d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Size

5.4MB
MD5

97606d332f02ce35dad93e21ddd5e167
SHA1

774b2f67db7eef11aea5ada05659fa20dea0f29a
SHA256

d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489
SHA512

e36e0bd24457e2ea134bc79c227d1a0d41226bb23ea44ea96febc0449f54cb292b5494afe13434c5281269bdff447141fa2775d8bcd219cd099e58705beb1ef9
SSDEEP

98304:xuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0j:o7wq1W6HqULS8djZDTaNNeCKVP5ORsgJ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2524	alg.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
1008	fxssvc.exe
3932	Setup.exe
4888	elevation_service.exe
3056	elevation_service.exe
3596	maintenanceservice.exe
1048	msdtc.exe
3880	OSE.EXE
3340	PerceptionSimulationService.exe
4712	perfhost.exe
2768	locator.exe
3120	SensorDataService.exe
5068	snmptrap.exe
2636	spectrum.exe
1576	ssh-agent.exe
4052	TieringEngineService.exe
4160	AgentService.exe
1156	vds.exe
3448	vssvc.exe
4156	wbengine.exe
2236	WmiApSrv.exe
548	SearchIndexer.exe

Loads dropped DLL 5 IoCs

pid	Process
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\System32\vds.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39707c9c253fadf5.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a4954ad3c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000663167d3c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008962bd3c5cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079116bd4c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f579f1d3c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000501d73d3c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e146a4ccc5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000648056d3c5cdda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c11e9dccc5cdda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
3932	Setup.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeAuditPrivilege	1008	fxssvc.exe
Token: SeRestorePrivilege	4052	TieringEngineService.exe
Token: SeManageVolumePrivilege	4052	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4160	AgentService.exe
Token: SeBackupPrivilege	3448	vssvc.exe
Token: SeRestorePrivilege	3448	vssvc.exe
Token: SeAuditPrivilege	3448	vssvc.exe
Token: SeBackupPrivilege	4156	wbengine.exe
Token: SeRestorePrivilege	4156	wbengine.exe
Token: SeSecurityPrivilege	4156	wbengine.exe
Token: 33	548	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	548	SearchIndexer.exe
Token: SeDebugPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeDebugPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeDebugPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeDebugPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeDebugPrivilege	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
Token: SeDebugPrivilege	2524	alg.exe
Token: SeDebugPrivilege	2524	alg.exe
Token: SeDebugPrivilege	2524	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3932	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe	86
PID 4360 wrote to memory of 3932	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe	86
PID 4360 wrote to memory of 3932	4360	d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe	86
PID 548 wrote to memory of 2256	548	SearchIndexer.exe	112
PID 548 wrote to memory of 2256	548	SearchIndexer.exe	112
PID 548 wrote to memory of 2276	548	SearchIndexer.exe	113
PID 548 wrote to memory of 2276	548	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe
"C:\Users\Admin\AppData\Local\Temp\d00704a825727ffd6d27588e2be455cc4b7778469f3c1bdcc169bec722120489.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360
- \??\c:\a2c4c9f8284461d73fb53b\Setup.exe
  c:\a2c4c9f8284461d73fb53b\Setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1824

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1048

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3120

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2636

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2236

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
37fb59873be21efca630e1a19a786974

SHA1
8fdd4cb919a9a604468a848cb003dbabb46f1de8

SHA256
1e27c88c1ba0e5c94cfce7a50a1791aa576ad6d8f1b79453498ddda8bbe57e48

SHA512
d4d81af1e390c8c056719eab51996184008aab1640647b24ac096f53e9bea0e95cbeee8d0a0c51e04f91ca11399d866cedc9e38fe6da50c781c639d67826e223

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7704e2556e128907e4b7ddcf2ef7d58e

SHA1
ff5c6ec0717fea5e2704dc463d8dbf9ba502bd97

SHA256
5f9d69b0975f3a4389d21fe39b8fa91d037f5f7de0ebcd1ec5563c21c6ca5d89

SHA512
23c8cee8826d6d3c02a4fccc07c51e1ab91dca1759c55b14708eee0bb0c20af5a52e8784e1bda54446c73e04281464e998ddf233c79e2f0b9ff2dde709f4abcc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a492c08fc8c70f2e05911ce6356da76d

