f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75

Analysis

max time kernel
146s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Size

5.4MB
MD5

7c7c0464de76a57632f01da222422de3
SHA1

4acc1c1a20c9a4e354d490a7cf189b6371ae4d5d
SHA256

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75
SHA512

c7e6c6e0482b2bd4137f081153c9de34a3cf9768512dbe87347a75f632904ad7cc0ad170de6e1eb7750b2824fe22d53d457cefbb115005e9b68ac89f46c7cbff
SSDEEP

98304:tuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0:M7wq1W6HqULS8djZDTaNNeCKVP5ORsg4

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeSetup.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4380	alg.exe
1480	DiagnosticsHub.StandardCollector.Service.exe
4364	fxssvc.exe
4676	elevation_service.exe
4212	elevation_service.exe
3228	maintenanceservice.exe
1976	msdtc.exe
4156	Setup.exe
4628	OSE.EXE
2700	PerceptionSimulationService.exe
1280	perfhost.exe
1096	locator.exe
4164	SensorDataService.exe
2136	snmptrap.exe
3684	spectrum.exe
3768	ssh-agent.exe
4632	TieringEngineService.exe
4748	AgentService.exe
3476	vds.exe
2824	vssvc.exe
1120	wbengine.exe
1124	WmiApSrv.exe
4356	SearchIndexer.exe

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

4156 Setup.exe
4156 Setup.exe
4156 Setup.exe
4156 Setup.exe
4156 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exef5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\locator.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\176d98c3b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\System32\alg.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\System32\vds.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe

Drops file in Program Files directory 64 IoCs

Processes:

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeTieringEngineService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008078298dcdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046f0a384cdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cbf46584cdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054df288bcdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097e8c888cdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6db1a88cdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f73b388cdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0adbc83cdacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066901a8bcdacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Setup.exef5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe

pid	process
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
4156	Setup.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeAuditPrivilege	4364	fxssvc.exe
Token: SeRestorePrivilege	4632	TieringEngineService.exe
Token: SeManageVolumePrivilege	4632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4748	AgentService.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	1120	wbengine.exe
Token: SeRestorePrivilege	1120	wbengine.exe
Token: SeSecurityPrivilege	1120	wbengine.exe
Token: 33	4356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeDebugPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeDebugPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeDebugPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeDebugPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeDebugPrivilege	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
Token: SeDebugPrivilege	4380	alg.exe
Token: SeDebugPrivilege	4380	alg.exe
Token: SeDebugPrivilege	4380	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exeSearchIndexer.exe

description	pid	process	target process
PID 2384 wrote to memory of 4156	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe	Setup.exe
PID 2384 wrote to memory of 4156	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe	Setup.exe
PID 2384 wrote to memory of 4156	2384	f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe	Setup.exe
PID 4356 wrote to memory of 4124	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 4124	4356	SearchIndexer.exe	SearchProtocolHost.exe
PID 4356 wrote to memory of 3500	4356	SearchIndexer.exe	SearchFilterHost.exe
PID 4356 wrote to memory of 3500	4356	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe
"C:\Users\Admin\AppData\Local\Temp\f5cb7457cdedafd61dae3f9601d538f03bbf16a0f3c4f1b149a5032faa03be75.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384

\??\c:\5a6d094bc9d83a0fdabcbf\Setup.exe
c:\5a6d094bc9d83a0fdabcbf\Setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4696

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1976

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4164

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3684

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:684

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4124

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:6012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5a6d094bc9d83a0fdabcbf\Setup.exe
Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
32a1e76ceab040238a1b165cf1b1e225

SHA1
b7691e46d5cfa391d0241e6cfc546bb268c51f40

SHA256
3c55b697d320d9f25021d160515218e1000515a59fd2e6545647f00465fc4fbb

SHA512
565f94565c87b93999e1aedf6aac20143bc5093d8bc30040497227333680da73b53a0e8868f35dd894eaa922e699ad6aa393d537dbbc9956eb76531d2ecc9724

