cb5c23af689df5fe7475b17eccb02f939e6e7a5c0872f372a028980b8477d4e0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
Size

4.7MB
MD5

496b8c3c0d8c246c35ad1f6b60f19f44
SHA1

b669212553d8a5d2e36dbb398f4a44cff8b16bd9
SHA256

cb5c23af689df5fe7475b17eccb02f939e6e7a5c0872f372a028980b8477d4e0
SHA512

cf09ef70f3e0240bfb81f47e402a5471f3c80e9244a7971869710bf5c67521927d5dfb3d50b611bd8742328bb638ce0e65963c3afa8f28bd8c19197ce807eeb4
SSDEEP

98304:rfAE+xBgUbR3S8UqSUcjKW5GTmDYSiU0aPfyK000ibS:r7+xBbA8TW/ckIU0cqg0iO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2796	alg.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
1836	fxssvc.exe
4092	elevation_service.exe
3376	elevation_service.exe
1500	maintenanceservice.exe
1892	msdtc.exe
4816	OSE.EXE
1324	PerceptionSimulationService.exe
2844	perfhost.exe
1560	locator.exe
632	SensorDataService.exe
1172	snmptrap.exe
4560	spectrum.exe
4936	ssh-agent.exe
4440	TieringEngineService.exe
2204	AgentService.exe
1444	vds.exe
1572	vssvc.exe
2424	wbengine.exe
1980	WmiApSrv.exe
4436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca4d1955c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000979b0be663c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5cfa1e663c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040301de563c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ad606e663c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000822515e663c8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c09768e663c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000126d9fe663c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df0a9de663c8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae287de763c8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4164	DiagnosticsHub.StandardCollector.Service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe
4092	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4480	2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
Token: SeAuditPrivilege	1836	fxssvc.exe
Token: SeRestorePrivilege	4440	TieringEngineService.exe
Token: SeManageVolumePrivilege	4440	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2204	AgentService.exe
Token: SeBackupPrivilege	1572	vssvc.exe
Token: SeRestorePrivilege	1572	vssvc.exe
Token: SeAuditPrivilege	1572	vssvc.exe
Token: SeBackupPrivilege	2424	wbengine.exe
Token: SeRestorePrivilege	2424	wbengine.exe
Token: SeSecurityPrivilege	2424	wbengine.exe
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeDebugPrivilege	4164	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4092	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4956	4436	SearchIndexer.exe	106
PID 4436 wrote to memory of 4956	4436	SearchIndexer.exe	106
PID 4436 wrote to memory of 3848	4436	SearchIndexer.exe	107
PID 4436 wrote to memory of 3848	4436	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_496b8c3c0d8c246c35ad1f6b60f19f44_magniber_qakbot.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1892

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4560

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3680

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4956
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
aa5826555a6c44e594bceac224484d0c

SHA1
b1002b411394dc35b1c7b90ae5044b9b376b17d4

SHA256
3ef0d65eaa70c7bd42f9a6e107756cef78bb5832467a29026beb8aa47d0049d0

SHA512
2007dea191c65347d260cfbbdc07ff5c9326e665484827d1acb5021a605acae3c649dba4a9345e3e838ac29e03ef8683acea59ebb2bb51c339ce01f65dc73756

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
f0024b03c4bbb3e5f110f95ccde0d3a6

SHA1
0adc4dd5dcca1bfe5ac04672f0ad2d69c9a46f6a

SHA256
7c62bcff1aa32fe1d2b94860352e0aea38abb37c85c107231871f3deae9eecc2

SHA512
f107dfec08c92d37838487ef136b3e1e657e5aa68345f158dedbff7ce949b6b5111c9aa95f9c5a2e5635df0adae713c05599b312843efa4236db05693839b0c8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
dcee4684037f1ae7258aaca79837f8ef

SHA1
3e044c0da0d3ad23e431e408c3e8a94f919d8d7d

SHA256
e4228c189d121d54742d3b759fc75608756a9c69429d8b82a6c7029c248db642

SHA512
4b776ce9c5198f2f3882bb6869e4e07f476804b5569538860560f25e138eda147714d60b68f191e30481a1ee0ee9728e9df6ae9fdeb75ad337263a56215d510e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d0f74c14aad1aec9c7102c9d30c8a9ef