SHA1
90af6440fadd54237a6d3be1a9ee85a27ded866c

SHA256
fec53a3353601171829b5341f498549074384eefb0e573afbedaf6d79e4b2bd6

SHA512
e6bc0c995f083b502792060fb1cc5f2d27c40fb982292a27746f09a33b72a0dde5fcc339ec10c783ed0267ab550769ed206ffbfb75700ed45666495e25f87ae2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6fbe73f56cc7524906d372459df1ee8d

SHA1
a5ec208befd8b6bef1988e28c26baf39da098cb6

SHA256
a09fcc2f455f9a5dadef054c111955bf06475dbfea53c7d477dc9f897cf69125

SHA512
cc6a29b99e60812691d7f2bf09db2c27ac61da5d7dd7bc09004b4cf122a05572ccdbd9688b4959513dc930afb6d815f0a83516f7bb59bf6dc1b7a1bcb5352c43

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0c59a072fc3b8ede040d36f5afe913cd

SHA1
84ef968e5b22fe035cb6565ddff1944bf56c24cd

SHA256
b3846b5b4cf79974b4b93a82adc3b6b1491405703b0fda07afe92b45cd88d9e8

SHA512
d61c0cb4da6186858b99ec361d5a893af77e2e47a9c68264614df77ce630bb8488902a2cd59290b3f43607664e251d21a126ced2decefe1e7a0e5a453391bbb2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
128c12b88b53fae44ec9abeff3b5faf2

SHA1
d803510f5240df507a505da24e68a9f9a24bd9e0

SHA256
b1b56d355f64f88edf15a16681402eeeddb59f0e3d24f1cb379adaf4486226a6

SHA512
b93a72982bea54b59bd22e686f07e0a6801b242614dda159443d621a52cd595ac92937b638a428c7eb7d3ad9775ffd763b4625691bf898de2aacd495f54140e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d2cf19e497f0865ff75678ac842b4ecc

SHA1
bc51bc3e09bbb36fc8428c31e6d3a6f68aeb5443

SHA256
fbf5c40250656ab7b540ac19972169e63be0c716e3830821eb3b1902949704e1

SHA512
aa0ef7f91b33c46f735d48bf8f8d43ac740f8e8ba1c183a9259b0045eb8c05ffd686ac553540b61426a1c69138a0398635cbba5dc62dd6f408235bb354f2d3c1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
86033af346bc59cda3a61e3ee83f3acc

SHA1
0b890dd9e18f7f048a388feae20b1351f267d7bf

SHA256
e7038875791449df2846a1c07e01ad4dade7f145b06dc2be72758ff54b3918ca

SHA512
dc02fe3e828e082d53f5e543174171cd59cdb7aacca6c9ac3d66375395570d91ff5653ff0649ff01fb0f2287819b1c2bd965a98cb255968fd8b158d32e12464c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFI48C2.tmp.html

Filesize
17KB

MD5
293a05b6aa873bc97f2e3fdab720e0f5

SHA1
bd4451e28475e6c611ea23ce0e22bc3a870c232d

SHA256
21cd7246ab94089ee54e2acb0d05022313c515626eeea5cf4fdee6693a0af3a3

SHA512
ac24937c62072566c1666f01170f72923ed3506c00d1dfff4a4da9f232d6d89532e8df61328b2248c799349c9c9e8f4bee8b4980a8f293fb26c249ab2bcf22aa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
07e0293f4f0e80c487e634ff982e9cd3

SHA1
49bbb7fbc350451471bbb0d10d9ba4dfc99eca92

SHA256
b4477e79a62e0490860628f78bf7d19dddbb897e991414d5b073b80977c9bb5d

SHA512
d24ffaf7ba0ce8a5fc465cc01a48dd158514148b43e8efeec7f4b49aaf98f16bf530ce33637b85edc15ed8a8b82a97cb995bb8cf2f250c0477ac4ac59fbdcb43

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
86a172f7a783192d2027bd1d299af8c1

SHA1
c1965f93e634f9ad4b123571b892c3c864b80fc9

SHA256
e0535f4b358b9eaa6ab7ae6382f92e6f5788fd62cd8f47f70c1fb7859cc4c281

SHA512
9e2014a1b45203fe8c44088ddad7de4cd7f14ebf755692fef44cc0eb0e64c3f731dd7e5f6ad30fdf20266495fb8df768c3bc75f24b14f28d5caf78e47885e7a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
aa85d562491684574808a7722e55d7fe

