b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Size

6.0MB
MD5

628f10c9490702a5274eee546fa343f4
SHA1

12f29ee64d46db497537058ec9f5c09cf79078ff
SHA256

b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2
SHA512

8764e1ad95d719ec3f59cf4a6c6c7244fe58c38af9e0313ef5534db9956ee56e405c5511a2b59c600240406588dcf0e9eb8499112942ffa90940b1a14f23741a
SSDEEP

196608:t7wqheSVYK/bua/BlWWnuVhsus8nm+q4cQW:t8qgSmIbr/Asb8nmFa

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeSetup.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4304	alg.exe
1724	DiagnosticsHub.StandardCollector.Service.exe
2052	fxssvc.exe
3848	elevation_service.exe
5112	Setup.exe
1160	elevation_service.exe
116	maintenanceservice.exe
3604	msdtc.exe
664	OSE.EXE
2288	PerceptionSimulationService.exe
828	perfhost.exe
408	locator.exe
4412	SensorDataService.exe
4316	snmptrap.exe
1736	spectrum.exe
2184	ssh-agent.exe
1940	TieringEngineService.exe
2668	AgentService.exe
4068	vds.exe
3836	vssvc.exe
4708	wbengine.exe
4312	WmiApSrv.exe
4612	SearchIndexer.exe

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

5112 Setup.exe
5112 Setup.exe
5112 Setup.exe
5112 Setup.exe
5112 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbengine.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\vds.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\alg.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\msiexec.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\657e4738b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeb4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exeb4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeTieringEngineService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be19b13bb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ad3533eb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c48ac93db6acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006542e53eb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6445b3bb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058b9703bb6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ec7ff3bb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6d6f63db6acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e64fd3bb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f209ac3eb6acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Setup.exeb4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

pid	process
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
5112	Setup.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeAuditPrivilege	2052	fxssvc.exe
Token: SeRestorePrivilege	1940	TieringEngineService.exe
Token: SeManageVolumePrivilege	1940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2668	AgentService.exe
Token: SeBackupPrivilege	3836	vssvc.exe
Token: SeRestorePrivilege	3836	vssvc.exe
Token: SeAuditPrivilege	3836	vssvc.exe
Token: SeBackupPrivilege	4708	wbengine.exe
Token: SeRestorePrivilege	4708	wbengine.exe
Token: SeSecurityPrivilege	4708	wbengine.exe
Token: 33	4612	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4612	SearchIndexer.exe
Token: SeDebugPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeDebugPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeDebugPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeDebugPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeDebugPrivilege	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
Token: SeDebugPrivilege	4304	alg.exe
Token: SeDebugPrivilege	4304	alg.exe
Token: SeDebugPrivilege	4304	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exeSearchIndexer.exe

description	pid	process	target process
PID 1620 wrote to memory of 5112	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe	Setup.exe
PID 1620 wrote to memory of 5112	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe	Setup.exe
PID 1620 wrote to memory of 5112	1620	b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe	Setup.exe
PID 4612 wrote to memory of 2028	4612	SearchIndexer.exe	SearchProtocolHost.exe
PID 4612 wrote to memory of 2028	4612	SearchIndexer.exe	SearchProtocolHost.exe
PID 4612 wrote to memory of 1896	4612	SearchIndexer.exe	SearchFilterHost.exe
PID 4612 wrote to memory of 1896	4612	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe
"C:\Users\Admin\AppData\Local\Temp\b4f6979d9c3c04c751a54a9677d93e9b82ad316c6c2c78c13bfc642a8c215ef2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

\??\c:\d730f38559599de0796519aa009fdd84\Setup.exe
c:\d730f38559599de0796519aa009fdd84\Setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4396

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
2⤵
- Modifies data under HKEY_USERS
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8b0ba4226ddd6eff0041103e9651321c

SHA1
958192e7afe212fd7e3a7b386496873493f56807

SHA256
db2c152545138d2236c78ec8c5ff0d0bf1614ff52ff88e80efed4fdd0f3d1591

SHA512
d9074f03086ce7387192504034777639493840ea0e076b502fdd25c88cfa376a193c2b2e1faee2f7566c00d84b6b6d1626470a833004fbc55fa6e15680f35751

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
a68e5a44de6a0737a794a3343e6a8581

