fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Size

6.0MB
MD5

7a0e0387719130d08a93277e967635cf
SHA1

bf4d4dd666b71b9b2dba70e8be4c9eae886901f7
SHA256

fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7
SHA512

d06c552f1f3e5f731618b3e94069b017dade22e50b6e4648e67e67e69c198dca7a5752aa5fadc383d8d77745f194c5c815ca4a93e7b924f557078b47d18fc5c7
SSDEEP

196608:D7wqheSVYK/bua/BlWWnuVhsus8nm+q4nIoQ:D8qgSmIbr/Asb8nmFS/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeSetup.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4656	alg.exe
1900	DiagnosticsHub.StandardCollector.Service.exe
2900	fxssvc.exe
2396	elevation_service.exe
1040	Setup.exe
2388	elevation_service.exe
3212	maintenanceservice.exe
4024	msdtc.exe
2968	OSE.EXE
2352	PerceptionSimulationService.exe
1096	perfhost.exe
4324	locator.exe
5092	SensorDataService.exe
4260	snmptrap.exe
2540	spectrum.exe
3372	ssh-agent.exe
860	TieringEngineService.exe
3420	AgentService.exe
2160	vds.exe
5024	vssvc.exe
4424	wbengine.exe
884	WmiApSrv.exe
3100	SearchIndexer.exe

Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

1040 Setup.exe
1040 Setup.exe
1040 Setup.exe
1040 Setup.exe
1040 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

msdtc.exefea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4f10315293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\System32\vds.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\locator.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exefea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exeSetup.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a31ca18d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d57f018d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008ac8218d0acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002af40c19d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038a41d19d0acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4488018d0acda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Setup.exefea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe

pid	process
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1040	Setup.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeAuditPrivilege	2900	fxssvc.exe
Token: SeRestorePrivilege	860	TieringEngineService.exe
Token: SeManageVolumePrivilege	860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3420	AgentService.exe
Token: SeBackupPrivilege	5024	vssvc.exe
Token: SeRestorePrivilege	5024	vssvc.exe
Token: SeAuditPrivilege	5024	vssvc.exe
Token: SeBackupPrivilege	4424	wbengine.exe
Token: SeRestorePrivilege	4424	wbengine.exe
Token: SeSecurityPrivilege	4424	wbengine.exe
Token: 33	3100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3100	SearchIndexer.exe
Token: SeDebugPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeDebugPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeDebugPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeDebugPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeDebugPrivilege	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exeSearchIndexer.exe

description	pid	process	target process
PID 1404 wrote to memory of 1040	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe	Setup.exe
PID 1404 wrote to memory of 1040	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe	Setup.exe
PID 1404 wrote to memory of 1040	1404	fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe	Setup.exe
PID 3100 wrote to memory of 3584	3100	SearchIndexer.exe	SearchProtocolHost.exe
PID 3100 wrote to memory of 3584	3100	SearchIndexer.exe	SearchProtocolHost.exe
PID 3100 wrote to memory of 1624	3100	SearchIndexer.exe	SearchFilterHost.exe
PID 3100 wrote to memory of 1624	3100	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe
"C:\Users\Admin\AppData\Local\Temp\fea310cbebd09be1b8df83060646138e1abbeaa7a10fc8866839f819eff2deb7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

\??\c:\e2f6eb3d71bd7b37a25a51\Setup.exe
c:\e2f6eb3d71bd7b37a25a51\Setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2388

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1972

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3584

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
8e836ffdebb5f42df923a3cf3a4a6c0e

SHA1
64ae25e5a17c46a16c2f878133084fb7454f7468

SHA256
bfbcd76cc61717ed10707cbec529cb9ca77e72ab776d32b16f692f6d83bedf1f

SHA512
6952cb1f55c927e2a1fe6ce36f6b31473fcf63ee260dfaf618490733de6c3f862fc5319843ed873d7849305b1448018d70ab2ca05ba9a6c61e894fb4b0eb2ebd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
a829c935d15233bc68f4ea1c761edb27

SHA1
9879d5881ab9eeb8420a4301e6c6332699dfb9e5

SHA256
eab54b0400e4a9a618ae934735dc299d04d9c385a7cf91eecbff5d6f4df50899

SHA512
a26f2c801acc580a361b61c7fa454a217c7ea09c5b76bddb64d5bba2da30e87065d8b77cc683fc11f42b16ba697bb39a1de1620b48ca0691d070ab3dba5a7272