SHA1
da7281c1d379deefe4c9816f26bc231593afa8ec

SHA256
a1cecc0323e930a3db0ea4d0d40099e4f4f54b7b118c2b9e85109b8ea2fd09f7

SHA512
0d17ceca22b5c71b427f48aed3fef539ac6089f6d396d4820e100cd3e12b547cb1d83c8c010265bdc11091b35cca539fb5b70f778ed73d94c44d1ea377e3dc2c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b69a7597e3dbb78df88106554911dcce

SHA1
59cabbb930d2d8bad5184f86748b436aa917d268

SHA256
9b7e8577b1f921385d087ddf8bec1816f9f6b1aef473491ad7bf53503c799b65

SHA512
25ca0a1d96293a631b416692e61ef42f278138c989786d71d3d82540c8a4f1e769918c21020acd5aa368420fcfb6b6d8016a46d4c11f5286abec2949d96bd2c9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8a190c1cbbe2b4320f11ff65cdeb0b3c

SHA1
db2792d45e52b49a7bfeeb80257b45fe47bd6828

SHA256
71c19c3f47656cfc2dbdd972cd841a0db3b40725888f800905b965333fb5d6f3

SHA512
69bbc5ae182812b3110e235844c83eeba627b998d0ec5d578807e3c2437ba5e253fc2b863ca257f4f7d37f61a893a2564ad02f71f8c0d86a1d7dc6311a6bacc9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5b3eb92b4564330a64cb656afa034888

SHA1
0820798837d329894481edc1c73daa183b89cd50

SHA256
eef8f04f102a347d123acc8c74da51c91e05687ce06ce75c5719731b02aea652

SHA512
faf4e0d33bacaba23a98f8043f5d501dee6797f33dd4c7e107993dbf4fafcaad958466061ccbe377e14645c6c34ac6c87948f16fb43a3bf3a67364557268a4ab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bb792af4e423f85215f85ecf978b8499

SHA1
11516b366e9b62cde6b0873937367c5f69db4a05

SHA256
2b7fc6d611360f419ff9e40984247b177128c70375096de3ab7263756c3d2afc

SHA512
1e9d5acb347d7fda18f14f1da894ed985d18a9a1784abd2736cba78cb6e74839749e43de155f04ac66f54091a944acbbebd3d4a15a33cba1dbcd75f8bb4ca97e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aff2d7724f6bc3b948f8d3b0ae36be3a

SHA1
a3b5cf4a00a9c36447662703148f0ab21f74ad74

SHA256
3d0d549db4e80aac8edff38eea0f3b8c080004f6a5e0d99c1f5b533f125d8262

SHA512
29a11d4860b4a5d6138b2c25b2f5e7cce124686dc5cb613250072f7f31b72edb3b861dcef5f7b5e8db7a99b10aab3a5dc0d35e8f5500f24d9fca34727ba62027

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
60d451844913db9ea40181da63754bc7

SHA1
dfb9f96d6d808c7ef42df71a2040a576a5ba1814

SHA256
ae2130654ad842396d8b9a5c730b016173290f512ddfbb7b0dfa853e1acc368e

SHA512
36ff4bb8c40a94c68880f49eacb06521b8b5acb32bf1e79645a0554005f1e5a2dc674635362598920789d391731fb24ac128099298af9753b269620a29447470

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
80f899e2b14639f47799f7b9ff39b1ee

SHA1
a4836e3877c29365875eb03f7d4a7da0be9345b8

SHA256
de13c6efd48f5fa48a2a581b9fda299e0fcd186c73bdbb67f5107cae079517a3

SHA512
5fe60dbdc3611313315cf6e80db233e9335ef1b8433956ea17778781ff75c8ce814380988fe6f381ee9c5374117f8a140f5ad69510b2eec1294b90b83f298aa0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
107ef23e44ef5add8276a3be70f2ab49

SHA1
1653214aff399e381ad69a7aad2076ad7f9f6bf8

SHA256
88ba77e231f0e1785a9f98cfb708b3c6c369c78e50a35687b01aa91cbb229652

SHA512
7c8d912cb9ad7df2dd639af220e792d2734f1db2ef8b83c7c546ab099cf1563c2bc29935ebc223e95b363c3160841342076941abf7fdc1cfc8121b2bcb717f31