SHA1
46eec80bd774509cdc5bad6e809a32c195e820e0

SHA256
0591117a11036c7f92a75ee72e750f99f7af01c650ba08e8c6e06e3c74cbaba3

SHA512
506f9bec91052be720ef72f6dbbf5ef322baec8acf6c5949ae0bd0a702daae0c33528b78a867258b19671c2bef09c18933bcaad5966afc06d3ded90ad7e7cd74

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
eec2301d773932dfc618f4bc4c9a4f1c

SHA1
4d57c1f0b7881c79787c635b7c0abcc8a5c081f4

SHA256
df53a13861b9409ecc9fed89958ee85e4cff4f7376d012b550491f4ffa5709e1

SHA512
a767cb693104fe51d165dbeda079c7d950c5114586892a981ae60c4747112c86d4e59d2a7b13055d6ade7ea7cd6c6e4389419d64bf367d4307ce98cbba239101

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9a7ecf68839c2ea7607caeea1d5a200a

SHA1
499170428615106b71eb1ceee0cb9fadb660a44e

SHA256
e6615b12c79b4baa967c53d2f1d8f197b99c455796a2574579afdfd0fc1ccfa5

SHA512
db65a7c78416c0463e991cf3b484aeafc336f944553c39c3e3d28946edc5f6f5b53aed83e582de7b0014276a363b552aaa9b9c4299d97336727567a15d3cca71

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d412461b3675139d949bc208db4a0f36

SHA1
638912ee555ec930efeb2349ec931b6cf516f38d

SHA256
675b6ef73575479b5005ced8e1342f5fa2d494d2aa19488b6e4d45e090d3f356

SHA512
dffca5d83fa81a7f9e7530f10a507e26dfb840a967cfc68219ed5a4e8d9cf11b5f3951b3c81a333ff3e7993b7cca89944a41d9d8fd5c9d80b488e9df4bf8ebb2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
0b231e9b7ddb44a0a83407ac1ecb7b04

SHA1
ae7059767ec890b8c0d97c2aae31206fefc0c821

SHA256
e68978270bbdd6dfa27481a4217827b374276f69c31379990ac1bccee364c997

SHA512
374c5bba90f1dd445d9f290aaa8b01a175d21faeef979b98c19900043ec4ebaa7eda2c147af7ea9b849a42af12c5ea2a39f318ca47cc4015c72fd088c16c1731

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
26aee237a7dde06870f74508399c86ba

SHA1
e32435895f056c1fb78524249cfb899a5206211d

SHA256
f86a8d9b074279d402e973911d2645651c3bea1b27da21c0cbd3012f219a4a45

SHA512
55023c1a7d92b349ff359b34214f5525a02c2eb1185080ca3f9b135c0d2408ee51fd9df9631bfb2d59974a19bc4856aa51a3c7ad28d50956c9534158216ada0b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
042dd55cec53af21ece41a443185986f

SHA1
a1b34657de5bba4dc4f0ff2183be673a4d2b7400

SHA256
584673aabc4a6a1e1692db7dddf190006124ad81bdea6d2a06022f18641b2ade

SHA512
dedb3d988ef09f43cc498a0a81f6c9c19fae33567f383757c8504901448704b611a081650765894c02fbec8d322af7660e7601c3c12414037a44bc57f4e4b7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI4C9A.tmp.html

Filesize
44KB

MD5
65769087dd854001dcd0001125b8a483

SHA1
57c7ac90ca6c8ed04ad48edf74cf7bae4e3f73ef

SHA256
b31bf5a421b7162f12b64eb79fd39af5cdfaa793dcd2a75761398cd7811fb9c4

SHA512
1d91900e277e3d6043ce36967fad1be5bbeaa1de3369b9bf896ac8d5e5c6a12c784d9b052bd2a9d4a721cd1df6779c9355a6615322efd489d760f1d398e7f6da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4d2fa95e456092575ef6cf4f79966b92

SHA1
b8d20425ee02e09f473e58be0df74a90181fcef9

SHA256
455523a69c8979415185f52fc7c686c4f4ea02705a7912669ce33dc8b13c4134

SHA512
09a7c6d564f46d1264a7daa7866fa2d89b6057b8aff6c5fb2d7df9ec8cd3624698256ee3c91edae186e2be692237677db368b9ca9e3959542f9b305d8e2ba436

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7579d16de2fea01db0b72f6653e9cdc0