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
648c3975bde8ec17311451133e33665d

SHA1
ac9c82929cbb954864138598864478c753749e61

SHA256
eeb70f450bae8f7f824e5149b1c80bcae18b4cfb291ebe647a293ce79f4ad84b

SHA512
fda27f799bc4255fb9c4bdf2ade7bad5f77bc04f0c0ca7b6b301e59d225cf034556b7cc14dd68695bf1e18a6d88f28d35d9d9fbbe362b45b1f9f5897b9f1e8c9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
a46c7648da461820f2e9108eb93153c2

SHA1
58f3c6e9e63bbcfa81e3272938f9ad7fc53bc644

SHA256
9290df3494d7b94e5a32f5d40d822e7bfd76090fb9b8de9164f954e9dcd58d44

SHA512
f1361104630329dca47a2ab283d9399031e7de701bcc85788c502696cbb97d1985396f0de2bc9c91d21e58b8657423305d25d6a23180feedf8e3a691c8cb0d73

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
09c68535b8f3ecb0b075a27f16e67efc

SHA1
29706f36342c0fabb11ae47b1ad27b3c6c7a47f9

SHA256
3cb8742e07875ee70ea2aedb35f96c2079c6bda749806265c0a153a1fb8f415e

SHA512
6616b9750ee2c469942e3efc3310da467e3100ef279e492dbddc93f4740f2488627be3a909ef9acac55b96b5f9d2070e63b9365fb1b1df282706da60c41b97a3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
3d55be9836f2d8322c11af2c59269cb9

SHA1
2ed0caac91388d9d8f726fb5b55a51dd8c4bb314

SHA256
2760dd143d7bf234a7d63487727ed6ac4a6a1bdd6ee7541d8dd7ba82557f4a96

SHA512
ee3316c0efacd3d34fefc6b664422908da1532fd3fa40e1f364d5849ac57795a895c3c2060792b37d1ff2e67708db1e5e2167c0e53eb1240c6d747a66d3e74ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
e107a422fd04229dc116ec9a189669e2

SHA1
79360b108e42d0e2f6d01f69757ec2736967ce23

SHA256
57544c9156a2da2220f05ef8b182c7cb1d04aff0c9a86c78e3074f7ba7eb4751

SHA512
2039c4082d33ddbdd87490e801238382517283850bc603b2e187ab56b9fa9292d79979b68fc4ae2c8e37c3b6fdfae87d41708315f8f72aa78927d2c6136c4bcc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
4d82640a8a4f347595c4efe0fe2da551

SHA1
4b2f3c2238f6f84932514bd7358554f137d46d2c

SHA256
e3919f42b3ca54e56ee7b7aa4c3a292674189554ed2512f227e8bcd181ebb7d5

SHA512
806ae3ab68e1f7e237d1f04b1f0e6b7f4dfe10d4ec1b3e5ef85532d0b582e0d3273596feca7c9df6aa0ebe89d8b4e83cd4931b8afd1d502a602a18a91e283960

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI52A5.tmp.html
Filesize
28KB

MD5
3dcac7f667ab4e48ce4ea0e603361470

SHA1
70be301ccc9d8754c4e15154dab5dc04edf96399

SHA256
49e98de1bb1e2b2b4c2b360ced07546dda560f67f4cf7a0995be8cd548595115

SHA512
850123ffdc56fd689f3a3a4cd64300c1bbb2d42f77844216d9504eff46b82bfe165cc63ff320f021031a5a053e7f857a47a513b603f55a1ed394af114f6d32ec

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4bb4d501ef81cfe6e7975f1ba36511c1

SHA1
e66f9858f4ee070f5fc04b5045faca04ebbf6a5d

SHA256
d6aac81fd1695698822d6fdf1db8a885eabcc84cc787f9dbef72ea38dd4ce981

SHA512
08862779a56ab8632d281499dfb44e8d010c0732850c72438d571fac0e320278bb91676f3918a1f987aa77cab7029692ec586e80c51fc773aaab77d086d06a77

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
023d395c1ee788aa2e536cb0da5102e3