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f1e10407a1c28d64a3c9651a03719202

SHA1
1808955edabdf5739c9061f8757ab3346f00cfb4

SHA256
ba9185b5ace0a2cce3a11396cce4d3d5da7923966954dba6d88db0934010d0ac

SHA512
75db4b34697ffcaf09966cbe6615d69c29b8405d30706c69b0d3937c955382d1609e749484d2aed77426a3a3a3c6c51cec65bcce2119b1e9ef03bf1e0107c44d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4a4a9072ae474b00de4f6394930abeb3

SHA1
85538c8165ecc368b14441e299832b10217da55a

SHA256
7cf6940c460fcfcf0c4fc44f4c6cbd517246a6602cb3c082ee31b28dd28c0e64

SHA512
1e8b30b17af52bfb9a458b6ac79e848268360af9ee7d939c2aee925f1ead852f3cf46305010caba5067d69e54caac6aada179f60af7b7e463307626e48bfaf02

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
cad4db914ede5faf31ccf8820e098775

SHA1
38335dd1007e6f573732f91990f8dcf4dad6d1dc

SHA256
3ea65c91faeb1370f7f83e14f4cdacce0b9a95ae595e112c5568b9b50844b4e5

SHA512
416cf4eee8bc2f1518fe62c851cbf995178db7f23e18eaa6b629e5a3f0d9ecc454320586ce41e7d19bd78aae8faabd7b40e2f6daa0abf5d363c1728707eae694

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f1a01aedcd6ba02ac5289c070f05c5c8

SHA1
fa13dd3d7cd411074cf583d65c933de47a3de6bf

SHA256
a4e59fb5b6a0f4c3f524265b8d59f62e41da7a9e6ebd2d8762d07a9af36df60f

SHA512
81181115b6c55ee8eea3552fd44ce66a5e8bc6c883c2362027b7eaef748f36242f7a22a7e6a9d0fd1b463ac488e9f3cff77f2f3d699d728042ac70d87c98b70e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e7f3b8234cad9f6ecdc5bfe70b98a989

SHA1
c672979ee797ea21896f8d09af10f5707bf539a5

SHA256
c8d99e14c9028c932b5ee29e7a2eefeeeb6c8cea011db3a9162f67a6d5cedd13

SHA512
a3b32e32fc5dc1f23b03f966ff7028caeeffd386b7b3a5f07fad579a6eec463ac2d2cca6b7311dbd4ddcaeb46a3374930078c3ff291b6988bb3665a984e4c13b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7379af59b1d7484a9ac8986e2a277de1

SHA1
0c1876c5f56fcb5e13c19e8261b75b438f9f13ba

SHA256
d99b201bc1de8b504c04451fea0231ab89622bf43a439eaa87094e0f2841d4af

SHA512
d2a9ac352a0b1a0e5e02ee7961e094b197190cce0a65ef8a5eed2e686f21b0292613703925641848adac490e40da02009c586950f1dbb16f7d954ffcbc455a8f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c54a9cc208e52c8d764a2087d6c43191

SHA1
c5d736edd21989fc62cfaa466a03102897641165

SHA256
930752a0251423797706d583e92e797c48d55974fa24a5605089901a431153f8

SHA512
39ea6fa4210aada072885cc496d2d1a9dea081fe5a5dd11465f939b933ea2d8f4438e2e95407adea8fadfedd156b0178f9961b95298a77b54625638bd80b0a7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0748c62b60127f5926dc8a661483a8e9

SHA1
9bf7d8bea4c48cec1d8a726f3d6141a55ad3f0ce

SHA256
d1fb461fbb2f106a01f18ae8a923f2d0bbffb1789b9018751cc235a854711c51

SHA512
aff9e9b3bf791b6a435d00eebed0768aaeef7a6a00344fcc05b63adebea60e2045d62624955e900f87ffb646908ad3084390bb6ad35ff177dc7deeb0c6585f57

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
bd95b9e414e6ef68ca52f6345235e8b9

SHA1
e43d970897b447bd140ba76336e8e5f225dfa5b8

SHA256
24be147c6c0312fa4cf55d704855707a27fd1a2df08e69667393bd021dc50777

SHA512
44826e42912d5be93c8ef07ca3571de77d3d788e95c9c67cd9e42d2027a56160165a240b6dc78ecd5a958f09e4ceb3359debb7c28f9e6f176ebec0bdd6d7fc55