SHA1
58f45bec0b010022e8dce974634519bcb3a1695a

SHA256
6c242241a0149bbe06d434b6aad6ee071ec6ed63810df48916a471a20b474d27

SHA512
d8ac61ab2ea33b2af8c6a5ae0ee04f8f7d69b30e7ff4d5ea62be2159f8c336a8be2fc1b2ca87159d527cd6839cec5453ddcf822c4737c567de18fafc3c8fbc76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
db1db86118b1d72df5816b18242e0a1d

SHA1
969259a9e32c0fa1535e79811f94bb11be3b3315

SHA256
f31b23a379d0073cab6441b699bcfc33b9617a05e6392cc00ade1c390e47b036

SHA512
07a26e758334800f8c7c7377a65d3712d3325e857b663c5c0902f93903927f83cfdf62138961501013240014b6bc669867037edeeba842d85108ec48d8ea2aa8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
510b28f25eec5b83c720b81943d88a83

SHA1
5cc5a501498327d04398ccb999431e90881ae82f

SHA256
ace8d2f5020d8687883afe230220c680e9cc3452153048001d187137ad8c6f0d

SHA512
1acc20a3156aaf276d99515a895010508d0d1be677a2d3cc22eca1246d9b6ec49cf86a3f59f1e70626d092bff033eacb7fd6f39626634027c63cd934610c01cb

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
859f5ef1f39d13c7f6a27e05a3bdefc0

SHA1
0f7fb3e1e6626c065f621f796fc98538241ee583

SHA256
d390334e0bc9501ad7c2f4be68b35e6ffd9919191ba60263186bf57fd3ab975a

SHA512
ffc6d99d7e64e76f0e3db260b31b0da28e0db863c8a82d3fd6f5250d4cb509444ef874841135f432f19b54571e8d928e62d1f4b0cc047abe24e2e1555f82b5b6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
301e3f77330ab87fd042a47c0b178abf

SHA1
916134bcb7d7ed03b30a9e6073ff7e4152b150d8

SHA256
fc0e153be61f0e4ee50f47f0cb08a7cfb0d52aa221b4115c798c6cf768181f07

SHA512
782984ba0021ad2fd74688c15c4a489c70154d9209e69ea23da4de7d7af01f845e5feede6d839c04a4b85ebe5ac0469add9ad24e9959dce2c8b8d00c15267c68

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
db6f74e4f4a3d699112be1971344e1ae

SHA1
f9a3ed3befa160169deb70cc6e017eb8c1a34dff

SHA256
51434d7d6cccba3158a9efd45e47225a07f5dfda1e6dd8d08c5fc68c7621aadc

SHA512
35bddc248fe2733f9067173918576ae55552166bc1b02248207b47d815f6469a0d372c63f789dcd6cad366827a2b0acae45ce456ad54fedf9898ede76d4535cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6fbd5c0aa8af3578ffab82c70bdfd97

SHA1
6b93af2bcdb915655b24dd2712abc5b54f6ca7eb

SHA256
0159bd1cd6509a8a2e54c79f6e55c80c2d76fbc6275b61bf77597f61ab9bbd54

SHA512
46bcc28213e4f88228df758a1ced093bbce808ca94a5601c8d01b274d72e98bd42b5144ae555945ca7ef73e2c757003ab013518736f80a6376bb9a1bf543489e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7110d277a928365065f7f51cd1e4b435

SHA1
3ed895d542a2d7e175d1fe9189ffe25529a324ba

SHA256
7e1c2cce811656be0000b756a33584a5c9ccb440d7ff8a4d6e3fb362a4b26d7e

SHA512
c4a808a524477a38bd225edb801c7afeb3c0626db7634ce99277e008d6c4e90c16d39db891e0e0e8ce3b6572f835796475526da4ece0aefe4117a53784a23e7c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
04a4e9b632dddc9f4f44100a5b6f7f14

SHA1
8ff21aeeeee80ec9385d3ce150cc1416152efcb1

SHA256
2f90aa553a1adecfaebbc23de5e0039c48788cef12b580cca56b2295ddb29f56

SHA512
e49b27467a3b0769b6cf2c2eec71999dd7181a2c760378f583ca99b9b14f986e71d0ad7522ee8800ee205997c79a12ead0c41b445033c8887030e21f637c6d51

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
5d35c42880faf3358e7feee702be7d0c

SHA1
52e569da5b914923ce0a6f2b5e6f2239a19be43b

SHA256
bf77571004132981b94c0df7b6b553699a1c1946665e048803eb1dfa8504a514

SHA512
5226afba0df08dfce0482945e2077137f13a3c16405fca1fd8b38cc35b53e9b6880e6503a8f73e0863b56deb6bed7ddc2f6bb5637a33620c397ef182cfc4d815