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
bba1e4ff18f23e027d98bb74bd944480

SHA1
9fd156c62c8f4827a49eaad553e67bf0b42402ce

SHA256
c828ceae5032cbaecfc561ac1c99ec93057c179fe00d4ae7b5291bd2506ea46c

SHA512
fa92eecec1f47711ddf70df36e77fd40933deaa0956e306402daad51adf00129a00c77e46507293f2e832d85ab53727fda73831aa6ea9113586c5c6e2802b1cb

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
d7846f1d9d08e0308aa529e130d2be07

SHA1
8625c0211e34d02fbfa6f151a26f323c6e032190

SHA256
e9218ed248339387e2e7760947d1409defa3b8952d58b2f3d9898a9164fedaac

SHA512
59b4d311d3b0f1f2f09fd386b77e6580fa31b01a34cfbca7a60bf662d98b9bbf49fabb88fc52333fea57578665e497431c9258c935dc1d6e7ace4f4279af41e2

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4699fb5d8b4cdaef767c8d96011a55a9

SHA1
b801c6388bac3b88f5b27ac3d0e0aa8b55fc8bee

SHA256
cf6f0e21dfa25c443dfc3a075474fc32f03574c71133f65f13bf2d86036eb6e3

SHA512
93bc671c28488c188a8f7fade36b641befc1a6bb86f50bdef4b41f4ed7df17489a505b0d809622fe60f7088a68c4f21fdd544d169cd8b45b43c1b215486d3fd7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
34e0d11064b4fdd457187899eba3c603

SHA1
a9ee60f91036055330ee16c4b68d6c0d8d19cb06

SHA256
76073ffa9c2fd77f5d257948c06985d79e23216a2a2896871a4bd81500cf1cd9

SHA512
1e2a555fc58b6057914683a668c1975dc6a8e970550075ebad2c1b3e1bf5c3dbad8b25c5b9929cc10f919ab6689e6a40e9438242056b3200aa86af337376274c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
9ee450790622d29275c96def2a5bbd9d

SHA1
78fa159c4467449a09dd4efdb477085e95407fdd

SHA256
82bea2f0b2c0315a1b4427d70af066d02600e7774ad68ace8f072f353aece76c

SHA512
96c0b2ec4ff6dbc173955612d2facf579bff04c3b86645b635a178735eb563be832e256edb9c045caa7eeae7041c9a16228a77bd302848b1eb8ded86412450a4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
1b5a35dbe1046e4e82937b7b2e4b9211

SHA1
e268e4e0b14df34ceaa2922bd1e534cd0f57b80b

SHA256
49800e8351309ec3bf10014c539c5dbb51a274a22efc9416bf66e9d836a0306c

SHA512
319a5c604434516d0cf762ace236512c41349554a61d3a16e2f13ca302ea1cf67074d0ef306e617cccbb810377cedfccbe25c44f0799e4af6afef587fd1251ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI3758.tmp.html
Filesize
16KB

MD5
5ca73ffd7e86abe7e296b28469c5a696

SHA1
d4ca29a560e7b9acdca0c73889625af2036be45b

SHA256
0f24e0d6d36de4f39b4ae115ffff2cc66fa32317de01db745ce7bfbaa204d7d3

SHA512
ac75b2cd0d48d8769b6aa474a6903f14d562d821ae118bea4cb01e98ba7d15c5fd470205e1ccc502086ab733e82882b7023861d51b69e87ef22b36ad630ed837

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
e4cdeffbb2cba8f23e0c0e4f5288d9c1

SHA1
49282e46cd5f50c9208a29e1ec15e2e8746f0ae0

SHA256
48b4357c3ef517edbad894790c2a3e75304afe6a8e827dd3a78ccf1c994af0f0

SHA512
3bb487116bcc2a22118996899d143a85b2827e6a079f3fe2581bf5ecdc49e2bd013b267799530cd0443dfcc6c2c320ff993b87f4ff2e34bd74485eeae26aa5b3