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
b507427198e28b4d824cdbd02396d0cb

SHA1
41b8d8682d6dd407bd90d9b45af461ebd8a67513

SHA256
2470f3c395673f2517d99953828fb24dd760ace7f03fdbde9d49b97c00be00d1

SHA512
4f34e2c92392cf1b6586d911b75eb687d29fc77607a87810a6f5451974b95cb434d69efa8e5b6aa13af4b055733f74b025b3c8391e3d4e849cce886677cacaeb

Download Submit
C:\a2c4c9f8284461d73fb53b\1033\SetupResources.dll

Filesize
16KB

MD5
9547d24ac04b4d0d1dbf84f74f54faf7

SHA1
71af6001c931c3de7c98ddc337d89ab133fe48bb

SHA256
36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34

SHA512
8b6048f4185a711567679e2de4789407077ce5bfe72102d3cb1f23051b8d3e6bfd5886c801d85b4e62f467dd12da1c79026a4bc20b17f54c693b2f24e499d40f

Download Submit
C:\a2c4c9f8284461d73fb53b\SetupEngine.dll

Filesize
788KB

MD5
84c1daf5f30ff99895ecab3a55354bcf

SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a

SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd

SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3

Download Submit
C:\a2c4c9f8284461d73fb53b\SetupUi.dll

Filesize
288KB

MD5
eb881e3dddc84b20bd92abcec444455f

SHA1
e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1

SHA256
11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7

SHA512
5750cec73b36a3f19bfb055f880f3b6498a7ae589017333f6272d26f1c72c6f475a3308826268a098372bbb096b43fbd1e06e93eecc0a81046668228bc179a75

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1028\LocalizedData.xml

Filesize
29KB

MD5
7fc06a77d9aafca9fb19fafa0f919100

SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41

SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a

SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1031\LocalizedData.xml

Filesize
40KB

MD5
b83c3803712e61811c438f6e98790369

SHA1
61a0bc59388786ced045acd82621bee8578cae5a

SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6

SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1033\LocalizedData.xml

Filesize
38KB

MD5
d642e322d1e8b739510ca540f8e779f9

SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c

SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9

SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1036\LocalizedData.xml

Filesize
40KB

MD5
e382abc19294f779d2833287242e7bc6

SHA1
1ceae32d6b24a3832f9244f5791382865b668a72

SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf

SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1040\LocalizedData.xml

Filesize
39KB

MD5
0af948fe4142e34092f9dd47a4b8c275

SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa

SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248

SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1041\LocalizedData.xml

Filesize
33KB

MD5
7fcfbc308b0c42dcbd8365ba62bada05

SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9

SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2

SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1042\LocalizedData.xml

Filesize
32KB

MD5
71dfd70ae141f1d5c1366cb661b354b2

SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776

SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331

SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\1049\LocalizedData.xml

Filesize
39KB

MD5
0eeb554d0b9f9fcdb22401e2532e9cd0

SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8

SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c

SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\2052\LocalizedData.xml

Filesize
30KB

MD5
52b1dc12ce4153aa759fb3bbe04d01fc

SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba

SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3

SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\3082\LocalizedData.xml

Filesize
39KB

MD5
5397a12d466d55d566b4209e0e4f92d3

SHA1
fcffd8961fb487995543fc173521fdf5df6e243b

SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89

SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\ParameterInfo.xml

Filesize
8KB

MD5
66590f13f4c9ba563a9180bdf25a5b80

SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906

SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f

SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\Setup.exe

Filesize
76KB

MD5
006f8a615020a4a17f5e63801485df46

SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea

SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be

SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\SetupUi.xsd

Filesize
29KB

MD5
2fadd9e618eff8175f2a6e8b95c0cacc

SHA1
9ab1710a217d15b192188b19467932d947b0a4f8

SHA256
222211e8f512edf97d78bc93e1f271c922d5e91fa899e092b4a096776a704093

SHA512
a3a934a8572ff9208d38cf381649bd83de227c44b735489fd2a9dc5a636ead9bb62459c9460ee53f61f0587a494877cd3a3c2611997be563f3137f8236ffc4ca