SHA1
47d635cbe1bfbec6e0aa11e43e40439ed13d406d

SHA256
f7c15296440d485b0bfb7f53add719eb1c93569b8438acf19124831e25adb659

SHA512
98c29dfa1ba5a64adb13163bbd61390d181e503b30bd997991d2f6f265daa2260f66a2c9dd27d3b316eccf69f297f94ba41f323e5476705c508385e08836c386

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c83080917787223f9dff2e5a1c75aa0c

SHA1
4e60cd7b081674af43db4ec8a771f58eb75900df

SHA256
195dfe66625d7072a3f442362a4226066da532d722574a37dc2d2d9e1c06c187

SHA512
0f0c35784446927e1f22a4f90956012ac24054a4447b3ee66cd07236540caff9ab72b86fd40a9f715c10a3b1f0ae1678aa287d0878e239788c0b8263bc66d51d

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
8a9531b9d33408846afe65ac52697ab0

SHA1
0988bc5ff977711aca74374fee8623e4f7b4835d

SHA256
98a25100bc91717a54a27844e98829fc07008112b15029ee18be821b5eaf574e

SHA512
82b5749802694a5243681f0f61d49a84561b326fee7150089cd3e008123e32f761a539400b19d368b9e02b68ee671d6d303813acf3b4cb41c09ab634eba706d0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
a0592c47bcf5d649f6f5f85d246269c4

SHA1
e359c2de4f0eb5df1e41060425f9cdb6f5525074

SHA256
9f61b06004f748ad93fec9434484f1296c8b611dd8d6ba040c2583f23b879f4f

SHA512
5d64d90b017057ebef303e227b26a165ee66935ce811256a157dd452fd940e7c2f6557c0ab368ce487503e589725ca9322b53451fc626af3acc0aefb702a151e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
cbf0b370cec1efd5197cab0302431354

SHA1
df8821184909b0c931e66c544ffce5e12ef4656a

SHA256
4ca03f6b88495f7410b114f9c0e28cb6cd0e8c9eb495c7e7e43114c05d0d7ac7

SHA512
d7a7c249bbfc632b5f781609e632eb724a0935da4aab09dcc22c6894f5c836d3ab6d81f333ff8f35608a7b74cc5793ddfff434e702f9d120cb8382ef7f37268c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
188b36152b3402dc13cae1f0458ed39b

SHA1
3274d7f8b6ca678d76c1fb1e4d7c861b30ae383b

SHA256
6fae67bd30b024a4bf1b922c9892554a8b9c1e8e7437a3ca27d8cc2ed33bb819

SHA512
71c5296ab3b3cf0d9396b23d0463c4fc478bf8ba26987a112a9eb5d80658781183fa1851822b62fa0b6e4c0c794475102174ff5511fd5fd1ad9936abf61930d4

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
49c03099857c6e5d8748cebe4f4f4b16

SHA1
3f603640c10b2d24aed53ca25602a9f987a51d87

SHA256
c44ef4e607be63e27f54819614d5218f5d75be11aebeeb8efa56de8ccbddabe6

SHA512
a879a6454ef821a416d5449df79c7f533e3cdf5dffb9c9d6909df5210d3c29ffed3086a1328fbe2f1995d0c87c19f6cc60c3ca0d147fbc4b7cdf7bce61963ef4

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
18ebb78fc6afcc7e78285c99e6c2bcdf

SHA1
4a6b6b0ee7ae9702347af64bcb3623e4e0b1e974

SHA256
c05d6f6c570a81c0a752328246a121c24e0feb88de0ad1988619d5b63cb06189

SHA512
b269084540b4b3d4136014484f160a37845879ba367e0e338acd98c68021516599138f2be5af71e813268c021a159dce1777221d8c814b7b5a15b16189cf54d5

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
fd3e18bb952fa230aad2e130a7a95d76

SHA1
34f2ea47f25ffb2f13538dadcd9216c6f6f6110b

SHA256
dc11b5c8c4a996c0870e91d9ce40ee4431b8c36c2fd198f70602d57a6a57e1a3

SHA512
5caebda9a43388d7883d256de17f33817eef122e76f41e56001a1a4096bf106fcbd4975a408d583693d0154228da6a364572cf1477b5e5588493dcc1795eccaa

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
f6ef4d25d3caa6e98d36bbbafa32abb1