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
4cc87698f4ac5e9be161bdf341a0f7a4

SHA1
8d42390a6affa02a045f5001f8e7dbddbefadd1b

SHA256
ad525933526d5f8cf769d6d0a59f2400486e1e2bc4df3a580face8438e6463d5

SHA512
527dfc299e11c70ee5319443476d34be2da22c7f48e08687f3522f6819dec11c4608730d0a16970b5536a22127373d554b2e273ad67c7cf18f1a3dd686b812c4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
40b0c9353d07cfd3dab0b6ea9f8755a1

SHA1
bb6a70a13e846061d0118e23d94604b770738901

SHA256
8962474439e310e9f295f8c5952f92ae1ea5797508a7d6ac25160a1c84874014

SHA512
43e4b7f2794805af55bb8f3a7e2befbd00af4042ce0c2d15b11e11ecb79bea599278d38d8b1271ed44d9d53bc01fcff737b1135efa43c1f4e17ddc2b1b637f46

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
9dd745b5e3ec069b5191cd272180f466

SHA1
62b70dccd591920c95eab32c76be02e55891e4d7

SHA256
937b763e5886702acd7ee6d41e4c05a946df003eb0e89fa65acc7abbe62b705d

SHA512
daad6d03529af2e897e4867f4df06a451930dd44afa57e5467f70a8b3fe4d4b56a10203bf49f6b87da3f8ada84a54dbd98b1f8a6df9f6d3df9d6e15ee7b676a7

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
987a99f29c2a438b64e569f807c0976b

SHA1
90a35cefcb71bfd68a9f23a6970a46bc00ee91b8

SHA256
9accba19a8dee6d06c26c6fc93a147f46e899f1ee35db027d88e23c7a6d24f00

SHA512
f941505382a45585622799cc62d6142ac2937d8cd51417e29809c6a099574d29888164fa6cb1cabeb1730c5d795005a1e53162230904d0f513b49f576f73ea72

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
adf2dafaa07e8f5df2d1639510ae0804

SHA1
1cc3584088e6cea78bd9d0e2a1ebc3b18f7583b4

SHA256
f5b71e66cb7000ad4504a6fd92a08fe5ee4534c44439af31f19a841b2a559548

SHA512
4afb372c9be3ebe34bf6d5cf72451f3191cca7556238844cc4c2e8af232f56709e243d73df852fad5cdb8520c2faf023f37065d95ebe5f7a4f72422619adf9fe

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
e18ed373767a7474da80d16293644d1d

SHA1
6800256dbb715dd8121527da68c6b7d34d744cd9

SHA256
5961d397634c2ec53583d0102d01698974fbc037d2f56eadb8d14f88653592b1

SHA512
dcffbd7631c6fab5856269356064493c8698ad0e97ca2ebb034151a4dce94d24a4302bb2adead5742c9497367716340a9b7a91e1e50d26305286607db8ce9598

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
e09754155f9fbf0ba2607dbfb1408637

SHA1
9859ed971c06bdae890eded44c14fc31c8e2b290

SHA256
688f87d1f346305714b89f62017588393b720603a592feb0178b413cd6dab1da

SHA512
29a7d52fe023f4fdb6bbb0fd464b608a82e1d65954790ceaea1c657983767a37bc3c51bd38a57d28a5319c6086862344cb670b3a2a654ffc1d6f1ff99644e768

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
182b13da83c0ac7e689eea0a0d574306

SHA1
d3162768b677f2eb38b6c63cd0249670d8747b4a

SHA256
2b68b8fa14cd492c8fd7df1d3c2c81356a2ac730a0d91b2a53dd34c4f017a037

SHA512
d6e52af1958514309da7adc8095c855b1dc8fabcd9ddd4ae0949eb6d814c3b3c831e0f96aa1003eb7dfd87b712654fdc9dabcf20169b6f2d7dcaa4501eecc79e

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
afb0a7bb06da5e910548c25bc9a4a0d6