SHA1
d2189fd38934ac533b00d8058d559119932ea3d5

SHA256
cb8f6cee511c2db9d10d4e8ee10dfd8794f50aa9fe769236ff85384883003b48

SHA512
8b71cf22d7234a69461709e2ae20d5a92a77d59504d5d61ae82ff582ca29e866387397d07ab09b9c5061a9d96d904fefd58509c0ab123fd97b4bf1fe65c6f2bb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
749fd2e4ba2ef8f000fdf789a1068337

SHA1
146767f4f9f3874bc3184a3a11702ef837af4f8f

SHA256
2680a48ede66fdd73471cba02b189c11c784fd3c9db2a16d9a1c790dc00fa650

SHA512
a4c23c44e80a4d00f2357ebcce431400ca44721f74f06495d0e7d5f1ee4ee8f2a4acd6a7cfc9a632b33a1bc64e4b5ee7ba04632472768a91f86a1847c0793a3f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
761f028e150c2a76ceb3a116bff55957

SHA1
9ee5e7ceb027de3b8456eafc4a1bccc69d1efb73

SHA256
564de7338c89ed97e04460803b68115cefac5c21217441e1fe0a86161d7ae4f9

SHA512
82c0b19a7bb986a69e5b0e4adb69617b3f54564ac840e572ba652ebfde5eb4526ecc6f5d51e62ef01cea79afaf7771e819c780ecbcc44c9161359256df49c037

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
6aa9f98a68943a30d1e3eb2ec9f12dcc

SHA1
59920714f4e5c07f12d1ec7799ce0b3c3c470a80

SHA256
f8a273b219e22f131d9e725851b8ccb85812c23af6e46782756831286efd4556

SHA512
6cdeb5d02218381597ecc2f56f45e54bd6ee259748a627b4f8b1476c8ac58c016fc1a9a417d8c463b133c601ae4644b1c39910a6677765cb2c7a2aabc25bd36a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb2c2e2d929aa08e1d7ffff4d32ae84f

SHA1
a71f5365228799958c3d3808c81fa0f52c6bf078

SHA256
54ec4a7b12ab26dbe29cccbb667993a3ef4b5f17abe337b0c4c423b18cbc3f29

SHA512
87204fe101ff8e5e9f0ed03c1d67e89f8a8fb4a1eb7183d9ad1cd937416f02c5d2ccae4164fb64ebdef541fca3c86da82c407ffe58aee236e1afc8378a943c38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
f7d3267588804428e49fbc37a4b74551

SHA1
37f3f5b7cbfe48c5a127e910f3d6505e7d775571

SHA256
66fb28236bdcbdb96044664876f647db8dfaf6db0207eac36ef065fe0e657bf9

SHA512
99a1281ca21dc317ae2a803c7681d606c434c627bcf2a0b446b38c68b92b64f59a9ddb9f422bcc562690060a82ec62756ee32714c72bed5e4e5accea80291857

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3cbf34eaa04b440bfd8d7cb497eec7da

SHA1
20c6bfd4baabeff7c262bf71d3f3e410afb1ef46

SHA256
e6cea00bf967250856b491e468964c9956863296782934abdbf5d22b872373a2

SHA512
cf15f0fdbb970a2190ee3ff58f7e3f607539851a35b42088fdc2e55e29a186f17327c685889b67ee992f46e4caee15cdfae1cf3f46d986d2e6e728cbabf19ac1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
917c6a3b2fb7b7138bf836bdf3600f9f

SHA1
13f6d4542d851b5fc31d10103a821ce5579cef52

SHA256
7abe506bf9443567e435aa0c273c817ad33538848451d0d76d4e09a07d131bf0

SHA512
9c9ca06b3d0b52aa8c798db81f933ec5e2417450a6e376b87fef700d0d37bd8d849e47d72497fa9d53bdca1834349a4298def0aca3b83cd02c4bcc35d798e89f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
112202ee77076d20bb1aafd18f16c142

