f15c69823a60162af9d6ba8c9fd851912e4ddfae19658aa65f4d731bde90917e

Analysis

max time kernel
119s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cea7e2067db07b510e254551a8964a10_exe64.exe
Size

2.0MB
MD5

cea7e2067db07b510e254551a8964a10
SHA1

d2b4d1b051fe1a1886dda8efabd58a6333088152
SHA256

f15c69823a60162af9d6ba8c9fd851912e4ddfae19658aa65f4d731bde90917e
SHA512

e7406dbf878d89f0a76a2c253ef60db5e04ac616cb1ecb89e2d10a9b5ace5bb07c33b479cd5c89d0acc09c39ac6ca08739d7381d5a7f19ed7cf7595dc1e20751
SSDEEP

49152:SLbYI4I0bVKBUhx8CRSrzQ8vbeKgSRpXxmDYeQeaUx7qE7YPRVlbnXf9gPTTW7H/:iYZkBU6ZvCK/phm8eQN8cRVlbnP9WXWz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4480	alg.exe
688	elevation_service.exe
2032	elevation_service.exe
2816	maintenanceservice.exe
4152	OSE.EXE
228	DiagnosticsHub.StandardCollector.Service.exe
2472	fxssvc.exe
4516	msdtc.exe
2816	PerceptionSimulationService.exe
1784	perfhost.exe
4752	locator.exe
2860	SensorDataService.exe
4176	snmptrap.exe
3380	spectrum.exe
2428	ssh-agent.exe
4688	TieringEngineService.exe
4260	AgentService.exe
4264	vds.exe
4668	vssvc.exe
1444	wbengine.exe
3916	WmiApSrv.exe
3828	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\695ec9634ed6cb1a.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	cea7e2067db07b510e254551a8964a10_exe64.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4960	cea7e2067db07b510e254551a8964a10_exe64.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeTakeOwnershipPrivilege	688	elevation_service.exe
Token: SeAuditPrivilege	2472	fxssvc.exe
Token: SeRestorePrivilege	4688	TieringEngineService.exe
Token: SeManageVolumePrivilege	4688	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4260	AgentService.exe
Token: SeBackupPrivilege	4668	vssvc.exe
Token: SeRestorePrivilege	4668	vssvc.exe
Token: SeAuditPrivilege	4668	vssvc.exe
Token: SeBackupPrivilege	1444	wbengine.exe
Token: SeRestorePrivilege	1444	wbengine.exe
Token: SeSecurityPrivilege	1444	wbengine.exe
Token: 33	3828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 3724	3828	SearchIndexer.exe	124
PID 3828 wrote to memory of 3724	3828	SearchIndexer.exe	124
PID 3828 wrote to memory of 1644	3828	SearchIndexer.exe	125
PID 3828 wrote to memory of 1644	3828	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cea7e2067db07b510e254551a8964a10_exe64.exe
"C:\Users\Admin\AppData\Local\Temp\cea7e2067db07b510e254551a8964a10_exe64.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2816

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1360

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4752

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2860

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3380

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2552

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3724
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
de43e62440a45335b1710a88fa3c536b

SHA1
c3c7dfb0284953a3a619528fbd9f9a66422b19a2

SHA256
2dfa9462f711bcd7c301c2ab8f0c8283ae9da5728fd1c1c492a0d4426ecc1510

SHA512
f66d5e821321bdda6ab4b89724db0151695b73aebd9fb273cf13cd801925ebd0df87108d2677aee4d9e6ab6653158635514547fe44743d21d3e5e60146dc4ba7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7814d774d6cf08b49be7e15af1d3c5d7

SHA1
d03b6801a9dff50e30fb632bfbec93f198838a7b

SHA256
86620ffe29ba64068ff409220a511a764b6c64c745797c84d04f30854145550c

SHA512
d97bc86a114010ff6e436c2078972a4fa5d3823582d87523c5e7837cf2d7509df1f75b02c6e8096507bdd032ff413bba40122d6ea1bb71085d7b93a2c6072cb0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7814d774d6cf08b49be7e15af1d3c5d7

SHA1
d03b6801a9dff50e30fb632bfbec93f198838a7b

SHA256
86620ffe29ba64068ff409220a511a764b6c64c745797c84d04f30854145550c

SHA512
d97bc86a114010ff6e436c2078972a4fa5d3823582d87523c5e7837cf2d7509df1f75b02c6e8096507bdd032ff413bba40122d6ea1bb71085d7b93a2c6072cb0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
fafbaa9f6625d0970419d7196b3a6f4f