SHA1
5753bc4212b823c9eb14be93eaeff49b80098378

SHA256
0bde61b909f3de77c63af9dac592f0fa9687887556a7ed49ecac65e1e13c9037

SHA512
4120d78d57f3fde1fdaa162af686295dc38e4160aab8d27abcf4ddb887454b5a716ad2c9e36ce1d7532efd5e4df14003448c723262ac5eaae1cc844c640b98b4

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
c131051147407ed10f3f22fa08702f8e

SHA1
407d816e7b8f00c29ad828d5b7acc6e642f0d4bb

SHA256
8e4a5b90397b1a22f110518c49992fb95c615ce5f4b0f5fd15f40b5e62ee02d6

SHA512
4122790073ebb837017c90b4cafbb594c0cbd1ea9b1947241712eb48f6ed89123ded3d8f1b85124c06e6e6724700b62a80023e4851e95f50ae58bfa6550db096

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
67a6bca2784e774485c6b8311c91efcd

SHA1
94a1cb882994905a1194c2d743326705a6630929

SHA256
9a59049ce217639b24c4e6c280118ceeb94435e1a6c351d0b549d5977e8787f2

SHA512
3919c5660b6d59662eb83346bd03414121a6b21bc4a58899a358c69b47af35e6c758b641522e2cc8eedca820ef719f4f701f33539c8bdd08823b3737683b091c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
6740813b73e5809e5a1938690e1cf9a6

SHA1
0d22fa342ab1acdec3d47dbf5384faf09282631c

SHA256
6c93dabe94b2d44bafa0b5228eb0bef53f88e99dce34bdad9bbd49616c73529a

SHA512
f177cd864baefbd17c357f2d5af5491393ecd2b65330e17fc2df39d0bfbc092a1fe6fdc3990bfeb28949dafb0ca0de3e593b9db5d590ff30bc2bcfeb52866361

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
3d05c66fcd1a6c51d6b9684a93057add

SHA1
e380152c71a832a3f1fcd1c0f0ae00fa0b3539fe

SHA256
2d37ccb8fc9a8c39842ecfe8f83d3f42045c7365b62ef82f74a4b5897c5ddf1b

SHA512
4306c2f9a2b64cb8c019cadc62e56411792f98bfcca21ac751576ffaa87d85894d074a8fdb0eba5ab2f8e3c79d50f060d819027f6f891c81665bb1f229e1a1a8

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
d3191b4cf25b29ed73a0907db208e71c

SHA1
b2aa7fd9f1c03cc4324899350f8b596391d8dbef

SHA256
b2bc7ad36b5e0f376dbb49e6858205993b1add7192dcbac7571f6d2e57da1864

SHA512
177d7a041cb833f4a218827a8b4efb5174dffe545db143bbab7264fbb4e0a06d6c63515cc5227d03a48254f4630772b03bafcba2014ea570a76ff49b7e4c8f20

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
d3e6c4fa47825489936015f019cfc74d

SHA1
b98eaf870ac6b80d88b2a453c2a06a7682f72a91

SHA256
73eb33dd81636c360c5f8758dd91045488c9692c86387107b0a055f6b4a4bd1c

SHA512
2f0e55e93d24d1aa50921eff15657cec6dab84296904f0b16da77dd6a8cc31538b03e053a325bad3207566984dfcd3f66a9897d2c4b8b6382369158dafe7b810

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
5dc1ec141d2455fe60c698bac6799a6f

SHA1
6d51ee8f81c24bd8649b52d6d6077f93c6340a35

SHA256
2f0fd31fca772ef53eac660ec3dab4147d548330defb65bd8cdc4b5b4633e48a

SHA512
047466b1fbeb0fb892604446c20ac9405e75bc54256ffd48a0dbbc1c82aec62c04609d7e449a8026370527b9c307199744a9d8684f4e6f02346cbde417d4f3c7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8e789dd02dd17d6969f4b7e828660a55