SHA1
7b961629e50f05225b8461f8632572928cc75111

SHA256
d6a45401969ca40df393814feb3cef18e21c0c1ecaeae68c684a1c10fe6d5655

SHA512
04fe6d71581a14bda6201069a25a4ca01a04e3130fd73f3de0729991ccded715a9dcd645b338ff4bb1a3e0be7c11f8c3abebcd8b2d74ce8da7db6a2f148289eb

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
163f4e064e170dcf9b148e4170655fcc

SHA1
0034fb882901039ace7e937058ca1c6ac6a7fc7a

SHA256
2a03ec13dd4edd8e4e8cd6be61117d99da728cc14b00df3feeee2ef111ae3f9b

SHA512
4b0b0211d2f773c272bc7848053abe8e0bd8bcee4e5befff44169a668c96cb63d586bd5e1f32242f311b4d412c897013dbe599e55ee5fde425b26c8c13f786ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5c8263ef2d59633fa61fbbbe73440aae

SHA1
ca4ee0bb7f48d47be2c06a717d749c8f6a6dc681

SHA256
e4629d3be14db698920a9086a58800677a3063a53bb2c2db48343fdb2bc7da15

SHA512
10cb249d398c95ef16c4179a77159936b25823c38378d2c66871e6741f6e21ea80c42524f878624b072b5f9ade552ab23fbb11590b38facd286383a3ab288051

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0d9daabacd13d047a113c6997691623a

SHA1
e9f76a5f6f0c93cacf8fe3158e54170cf48b78ad

SHA256
84b02e355b2274411dc7eb4922c7014225b88e6040f7b3061609d7faa6056bc5

SHA512
b8d601bc5eb71c3577f83e69c2ad34e15f8b8253f8ee15f700e497b826ffa7848afc28f82531a95f4a20837995e633b2d7069d43b4690e37ecedc178364f2370

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7f789637974b7751d58658fe4d86cf7e

SHA1
a9cee92c1989df16b50df83c9aedf522e30db60e

SHA256
f3c270aceb30c4e838c432ac263c9e42095ddc9d10efe5d600d7d3e49cb3784b

SHA512
14f29706d2050906563c47d059471e07fcf8c1f127f9b4a59453e53db95668faf48c01d9bdc2d6920caf144afa2219deaa89a14db85df51446e36e6846ec036d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
09f332674f267c859aeed07fa2c39bd7

SHA1
7af5ae43f69763d1106db533dc5bb5140510d93f

SHA256
4dfe4ec94219f2e55e741fed4d41d0ec70c5d7ef76576d9100827c3131a74476

SHA512
2d9b77c936cb6b16b8dea67800c115dd11330b3a517f07235aeb65f85ef3b8184390571f9ee6d1edd06ba3d841fbf82ae1140e049a079c0df36e84a7eea39ae7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
17ea91c4424feb89f7da5e4b9ecafe12

SHA1
57ce3d75ac3b41bc71acd03aefdd9a4580022a73

SHA256
bc2be6bb6aa8a8ac84d45ecafbabf243dbd79fee1f35901618173ea1006ce65f

SHA512
db4353030af9708894e554d6f32527ea9966ebe9d9dd0f25314694e2394156d34b926f7f6a70bd1afb565e05bc08465dd7302d5060368704b94450c7c791ba8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a0941adb34e5ba4491e50e85af908900

SHA1
09bcf6cd11fa6b01aa9f3aee565efbc8c9ff245c

SHA256
c6be5edf0280c0e5b44aeffa99e15a62c161b5b9c00be14865ad93948f43f691

SHA512
5a8cdf55ecdb4af6316338f80cbe8a801a98e1d8759b0c49af2b4ad66a89d4e4b7b489fb5d57b64c8bf6733cd80b0db2bd8800c53d2825a92631ae6fe57118f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c07668bb900470420ad0af792bfa51ce