SHA1
d80d5a2872de30424518ffe453284c35c3df7785

SHA256
7f9cd92495897cf167782924569f2784ebbe0d5eda6c9d9ad0e44e4436ffad95

SHA512
aa47130b751b7a2ed98f129d701317db826c746785f807cea2a511dde2eaa026958176bd7cfc858b20e8878737f9fdf87f9c9843154a20d3eff53aa962a00b97

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
755e4fec706f2735b30e5a336b87fadf

SHA1
7dbab1c280db14a6691e73e276eb124a13dde28a

SHA256
52a325845b89aad02b92d47389724fff535a128902f73884d7bdb7dc63f5aa73

SHA512
4ba9a0f0815e7dba6a1a5a5d52c619d3c21f0c9695a5960599aee74acf8a05f465cfd33a71d788cf4469974ce26aa9d1c03635a11faf598cc33d1e1eb6d7f4f5

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
f857d65ff547c9fd5c1096e938f935db

SHA1
563d8c4aef9a300d744056730e4270034d3a2af9

SHA256
4c95e652b42f2e142de010b481ddee08183e687b9fe4b3a6032423ef903c45d8

SHA512
9bd7917023902262bc6c944849fd38bc3e24768c2de4c0bd7458712aab8301a6efdafd9ab991c8916f9b59c428322013c540756c9e8d80aa30ac438b8c97a7a0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
6caf19aaa89347d1d6fd384eae2d0592

SHA1
a1467648e62b882544223d779179ce508f5b607b

SHA256
72fb090de06ca917390f6b4f9443d88dfcc35d2329952fe055264130117957c6

SHA512
907fad6a999c6e5b78950a57b20ca3138f1809e1e262f96bda3b3d6bcf8f6ad522176bb588447cbb019e726c36f589fe4a973e81bcddaba5fb6cebfcedc91213

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
2ff603dd518d6c25eaf1363e744c114d

SHA1
d5bcbefa17a2e76f4851f3828cd106558888bcfe

SHA256
3a97bab0e1fee9a22db4108e7315a4f3a35796aa103f986aa00168c509c02b69

SHA512
0904238db1a2ce2169b1ac8e057d522ac14c674db2cb30324e1c846fdb98c38e3d60dac3553470bb2a0714c7ec17263c96e628a61d8629eb00a25c1baaf44e54

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9f07f07b209b8e496e042d52dff0fe8c

SHA1
4a4100f5dc03b5170277e8ff33b9103c54db4427

SHA256
9873b79e9dc636fff59cf528375987e8d32f02deb3950b06f4fd60ebbbc0a8b9

SHA512
ab6323b8dff5acaa9d5590092d0bc7ed9f4c216241d3f54a7fd5d68e05bde9065ac6493d6c6131bd56c0e5e3af130e77a413d8c53d05841610796213db8200f1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
caa6ec17be99cd5ef1ad41c5bc177d4c

SHA1
667978666dd6999d643f95aceb746b252a712a9a

SHA256
4331be6738bdc321a67d22fd3068697528f195127bf0b99c32488e751c0a60c3

SHA512
e0d2043c0f7e415bbaf46e6773c386e6d02035b1279b7b25b829d6d5b88f917e2353fd98757c49e21153737722df201b9dff518157286b3a33e3a32954fee5b6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
f401483c5224b44af0096c8c0262f728

SHA1
37a12835a094c5bf69d5a57cf53747ec8fa8a617

SHA256
e3418a1526cfd100eabcf9e2edd51bcfe07423385ba770c528712f8a1aa6ae3d

SHA512
015faf408436f4b70298c2ce3ff162df45c4947de662eb767888525bf6493e431df39e472f0b16a56f7690ca52e49a6caf7cf6960426af0afedba4f94dbd0f18

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
60a0aaba4a15c068491c26041115168e

SHA1
fb05cc8ada49077a8695026a76a0adfdb7ccc2df

SHA256
f586c654685f58d0aff124b9539686ae7e2a0e793bf84167fe1994462d8b5f46

SHA512
abb1a442605e30e0cd18bd9782b158c2272fe2c7ce3c521590886725ac20fc60382436bb19fe82bf64bd6965c2be670af3fa0eae1e52e6b07f96be326da5e0ef

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
f7e65afece950588e4bc2f96e168cbe3