SHA1
a6b6e81e83eb8f2f73fe36d22671b2f4ba25da83

SHA256
72bf07bb2245da4cbcaf7ebe61e0dbd7f488bc68de4ff13bd170f4da58f7366f

SHA512
60eede7fbe372b626afd72c7a5e0c29d8f0536f394e3f0fd0d8f4e04234a05cf1860e1644c625dcc54873ca6fd3059d71d688bff63c8f1db3eb60801110f7ea2

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c16a6a11242429d4b18442bba6179a00

SHA1
adc461b72e73ed1fecdaeea71482c4b0cd61121f

SHA256
9261e8235d15f52b4ce4aec1db0b3203ac1a496fceb90931dc787618e6a96566

SHA512
2486ebb76dbbdc1a5e1aa694942f1c838bfbef8cce657fd2aac15fa7122d81087f3f7662e0249e44f47c87107903272d1b417357daa21ac7ed0b8ec5c64273de

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
ef35765cbcdedcd304ed0b8cf594a9c6

SHA1
3b2474b8ba89fc9d2520eeade713a76b02db7728

SHA256
9156a588dc708323db035620f447c40dcf0e74a381b66c1d7b3f069c53156802

SHA512
7a95bd1c269cd5d645e6b38d8b4fc4d9a9e76bee469b834bb0f79146a0f3b54a0b43caa56ed5852b935a185b7cd13aa41b79fcaf1d5fd9636bcf7533ce64a6df

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
b941248890a58a5d0c1a174ccf698bc6

SHA1
11b403e806f2f71e24406d777013deb279d1892a

SHA256
211ffcf2aa7f0571315577e6bbbeada8313a5249726c84890c0a360d4d7a2beb

SHA512
e9b43c4d3e081d45175e5c38126c27828d9ed99a84d1f289d87b56eb8825a5b4bb5008f4b8570b18c8bf915326f0fc1f52454308927333c032ac56cd09a8a266

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
fb9d2abb61a9d4b78a1146e17b5da3f3

SHA1
74f20c37e19497a79515018bee57e616b3ab12b7

SHA256
f5e87c19d8bb9df4f3c5243b915f48f688b87c5d79d8dc6c0f63fe80aa2d534e

SHA512
7340e4c9668061d563fe1aede417944a29674944c35b940a786e0f04763486f4a1722df8b9c29d8019a68c878c3b0c32244bae059d3508bf57940d728f23618d

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1028\LocalizedData.xml
Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1031\LocalizedData.xml
Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1033\LocalizedData.xml
Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1033\SetupResources.dll
Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1036\LocalizedData.xml
Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1040\LocalizedData.xml
Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1041\LocalizedData.xml
Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1042\LocalizedData.xml
Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\1049\LocalizedData.xml
Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\2052\LocalizedData.xml
Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\3082\LocalizedData.xml
Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\ParameterInfo.xml
Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\SetupEngine.dll
Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\SetupUi.dll
Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\SetupUi.xsd
Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\Strings.xml
Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\UiInfo.xml
Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\graphics\print.ico
Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\graphics\save.ico
Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\graphics\setup.ico
Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\graphics\stop.ico
Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
\??\c:\5a6d094bc9d83a0fdabcbf\sqmapi.dll
Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
memory/1096-227-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1096-367-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1120-350-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1120-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1124-370-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1124-583-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1280-207-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1280-349-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1480-32-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1480-186-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1480-35-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1480-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1976-153-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1976-306-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1976-90-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2136-250-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2136-430-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2384-0-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/2384-6-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2384-7-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2384-1-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2384-60-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/2700-194-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2700-337-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2824-338-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2824-550-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3228-83-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3228-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3228-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3228-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3228-87-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3476-544-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3476-326-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3684-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3684-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3768-284-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3768-480-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4164-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-374-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4164-238-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4212-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4212-283-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4212-64-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4212-72-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4356-592-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4356-375-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4364-47-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4364-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4364-45-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4364-39-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4364-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4380-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4380-175-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4380-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4380-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4628-325-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4628-176-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4632-508-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4632-295-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4676-58-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4676-265-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4676-61-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4748-313-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4748-323-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download