SHA1
9c6f80e7fd6368fe1fd12d74dbb91869951e8439

SHA256
342d24a95ace6437a33876699e1881c3d81f60fb4c30c8f3d3135c1cc8484b1e

SHA512
dd554046deffa8220b4191542ab79f7b5c0b60c151cf5b7f3ec98a0c6ca4b3ac7bea159e96253b102219380c2e3e437e3a9baf80b12b8dc8b853d41e40148e2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
f58406a4f0e2d96db343b1dd780649ac

SHA1
33ad6cd38e69813597724ec55fe5faf1dd75c48b

SHA256
2aa35be30cdb6415594be149f1615f9e91539fb24d2dc8a2a841c5d918393a33

SHA512
5bb80768cb7bfd014f045c8f296318bae8379c1445594c8f853c851cec0f897e63259bed3b7453651bc3c5f024137a5265c6888543bfa124a957f8a7ffda2cf3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
721186ca1c7e36d920aa78b445fba7d3

SHA1
f725d875afa29405fafe9d228eb5f675c4a588b0

SHA256
b4576bfb8d1d827d0b00f0b63334b699edfc032ab1eb969299c0efbd67b0905a

SHA512
6181fef0ca0f77af68e9ccd849def78a2497f5fc2a01f26c6454ea8228ad01dcda622dbc2afb70e09718b0f0a8b5bdce75f83a6ab3053b1de564f36bbb034661

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6818c17cea69cd1da0ce60a603d00203

SHA1
dcd168474c99f78256d244e829950b88ff23cf26

SHA256
6c4fa8321f3e279aea6c4fb210c16be79f27e6a39aebf7fef7b8573852f0c4c8

SHA512
4f63e44c7777f53102e01a21c753fb98eb288045b7e3238f14a376adcba7530fd200ef48dd1532d4439dd0edc1e99b55acc99ca0310402b5f3cdea4c5dfb3ff4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
808d109f9b894d2d9ef45206872645a6

SHA1
8d210d96e4d95e2310475b0cb1229f4e7e4f089f

SHA256
4792da6f2ff4a58c9fdf88caa25e42bd42cecf523b1a89eabd4736fb9f6efcc5

SHA512
aa50a9980e3f861e3dc798fa2e06ac5f1e40ba4184b443b303d827bde3d6bf2b2ae96e4e385545037ea854f120226a5d0a11b5135db251fac6cb0a0ce2cd529f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
025fb665c610748aebe22de2b1ac4695

SHA1
340995e8f0f4faee0ac5bd041ac97b4ca2e2323a

SHA256
68b4868439084d27e5878c164e0a54143cf37758bc6b14b0893718ba8f29ada2

SHA512
e28410bb1dfdbcab3666bfae75704370a1b787d965f53ada82970d99e8ed7ac548f30f77a26523a2e74e87e704d136711dcb1e9bef414c04c4de2a9dc5e76cb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1293640687fed24cd636101010a76867

SHA1
3c78b287ecc6042caabb6203114e9e3d513f156c

SHA256
c5dadbd1b9d81f3124ade27f2d60937e14897365a506e02408f397e3935c7273

SHA512
458f2e0d19016485d143c9eddaba4f707e567e08bd9d2c5e12ca51b1546b11218d38f4bd14fee0ad8e888c14b46f5a96d1626a7630b0d00896fd41fbf5cd90bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
97aeeda4a25958865c92eac9194a817d

SHA1
5d5db836ec39147d1d9b12aa98c644ef1eaac3d3

SHA256
0fc40580f5d2b5db573984a061dbf4eb910794e79d16fb0e0719a91ca4009f51

SHA512
97ca7b27f050d50d671f5115c3fbb9e0b1af6e823677fb30206bb53a280d7f4ca0f6437e225d6c98d1160074949badf83ea0335c82cfdc66e1be4f7520c37708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
086ce640f866b3b761d24b4046649268

SHA1
584991b1eaf823daf33624503f6cc796a7bf09fd

SHA256
b133bac2eded403b3ee908f1084f82035d6db2ac88853d6eefac941914d5c63f

SHA512
bd2c687fa7979c48f9417bb44e3453ab9ccccb9e82a4b87722a274022e4f6bcc503c3176105ded42f589db076698c3fdc77c34b9bb325cafb28e5ae5eae94065

