4129f744a7a702cbcccfb054dd9642968b8b75d803f32032a75bb338d1b91c0f6bd907b1ffd61c6d51d370789b333646

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2659be4c57f1c8b2bf8fb48cf5c1908b

SHA1
386eb28b167e77436efb42f4c4e7b32e557dc22d

SHA256
dcbf7a939ef29d0ca245a312f05ae783c22f037b2145cd8098ad89dc7193a8be

SHA512
e5c0cacb5036b6d8732e1cedf8ccd18db88578ee8e0037b2a2e0a156bf3f97fa1d279e46ad2e73fbb7d647caf83349d40cfa5ee9608a93a60051e9e921929d7c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4875c93cca28f0041de1ec45cd6ec769

SHA1
eb9c1600b14bf878a4cc1eaf4c7e3c01e36a4aa5

SHA256
8bc620ca2ed175dbce17dfc35bf50fb6ce65be3dd7fed1f72e393d3de327700e

SHA512
283d4c4b428e1453ed0f7e0d3ba8bdede7a429486a453ac790607d353c36582194924002993a754ba6f754866405dbf4ae17cb7ac9636fc3891a0710b861f4e6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6feb3e20a99d7f87d372b64d6801a580

SHA1
85ec4939b49184815b5f8ed26304dbae9497c958

SHA256
ca6cd2f8c97980bc2bb249ec5f7df645e4e080c7ae2dfa4c4994e35327ea08a5

SHA512
d86377bb4fe33c7e53885e68fe9f43dc5c67f546abf670bb46f2987103853facba5717fd29540f06c0e6fb6ed769eec2c84d8b3fccc322913be5e4e6a81b7b6d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a41108b5ddbd4a23d0d2514f250da6b3

SHA1
9a9a9973d8333b40b1eec865b96665820a5e811b

SHA256
4d0e79e2c03a9b07f9665f9b2bfe5f4cc6c812f00a9d33aedc7bb8bf193f96f9

SHA512
e683dd9fe330cb6b9b19c4eb12b1dc41fa90340481cea6ea65fcbfe101bc1b69f2f699dc5615877b687e5f277248131957ee91098485c47f8799c56a1a0b1bc0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
267f8ed4a0a9838da854a8774c6f65d7

SHA1
9dfecde326ffe6174141b90879e0c1fc67e3fed7

SHA256
ebc560722f2db44fdf76d7d4012435f915d06383ecb2a4a82d0ca15ffb918bb2

SHA512
6145e47e40f349274a2b8b008405f7b357b45c35d7dca27e15f53c56ddfaf3e8dcff708455daf0397e39d6e9b3766ab58b329ce17c516a9047ccbb585f89dcf3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
79ccfac118200d83b8816eb4e7e1fcb3

SHA1
b14ef04266e86d44103a20d41fe1b27e3cc996f6

SHA256
a9f8c00a9523cd1f6a5d2879bb69b72df8b66de18d56d79d34e62e118cd6bc48

SHA512
a451e075af7d42211b4d69780b39f2f94d0cb8480f2c40b14717d713e449d71f00ef5f794a3f877e8a21a8e4e4b213e985187eda4c1dc3908b4fbb59a5c615d3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c6c3d29e29ed19bffd2af35dca83d493

SHA1
c2b79de0104b4dc4d2a793a25f560a18ebf4a499

SHA256
9e2912ef01ee7bd8a0883b5a0fb4c2304d92dda2798c2823d0a7c0fd267eeeeb

SHA512
e2cf3cd10b5ad20a55bfd059a2de9138e01abf492c61a481b068323cf124c9658ce138f1efb6c8052d622b4219034514f2395e2466dc484863b7bbfe7ae65432

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
71ac6138482fdd49174d0b37f30d7567

SHA1
680386253ac1d57b44c72ee5cb67796faef03151

SHA256
ed4781c139686745e0eba162c6eae05ac0ad442900eb02e86c96b9aff98d8f17

SHA512
b1a5ce3d45e87f652dda869f54c3f1113846cffecef025767c6d5f6534894f8fcdd4338dffd3fb34859d302ee8be96bc4b8c7dcf156dbd833bf2b51a6a9087cc

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1028\LocalizedData.xml

Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1031\LocalizedData.xml

Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1033\LocalizedData.xml

Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1036\LocalizedData.xml

Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1040\LocalizedData.xml

Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1041\LocalizedData.xml

Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1042\LocalizedData.xml

Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\1049\LocalizedData.xml

Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\2052\LocalizedData.xml

Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\3082\LocalizedData.xml

Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\ParameterInfo.xml

Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\0be0c9257d7f0d4497ccbffc\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/344-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/344-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/872-353-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/872-240-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1112-624-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1112-289-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2212-633-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2212-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2276-228-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2276-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2276-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2276-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2312-181-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/2312-0-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2312-7-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/2312-5-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2364-628-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2364-292-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2416-591-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2416-276-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2552-635-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2552-375-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2704-176-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2704-141-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2704-139-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2704-154-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2704-147-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/2764-120-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2764-90-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2764-51-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2764-57-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/2764-121-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2928-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2928-288-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2928-125-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2928-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3012-326-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3012-206-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3224-362-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3224-634-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3228-328-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3228-629-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3460-230-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3496-374-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3496-627-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3496-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3744-183-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3744-184-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3744-303-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4332-330-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4332-217-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4556-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4556-243-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4556-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4556-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4900-91-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4900-272-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4900-92-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4900-98-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4972-264-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4972-540-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5052-312-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5052-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download