SHA1
92d94ba5a558fd374ddd7908b0151ed75fb909cf

SHA256
2d75d7a5cbcd6eb9820e700255c6ab5309c0f277fac4e9dfe04dce73a3879e70

SHA512
05f04a6ab1f3b3a2572f5c0dbdd7f103f49d2a4e60f753c653459d9e017f292b2059dd7da1812e346bc47fb92d62bcfcaeea6b46ca778ce122176516be3c5efc

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
2f9973e967be56c326125d6c6722f6ea

SHA1
1edda5a81481ff7c503250d650978d9c1fc7239d

SHA256
8afb8d727110293d0af09d694d86f08d5e16c028675d853e2738ebc536bb5dcd

SHA512
3b5783c8f7f98c1f97f5356f2bea21e6c64dfb522fdc7f766263efe67fd6513c1ecadd3580f5347631fe8363836f433ec0fb79ff1b1755aaf5a883349a601b91

Download Submit
C:\e2f6eb3d71bd7b37a25a51\1033\SetupResources.dll
Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\e2f6eb3d71bd7b37a25a51\SetupUi.dll
Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
C:\e2f6eb3d71bd7b37a25a51\sqmapi.dll
Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1028\LocalizedData.xml
Filesize
29KB

MD5
12df3535e4c4ef95a8cb03fd509b5874

SHA1
90b1f87ba02c1c89c159ebf0e1e700892b85dc39

SHA256
1c8132747dc33ccdb02345cbe706e65089a88fe32cf040684ca0d72bb9105119

SHA512
c6c8887e7023c4c1cbf849eebd17b6ad68fc14607d1c32c0d384f951e07bfaf6b61e0639f4e5978c9e3e1d52ef8a383b62622018a26fa4066eb620f584030808

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1031\LocalizedData.xml
Filesize
40KB

MD5
b13ff959adc5c3e9c4ba4c4a76244464

SHA1
4df793626f41b92a5bc7c54757658ce30fdaeeb1

SHA256
44945bc0ba4be653d07f53e736557c51164224c8ec4e4672dfae1280260ba73b

SHA512
de78542d3bbc4c46871a8afb50fb408a59a76f6ed67e8be3cba8ba41724ea08df36400e233551b329277a7a0fe6168c5556abe9d9a735f41b29a941250bfc4d6

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1033\LocalizedData.xml
Filesize
38KB

MD5
5486ff60b072102ee3231fd743b290a1

SHA1
d8d8a1d6bf6adf1095158b3c9b0a296a037632d0

SHA256
5ca3ecaa12ca56f955d403ca93c4cb36a7d3dcdea779fc9bdaa0cdd429dab706

SHA512
ae240eaac32edb18fd76982fc01e03bd9c8e40a9ec1b9c42d7ebd225570b7517949e045942dbb9e40e620aa9dcc9fbe0182c6cf207ac0a44d7358ad33ba81472

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1036\LocalizedData.xml
Filesize
40KB

MD5
4ce519f7e9754ec03768edeedaeed926

SHA1
213ae458992bf2c5a255991441653c5141f41b89

SHA256
bc4ca5ad609f0dd961263715e1f824524c43e73b744e55f90c703b759cae4d31

SHA512
8f2ff08a234d8e2e6ba85de3cd1c19a0b372d9fca4ff0fc1bba7fe7c5a165e933e2af5f93fc587e9230a066b70fb55d9f58256db509cc95a3b31d349f860f510

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1040\LocalizedData.xml
Filesize
39KB

MD5
fe6b23186c2d77f7612bf7b1018a9b2a

SHA1
1528ec7633e998f040d2d4c37ac8a7dc87f99817

SHA256
03bbe1a39c6716f07703d20ed7539d8bf13b87870c2c83ddda5445c82953a80a

SHA512
40c9c9f3607cab24655593fc4766829516de33f13060be09f5ee65578824ac600cc1c07fe71cdd48bff7f52b447ff37c0d161d755a69ac7db7df118da6db7649

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1041\LocalizedData.xml
Filesize
33KB

MD5
6f86b79dbf15e810331df2ca77f1043a

SHA1
875ed8498c21f396cc96b638911c23858ece5b88

SHA256
f0f9dd1a9f164f4d2e73b4d23cc5742da2c39549b9c4db692283839c5313e04f

SHA512
ca233a6bf55e253ebf1e8180a326667438e1124f6559054b87021095ef16ffc6b0c87361e0922087be4ca9cabd10828be3b6cc12c4032cb7f2a317fdbd76f818