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
ccb2306a4ab81180349e854d1f8eaf0a

SHA1
f7a1958075cbf176d052ff1f0debe3c7017bb00f

SHA256
c40c9278251e9a0e8ab147ae90b50eeab816b9f9eeea116f0b41aba8c8f81a5a

SHA512
5da6f73190479e10d976d4fc552ced33ca445645f57c47fa9590cb881aa98282c65c27b0aafec6447a8868b0a87e07a4eed852ed0963ad50038343dd69e9c2ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e36005a74d996b68b3a52cfeb5f4e8ac

SHA1
138f94ed346f2cd7e52612a30d099ac92af65d7b

SHA256
591e9301e5c3ab1c0d86b6cab27516806bef780063dfc7f7eb8d9e82ec106e4c

SHA512
b1480feb00fd827f5a25a7eaa86c67577157f71df594fb505496e28bcb59c36f62a5fa1c88f16feaf975060251926a4cb9706e1de5e1a0d81eae2d6df8109d65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
cccf23ce1a32ce78b775986b2624c340

SHA1
a75c09da7c3e6c07997d372d73d1f693c4b26eda

SHA256
735d9504e98c1bf9f7a004e2564d3e1f1816b8d7450f51adf9a8113395134b54

SHA512
84026e049e222278370de102884bf4fe2822d51c3c17a8d2d6f4b99885d77d36f13ccac098effc033fc1ba03d13c8d732c50585d666f136632ba308362841d64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
95a1eaaf11de2372a0f4c027e8060471

SHA1
23a6b6b051503c39ef056151aa942844c811769c

SHA256
c7f450ff8a096928ae8d5674edff8ac76bf6e336d3d82a1af4d1e6ebe1058c75

SHA512
21a831bc52139d5689abd56ac5bcd189d148bda97f0df2a73c072079cab7a09a6d65920766f6faf4971edd07185ae0e1047bf25b4e92847c23cee5407894188c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
1f27402b568d739fdd60ecf085eab017

SHA1
35caacd63dbbaf52df182ed644c207981d975c84

SHA256
7b9ca09e297306abdbcfbc9abbbf77cb8d054eddbceaa3ced17f13b45a671dee

SHA512
2c105ed19d2b20c459d24df5b204795716ae11ee32a7c2a0c0f1a21531950b9642c6f75c767b4bc806ac55d654dfbbcb2d1211fbe9976e037a09e3501c4676a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
ac1c090c7a38e6c24dee541839722bf2

SHA1
ddabd5862ad520b1f9b15a88430f167cebf2950e

SHA256
190149df2bbf85cd84cee0b900c1b44a1e9f2c3938ac3cb67a37ea50ad5d73ef

SHA512
c96db6814ee4c871a1a53d6d925100e392776cf19f051576dee29130c43fd7d3ba6d5f4d2feb78db982a60cad59eadcab542425b0d19b6e4fd77ef1d1fc869f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
2dd1e8a29ff972c2b824455ccc8b3835

SHA1
aea032c3813f89b23be622f6dea1d21b48b196fd

SHA256
34f60430f5f8bff08f6c69b6f0a5284ec39616f06a22ebfc33d246305daca0c5

SHA512
ab3322c1efad818ad78871dc6f66b381ec50cfeed993a9436aa7ea4911f4512d61433cc05ee7c9ada5c2c3705397bcc04d10f96dfd9c0113e21541d9a8fd0cfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
10f875da291381850d24bd6600e5e517

SHA1
4558903a784080bfdba1fbc3ffb0949d5b83c267

SHA256
1faa09e9caf93cec51c7209245b367ff7aeed6a64afc565a954dc24d4b313a01

SHA512
1d464e58565af056a9a7cc1366774cda04c8251c82e63b6a66d321444e3fca6927870b6300370edb210704f749ddcf5757071871e5b7bdf94c0e4516ce34e51b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8fcd0fd84d96f76bbfe389d8d6fddd23