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\Strings.xml

Filesize
13KB

MD5
332adf643747297b9bfa9527eaefe084

SHA1
670f933d778eca39938a515a39106551185205e9

SHA256
e49545feeae22198728ad04236e31e02035af7cc4d68e10cbecffd08669cbeca

SHA512
bea95ce35c4c37b4b2e36cc1e81fc297cc4a8e17b93f10423a02b015ddb593064541b5eb7003560fbeee512ed52869a113a6fb439c1133af01f884a0db0344b0

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\UiInfo.xml

Filesize
35KB

MD5
812f8d2e53f076366fa3a214bb4cf558

SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0

SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283

SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\graphics\print.ico

Filesize
1KB

MD5
7e55ddc6d611176e697d01c90a1212cf

SHA1
e2620da05b8e4e2360da579a7be32c1b225deb1b

SHA256
ff542e32330b123486797b410621e19eafb39df3997e14701afa4c22096520ed

SHA512
283d381aa396820b7e15768b20099d67688da1f6315ec9f7938c2fcc3167777502cded0d1beddf015a34cc4e5d045bcb665ffd28ba2fbb6faf50fdd38b31d16e

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\graphics\save.ico

Filesize
1KB

MD5
7d62e82d960a938c98da02b1d5201bd5

SHA1
194e96b0440bf8631887e5e9d3cc485f8e90fbf5

SHA256
ae041c8764f56fd89277b34982145d16fc59a4754d261c861b19371c3271c6e5

SHA512
ab06b2605f0c1f6b71ef69563c0c977d06c6ea84d58ef7f2baecba566d6037d1458c2b58e6bfd70ddef47dccbdea6d9c2f2e46dea67ea9e92457f754d7042f67

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\graphics\setup.ico

Filesize
35KB

MD5
3d25d679e0ff0b8c94273dcd8b07049d

SHA1
a517fc5e96bc68a02a44093673ee7e076ad57308

SHA256
288e9ad8f0201e45bc187839f15aca79d6b9f76a7d3c9274c80f5d4a4c219c0f

SHA512
3bde668004ca7e28390862d0ae9903c756c16255bdbb3f7e73a5b093ce6a57a3165d6797b0a643b254493149231aca7f7f03e0af15a0cbe28aff02f0071ec255

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\graphics\stop.ico

Filesize
9KB

MD5
5dfa8d3abcf4962d9ec41cfc7c0f75e3

SHA1
4196b0878c6c66b6fa260ab765a0e79f7aec0d24

SHA256
b499e1b21091b539d4906e45b6fdf490d5445256b72871aece2f5b2562c11793

SHA512
69a13d4348384f134ba93c9a846c6760b342e3a7a2e9df9c7062088105ac0b77b8a524f179efb1724c0ce168e01ba8bb46f2d6fae39cabe32cab9a34fc293e4a

Download Submit
\??\c:\a2c4c9f8284461d73fb53b\sqmapi.dll

Filesize
141KB

MD5
3f0363b40376047eff6a9b97d633b750

SHA1
4eaf6650eca5ce931ee771181b04263c536a948b

SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c

SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8

Download Submit
memory/548-731-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/548-373-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1008-164-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1008-166-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1008-103-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1008-109-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1008-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1048-196-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1048-171-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1156-325-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1156-612-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1576-280-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1576-578-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2236-730-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2236-360-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2524-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2524-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2524-20-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2524-223-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2636-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2636-275-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2768-359-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/2768-240-0x0000000140000000-0x00000001401D8000-memory.dmp

Filesize
1.8MB

Download
memory/3056-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3056-279-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-142-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3120-574-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3120-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3120-252-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3340-328-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3340-221-0x0000000140000000-0x00000001401EE000-memory.dmp

Filesize
1.9MB

Download
memory/3448-725-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3448-329-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3596-169-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3596-161-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3596-155-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3596-149-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3596-167-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3880-202-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/3880-324-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/4052-291-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/4052-579-0x0000000140000000-0x0000000140225000-memory.dmp

Filesize
2.1MB

Download
memory/4156-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4156-728-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4160-302-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4160-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4360-0-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/4360-7-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/4360-193-0x0000000001000000-0x000000000157C000-memory.dmp

Filesize
5.5MB

Download
memory/4360-8-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/4712-224-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/4888-124-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4888-117-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-118-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/4888-266-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5068-497-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/5068-263-0x0000000140000000-0x00000001401D9000-memory.dmp

Filesize
1.8MB

Download
memory/5072-46-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/5072-27-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5072-231-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download