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1042\LocalizedData.xml
Filesize
32KB

MD5
e87ad0b3bf73f3e76500f28e195f7dc0

SHA1
716b842f6fbf6c68dc9c4e599c8182bfbb1354dc

SHA256
43b351419b73ac266c4b056a9c3a92f6dfa654328163814d17833a837577c070

SHA512
d3ea8655d42a2b0938c2189ceeab25c29939c302c2e2205e05d6059afc2a9b2039b21c083a7c17da1ce5eebdc934ff327a452034e2e715e497bcd6239395774c

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\1049\LocalizedData.xml
Filesize
39KB

MD5
1290be72ed991a3a800a6b2a124073b2

SHA1
dac09f9f2ccb3b273893b653f822e3dfc556d498

SHA256
6ba9a2e4a6a58f5bb792947990e51babd9d5151a7057e1a051cb007fea2eb41c

SHA512
c0b8b4421fcb2aabe2c8c8773fd03842e3523bf2b75d6262fd8bd952adc12c06541bdae0219e89f9f9f8d79567a4fe4dff99529366c4a7c5bf66c218431f3217

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\2052\LocalizedData.xml
Filesize
30KB

MD5
150b5c3d1b452dccbe8f1313fda1b18c

SHA1
7128b6b9e84d69c415808f1d325dd969b17914cc

SHA256
6d4eb9dca1cbcd3c2b39a993133731750b9fdf5988411f4a6da143b9204c01f2

SHA512
a45a1f4f19a27558e08939c7f63894ff5754e6840db86b8c8c68d400a36fb23179caff164d8b839898321030469b56446b5a8efc5765096dee5e8a746351e949

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\3082\LocalizedData.xml
Filesize
39KB

MD5
05a95593c61c744759e52caf5e13502e

SHA1
0054833d8a7a395a832e4c188c4d012301dd4090

SHA256
1a3e5e49da88393a71ea00d73fee7570e40edb816b72622e39c7fcd09c95ead1

SHA512
00aee4c02f9d6374560f7d2b826503aab332e1c4bc3203f88fe82e905471ec43f92f4af4fc52e46f377e4d297c2be99daf94980df2ce7664c169552800264fd3

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\DHTMLHeader.html
Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\ParameterInfo.xml
Filesize
9KB

MD5
03e01a43300d94a371458e14d5e41781

SHA1
c5ac3cd50fae588ff1c258edae864040a200653c

SHA256
19de712560e5a25c5d67348996e7d4f95e8e3db6843086f52cb7209f2098200a

SHA512
e271d52264ff979ae429a4053c945d7e7288f41e9fc6c64309f0ab805cec166c825c2273073c4ef9ca5ab33f00802457b17df103a06cbc35c54642d146571bbb

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\Setup.exe
Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\SetupEngine.dll
Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\SetupUi.xsd
Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\Strings.xml
Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\UiInfo.xml
Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\graphics\print.ico
Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\graphics\save.ico
Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\graphics\setup.ico
Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\e2f6eb3d71bd7b37a25a51\graphics\stop.ico
Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
memory/860-289-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/860-716-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/884-350-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/884-726-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1096-227-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1096-337-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1404-180-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/1404-7-0x0000000001000000-0x000000000161A000-memory.dmp

Filesize
6.1MB

Download
memory/1404-0-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/1404-5-0x0000000000B10000-0x0000000000B77000-memory.dmp

Filesize
412KB

Download
memory/1900-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1900-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1900-35-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2160-718-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2160-323-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2352-225-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2388-156-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2388-276-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2388-160-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2388-166-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2396-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2396-264-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2396-120-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2540-265-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2540-566-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2900-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-109-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2900-84-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2900-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2900-91-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2968-202-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2968-322-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-363-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3100-727-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3212-176-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3212-170-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3212-181-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3212-182-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/3372-651-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3372-277-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3420-311-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3420-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4024-185-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4024-198-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4260-255-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4260-541-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4324-230-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4324-349-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4424-722-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4424-338-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4656-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4656-201-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4656-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4656-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4656-19-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/5024-719-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5024-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5092-362-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-241-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5092-650-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download