SHA1
f2cad9ab6b03206199dec7a4fa3bcd3965613bcc

SHA256
bce679ca2c3f5493e38b02ce4cc4de5238235294d6cf575e29f8455ac80b5f7a

SHA512
1e1f82d5fe6d5891f3450d5084184a3df06f790dac414f0f63f4c29b35ad0860f0690e8b762e73eb3c8ab6ba47b9957c81b8a5efe0f09b364700849ffdfcfcbc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
7311a80cb6d124f8b4dccb1b21e4fe40

SHA1
29f190024dc491f45238d35b4daa5b292b5ea995

SHA256
1305bb895c42724034e4f40cba318cf797c811e53d025f27d6f1f80a6ad9ef2c

SHA512
d5ccc4564b6d729922881b68c63f7739f641d7d2123c0b137ea852d7a686ce0240557b68c431ead6a7bbe354898f0b1076628f64e7c6cf9282c6406cdef0bcbb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a6c13b3aa0a2b478730c9de7ca339464

SHA1
5f01ff6e6db082d5f437bdeb03f6cd17cbb1a171

SHA256
392632b5629490f5cd1e621ab6761fdaa64845d80f2adb0ea754dd30d4df8b9d

SHA512
65d17b56faa13fa56ee6867f0a6dd38dd49ee559e39bdb4f165dc65e37d72a640a82e369872677350e00c93db48b5164594e04fb2a99f630a05ca79a27b0a4a5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c3044bdfe6773184def219836bd1202a

SHA1
86a3c257d59bb02eeb806ee03ad8bd094dadc9e7

SHA256
bc13179d7d79e8b88a0084a7c32c03f7cedf1ab72484231339689e279fa78cea

SHA512
5ff03f99baaa642cd2d2f6799a57d5408132eb924b184211e48f6e8c1c5240837abd78a477e56f495048713af87443fe1d208773d8f33e5955ab6a29f47d0406

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a741e4c3bfc918502b9cb0712d398ddd

SHA1
1b41ec3b58db3b920821899c4e2c50fb50256793

SHA256
2b60567fedc202d58e66e537b2b854453d34efa6574c57101b21f770326aeaaf

SHA512
3a71f6e59a9c02ed89fcbd60566d44727856a950a58e67964f15891e76b7bc6b3a0567bc6bb33ed90ceda4aa98700f9d1426a218007462a7bd4d55cae975a91a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1eb0deced9363e381ed2ee2f97375b35

SHA1
2eb8de79e1fbce978b4d454c2e9086af81517346

SHA256
ae79bb607ff407eee1e03dddbe9d5f3fd530220169b56669712de1308bd043cd

SHA512
3f7a4be4b0d655c041ee3a5ca2f495f663b4ac7b09d73695c97379db987dff182a1aafdc74fd7d80accc53b687578c86c50a5673d976f2582d97f0102e04b3a0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5dccc361eb81d7af62ec725c0b8f99c8

SHA1
2b4bcd82c5de8260b777c8f6c569825b2b6aa62c

SHA256
c46ed06aa92a15bfcd1a88e10a8ef7d925cce5ef2db580afe50b323aad399527

SHA512
12939f84cbc546da5931ffb38ab485c1d5bad15528092cbf3100e4e197a798241a12f44acf6248f9dfdb9949cde74b27f055547c43ff16f9a06ecf2310e8f557

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a1b1463a3c051eaf0ba1aad38ecbc9d5

SHA1
b814631d2fd4252625737e29d0490b4153aa1f1d

SHA256
308030f5a437032ad0860d5b2256ed7dd1c2d4cfe12ffc3f4a73405ccf19456d

SHA512
2eae26563ccca5794ad5e470260efa6717f3a4344d8ab4c92ed81bffe75131e58f934bc399262312b970e54d84ffaa3ada0de9f3a06037d9457cfc5ea5887f73

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d73b3af5d5a74f53910b9295a84260c0