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3a22c1bc5964049f59b7cb3ad740690b

SHA1
8e7aea0309440c606c1f1222a9da79973c355f61

SHA256
9da44961220a1c2648f4c0295bc8d161a10a8afcdbdf5007efb498ead08f6e69

SHA512
20e944c299a49b2179ad18d096532bb62fd5381dcda5171abff058c97eb30f6156619914f0fbfe11de946697d32504a9f332a6b9858cc8035ca8a09511291b1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b3f2252831f93cd1a0ae0a172a3454f8

SHA1
461227e9dabf12955b8a32a13b8f5a3266d2a9f3

SHA256
1fc646956a774247df5dc69b01d2c99870dd3654b29ade84167f6faf05808f05

SHA512
5086f79c1579e6a52b02fe65d8a43a6da5a8b58ab13b6fe571f9c85ca86a4ac9b044b2e373c0c6b69a66435f0dd9ee08820a3393942c65a4c7009e1624ea120f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
57538a0b669688714c403cedc2d12b01

SHA1
203320d5fbb26bfe4a28e6ffe31fa5a1a6ee306a

SHA256
15bbc6a93bbb2799ee8a22bbd8640d2b1054f3780b24b6ce1fad7d0ac67aa150

SHA512
dd6afda9318b92267da0bc7eeceeb6287300939293d4d6956e377da65fa16299b98299c1a997f0bbc94d9b0234ff35b0e212d2a28d93cb624b88c342345c99ef

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2c5b9b9d33e803227be7ed05443a4d05

SHA1
5388beeac209e26123b2e8e11dccb887fa543a94

SHA256
45996a3e7b450f30041a4d41175e0c4ad21736b7f6ab1c8ddaf9895b3b8c9f7b

SHA512
b776fb6eb3f503a69564955a3c1c672a6191a8f9f8d90ff896c43ea1a379bea2872df36cb20bb8a45eef8aca93f524656e462a46f192adb331b4904e1902e73b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a7b33b36855c8eebb8e6bf58af34d975

SHA1
c3973aecb75433280c9be9e6c8c850db755c2057

SHA256
fd57e2bad868bf95657c5e7cfa9269baaa9a46665ba81f08c15fbf326ca958fc

SHA512
4dbe0ac4af1ce91546da10b799c16f933b4fe9869f847d123823bf5d6f88f8334026b60caab0bac4f6b1f38bed0961a12630dd8f5280aa4fb7da7cf7e6dd3cf6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
57ead54464d36eda37d74350e8525f25

SHA1
29484caf6dfe77aacb7dd4760c0fcdf250c8304f

SHA256
35eeaf2a6474db4a49cbaa0fd49238005f1d463debd7cbf11d6828186cfeacba

SHA512
bff289d98242dda4831592665f5cdf24128638106454ffa10a90d45fb283fbff318702c80d82295e7625e1611b986ecf5105cab11e8319d1ac1c3cc51fead38f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eef048aeebbf1e243eb574e9b1ae95e3

SHA1
ae932eae0beb31b680c327dd1dbfafb5eb34410c

SHA256
a107fda98319ee49a8ae7c911d0dc9a0a65ad68dd9c67858622bb08a3d0fdf57

SHA512
12f7e8778e948ed1f1a8c750e0a8177890d234559add83ef413c754a4ee6dde786e42634ebcfe85af12db2653f9eb73dcaf72a2274f0456b183460903507b9ef

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd148dc5554c6ef6d683f5c427f3df16

SHA1
3a5780cc52d156e4c4dad17a7f09ea867552228d

SHA256
28209336006488a09172e8f6e146ed161b7a52de272466a431404790bc4ead64

SHA512
237c7fd74e2ed64f810e13670fc09ec5c61a3ec4191f3c90668fff8e4bdb0279216ce7784a97b5883b3fcdcbd4ccd1ecaa023626652e0c9a07870f9589919147

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b663eab6f684c0c2359bb65c5a860faa

SHA1
e96c6a3ad66b37cdcdfd3c1921a0e4d42defe7b6

SHA256
939cbe63e3176665662e24a49321a5a909c362a3b6420cae03f5e5492563e411

SHA512
452e309eb8a75f03181dfd589a20ca4726f8a31b12113323675e87a810bce53c39987a749031b50f49f21f2b4eec46a0e236044b188df2e88fce10bdeb1665a0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
cdc58a318b2b4cf6ec9e934a12f1110d