SHA1
0bca3fef5ae31e16c413ff0ef70adb103d53a964

SHA256
fd39e7b6e61f87d246fe4623e85d0934f163f722bea1260a170b352553fb2187

SHA512
0c37aaab2ff29648fc9c2971d7922f15c88a919769564c558a7a26215a9aa0cdc5052ff88445fbb93bdd76afcc3a87025c757682eb3af281642d4054aca4b8d1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b63edd5acfa0394826166bc736bbff14

SHA1
88b4d916d09a94664735fab159945ec38fa76ecc

SHA256
51ea82215ff1f7b9df728de16506af4404eac8c01264c9445c954c2a11505d73

SHA512
1f5cf79a4635c9809360850d0e734bd2916af9dbb1b57637d9979f2dd2acf2ce68a4a42c64ce12f662d2a35777682f85db4062780c4af3a3ea19156212937d92

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bb5b21b6a654dd52f24c5cc0315f90a2

SHA1
293e35eeecc95ebf0e9b2ab5e6f315b12d1486d3

SHA256
137e49ca07c7589bb300a912fa328e92dda11ae23a227198f971a149f6908394

SHA512
28bf5b2ae087d42458deccbda145d535a15181db29408f4043c45064296ac21715d07a1b828fa1a256867b22d688d88d6eec87dff0fd929ab58878ec11ce2571

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0c2ae54fd84a085f97edb38acba73029

SHA1
7a3cda5509d15a4b9dbace01d23f275c9787fdaf

SHA256
55c94022cef11e59094c94fda91bab7d27afe241ee7dac0d47f6fdad52e54464

SHA512
5cfecff14f0cd6301ad8c4dc7fac78f9987f8187513f9353736f5abd82ef6f161c3d7c3e7a1840e0b12b7912d65779e71202a70b6f835d8b1590104ca89bb6c1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
fcaf6bea3decb93e29e81abea2c1f4b3

SHA1
09e9c243a4eda54f174f2fbfd30450e74bbb050d

SHA256
0fb0604cc6a31d87c3d4e89c28a279a6146a645799f82f9a4a8847d9c2756581

SHA512
0a80494ef42c9ef44b6442103caa7fd02d7f18e52725376066b8b03764693295a84499706e428cfc7bc87c33aa11dbd26b33b0869f8bc6892720b897db2e6f11

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
57a3a19c0e1274a4809d58b46fe9ab91

SHA1
d979aa7eac171c337e7bdec99bcd9c646b323641

SHA256
17642274c30236aeed7459cd2f2c5db1a1f2dc8d9311fec8e6d92cbb1ca28807

SHA512
752454a2556deca7545708e072362e104878e233fd2540f76bd2590351127b362b63de98e0c9198dc680df0d86126225e017fa58463b4a3144562cabc787c56a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3017b25443f62125107202aa30f4f1d1

SHA1
20e1c5cd8d19ccca26bd7639f5a4616ba677db79

SHA256
855a7044c9fdcb7e1f6ffac4a9252b52baeaeffae0ab8b903f24fa9a4cc090ed

SHA512
b056e2b577236300a541a2421b1d5cf796a212e0fbed19a80838cdee0e5d008f933dd69a63dc948d6303aec9e68234a6490b7acfbb1c8c9b31ea55311b565cab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
5baad27a6b8e2074a914a103ec3fbf09

SHA1
1c8f1578fd29b5da45808a3511d8d0607db46342

SHA256
ca907dd72dc4844a1a50fb9eaaf3072f9f12ac6254bd9ee09f511238aff4f7d8

SHA512
76f78ec3bce52c7f4dec15c6f5a5f3693757f8515702f8eb30bc58a715ddd693c964ff7d13ded0fcb2e378d0999c280d55a348a437662a9df3018b8118f402a7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9843c1bd806b34316a9d8f789f3b8d8d

SHA1
040670a539e2c2ccca19544c936dbace91662f1a

SHA256
738713809ae1ceb6bb83378a7def2d395a98b9c2543a865b0452ab30f613e474

SHA512
b9a3468112541301e0f54ae5e2af01b090fda8a66552fdcca07b0dd22e2c46bf8c8128034df7c7f4ab84ca9900dc4466eebd95440b0a45a55d60fc46a837ee58