SHA1
49f3ba76b3b62f4f314a2f6b7bdafa20e9b6b8e6

SHA256
1652f38b3017f7a738fa47df942f987a68600bcde9ace9f827078e0339dc74a4

SHA512
c21d534a2409a4e4d7e2efe7fbf8b8f8553a0cc6d1c5866ed58a14cc31f87c0e9c9d3d8fe97cd039a76d033677975cf51b26a0eacee2c8e622bf76cf95292ed0

Download Submit
C:\d730f38559599de0796519aa009fdd84\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\d730f38559599de0796519aa009fdd84\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\d730f38559599de0796519aa009fdd84\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\d730f38559599de0796519aa009fdd84\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1028\LocalizedData.xml

Filesize
29KB

MD5
12df3535e4c4ef95a8cb03fd509b5874

SHA1
90b1f87ba02c1c89c159ebf0e1e700892b85dc39

SHA256
1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119

SHA512
c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1031\LocalizedData.xml

Filesize
40KB

MD5
b13ff959adc5c3e9c4ba4c4a76244464

SHA1
4df793626f41b92a5bc7c54757658ce30fdaeeb1

SHA256
44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b

SHA512
de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1033\LocalizedData.xml

Filesize
38KB

MD5
5486ff60b072102ee3231fd743b290a1

SHA1
d8d8a1d6bf6adf1095158b3c9b0a296a037632d0

SHA256
5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706

SHA512
ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1036\LocalizedData.xml

Filesize
40KB

MD5
4ce519f7e9754ec03768edeedaeed926

SHA1
213ae458992bf2c5a255991441653c5141f41b89

SHA256
bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31

SHA512
8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1040\LocalizedData.xml

Filesize
39KB

MD5
fe6b23186c2d77f7612bf7b1018a9b2a

SHA1
1528ec7633e998f040d2d4c37ac8a7dc87f99817

SHA256
03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a

SHA512
40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1041\LocalizedData.xml

Filesize
33KB

MD5
6f86b79dbf15e810331df2ca77f1043a

SHA1
875ed8498c21f396cc96b638911c23858ece5b88

SHA256
f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f

SHA512
ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1042\LocalizedData.xml

Filesize
32KB

MD5
e87ad0b3bf73f3e76500f28e195f7dc0

SHA1
716b842f6fbf6c68dc9c4e599c8182bfbb1354dc

SHA256
43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070

SHA512
d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\1049\LocalizedData.xml

Filesize
39KB

MD5
1290be72ed991a3a800a6b2a124073b2

SHA1
dac09f9f2ccb3b273893b653f822e3dfc556d498

SHA256
6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c

SHA512
c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\2052\LocalizedData.xml

Filesize
30KB

MD5
150b5c3d1b452dccbe8f1313fda1b18c

SHA1
7128b6b9e84d69c415808f1d325dd969b17914cc

SHA256
6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2

SHA512
a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\3082\LocalizedData.xml

Filesize
39KB

MD5
05a95593c61c744759e52caf5e13502e

SHA1
0054833d8a7a395a832e4c188c4d012301dd4090

SHA256
1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1

SHA512
00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\ParameterInfo.xml

Filesize
9KB

MD5
03e01a43300d94a371458e14d5e41781

SHA1
c5ac3cd50fae588ff1c258edae864040a200653c

SHA256
19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a

SHA512
e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\d730f38559599de0796519aa009fdd84\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/116-149-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/116-155-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/116-159-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/116-161-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/408-231-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/408-352-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/664-209-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/664-316-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/828-227-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/828-340-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1160-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1160-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-310-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1620-0-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1620-8-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/1620-7-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/1620-223-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/1724-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1724-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1724-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1736-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-545-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1940-641-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1940-297-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2052-139-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2052-70-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2052-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2052-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2052-64-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2184-573-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2184-285-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2288-328-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2288-224-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2668-311-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2668-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3604-190-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3604-308-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3604-179-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3836-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3836-660-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3848-97-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3848-296-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-108-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3848-112-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4068-317-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4068-659-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4304-230-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4304-12-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4304-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4304-22-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4312-665-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4312-361-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4316-481-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4316-262-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4412-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4412-250-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4412-365-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4612-366-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4708-661-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4708-347-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download