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
84e5b94cc35caf4c30f695be57b9a8cb

SHA1
09f26c50f8080fc67187b83d0949fdabeb4e4f2a

SHA256
db2875b94c92c94a11a1758bd8cf9d652745006e5226e7c804f409c857388326

SHA512
a6b6df43bf52529d4be2403608d309a314b456bbf02f634df84966e4c24315dcfd67e36a4cf73793594e87d9b0160388f3a109f227c8b91096273a3738abe7a5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
13d8f3822d80760a4c2b0f5246868003

SHA1
b486e8990d7f3bffd1f70218761607d6d381859a

SHA256
b8b769b38a78e3322046b247810f21354d8e0af02af7fe59352ee92bdcd342a6

SHA512
17d7f2c7abfc924f5af338bed14d8d95cb62e039ac72bf40c3c49579fe0fa386295a0ff58a3c43f30b43b28d9bd4510f514ff64467dfe9b5c8a74b70d4809cd1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
708f01019d46fd9b9119c8018f44106b

SHA1
8c1e45e699dfc03760905fda01c5b0f774816554

SHA256
302e058a05861ff6b35440551a1e2331d0616ded1bcb96f83994deb6460ca62d

SHA512
9b3695e9291755d613c78c6ec0b84ce2015377ee8c29fd77c81915b33fc1ebb1984a47a3e6e95343f1280315c4b18a7f3b4d67dbd8bb406ade3750db144e69cc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b1b87a02331e6e6491a523d319d25b0b

SHA1
e9407c6188194ed1ea22b44c3ace9ef4a418ea20

SHA256
e1da2f6fd6f8a10277bc2c1b3e2bfe9269f0df03e16f8f364b3cac11b6b935ad

SHA512
33ea59de1ec5134a99c1b71488bfc626dbadb6d977ec78cb7acaf06e72c4ad7ee76780473c38e82683d2108a82eefc027300f4facddf25d48160d80df7678906

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c921e39379f11c4835e5fdee3ad92c28

SHA1
b4c082fece2f98bebe85ef8a69885c7e271916de

SHA256
2f8d8dfa732decb32e323a2c1efbc32e6da45db6e6a67ffd1e2b4c1f744be9b3

SHA512
5d74af2845595a3e128ce8163ef16078a796a19119238e551b46141441ff86674e2227390b2c4d7a1049a1dfb11bb28600d0e5dee790cab134658acebf49833a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f048c96c07fc560eb707d89ee01e51cb

SHA1
52bb27a2dc14ecbd37ed091a638ed82537dc7ef1

SHA256
11802127cb50aed9c4030e219572672aa48e2bcc4b076a124161a1eb91ae6d54

SHA512
acf251f5832588fabad0ad71bbf42556b8112d90692b3ad087dfadada68b47c0c6216746559cc59ff7f51f64129663334694dd2bab228aeee2c97d3ec2ab78b5

Download Submit
memory/632-456-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/632-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1172-157-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1324-153-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1324-84-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1324-90-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/1444-161-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1500-64-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1500-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1500-53-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1500-59-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1560-155-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1572-162-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1572-554-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1836-66-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1836-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-151-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1980-555-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1980-164-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2204-134-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2424-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2796-505-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2796-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2844-154-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2844-99-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/2844-94-0x00000000005F0000-0x0000000000656000-memory.dmp

Filesize
408KB

Download
memory/3376-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3376-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3376-553-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3376-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4092-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4092-552-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4092-31-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4164-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4164-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4164-15-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4436-556-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-165-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4440-160-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4480-1-0x00000000026B0000-0x0000000002716000-memory.dmp

Filesize
408KB

Download
memory/4480-6-0x00000000026B0000-0x0000000002716000-memory.dmp

Filesize
408KB

Download
memory/4480-524-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4480-394-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4480-0-0x0000000000400000-0x0000000000947000-memory.dmp

Filesize
5.3MB

Download
memory/4560-158-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4816-77-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4816-152-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4816-71-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4936-159-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download