SHA1
b577d54653d2a77058d988429940425ac6bd9b11

SHA256
6a292086aaf15eb66c214e560219f0ad6e74ed3ba8b1dc1d7d15706c82124ff4

SHA512
2713166a531d566ea7f4b5c0ff529c2eed99143483aec76d6eaa6172d7377fe37e84b0ffa721c93c18322def3ef704e608c368837516d1be3f98c4f73d090c21

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
fa247f48cffc3d8e1fa04e3d1fc6bbc7

SHA1
cc7890552de37beb1bc3f9ddbb5df1807f0f87bd

SHA256
47f811d6495f3c9f595143ac87a2728e76d44774eda31e2d641cee7598bd5e9d

SHA512
7744c6128298a025f1dedd0637ec33a96275ade73514c7d56ca8302a9160dce22e743099d6022365b52dde988a347ad70d3b851e2ddfc54a787f173a85eba206

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
952f9bb918affc0f161269c5611eba67

SHA1
7c3ff90aa27c474eb52af57401ee4cf2c21dbe59

SHA256
5ff8fe69e2295c1e15984dd94d8cd0befdebccc2c02e94671a5c09fe20412c5c

SHA512
0e9feb77c25e18fcbd0caf420fe577a5c8660d0fb7f6afd932738d71a0ffb2e9450df21890e7833f79c5ddbb04505ebf654585e06fee80e8dd5fc99d5f9a9684

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0b02b02a964783135623222c090879af

SHA1
1ad01bf9708c8d3183f84eef4a8f01093133b253

SHA256
c557338aaa673e0622935367d4779ca231b6a1fa8f6cd5a5179a0c0ea0ae89f2

SHA512
6b2c3c5ebf3696468acd02044bc9a04443dc653f338356031c4d5168e0366a83b85cfbfdf3fdbe2ad979cdae936846570e6fb2355d6be9acc4378649a95c9eb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
a3f32f130618caa48c116bda15972a7b

SHA1
39a4e0be6ec5c0cd84dd9ecd6ad3babf9d756598

SHA256
b210305ed83e2eccd4d0c0b8f67fbf3af0fc7406cfba876e56a7a645ffc4a2cb

SHA512
fc10edb3cb2a7ab7822e4ecbe548dc66669e270403f3e124daa7eb56180126171fd7ee19f384ef4cb5b1a7c44cf337eb53fea8c1c613a6b88f52ca2ab5aaee8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
422e4a966b97f363bc09bb9fa2b6f1b8

SHA1
937ae84be7d4edcd4d7912961a5d587081ec0626

SHA256
9aef2213b348e3dfcdf6a802397b2266d8d5ebd765e42b4fcd32cbd3b29a3e04

SHA512
c4495151b4c4ff56b9e333d0e18ad003e312d028e57bcc23768d36996a83e96bd1ce67804056a7c5d09be2c41ea9c13e52f555acda3ad9e2d0edcd14d1b5d96a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6dd80bdce681a4a5c403b5d02fa37b9c

SHA1
fe02e6c6432b6204826fbca1ead25af7db2cfb79

SHA256
71423f58c6bdb1340d14037fb9c83f4367ba26c760c71f378221de4bd6c52c36

SHA512
4b82cb8c42dd6efb7fd77fcff3ba30c969b5a859ec6f715a61faea7c37bd97cc2dd9591b517f39b1d0189d11d8099576fdb70269601326d3d81306362f8e1599

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
34794931320c9bda71486be2171d07b2

SHA1
e5c2ef0808cb044b0afe1f5021ca09f0e3afa190

SHA256
796a22563977cec48d1c5406f662c5f52e6a07b25f16b6dc3a907f55c495af3d

SHA512
d0a12759260eab95bd56e7d407b98e5ef9e52d3414c813f51f68b9cfce222bf6772c76da5e9883ee001d709322024fe81ef307ea3650d0839f37fc46d61e26a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
229d474e2dbe4f5fd04a8450a725187d

SHA1
61000cc34c889153d78087e69a58e71d5518f8aa

SHA256
8149d0c4733141f0739b1a7ec4b2ccb57049c7b99d2fe85fca560424621a794d

SHA512
3e055e783602d6ca46c09e5b75a2a2d4109bfab51abba3640c5f8a0bb5c329a6bc5a71af7e486eeb603be5e9510601015f0a52a85bb6d005c24218483af0f0d2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c41594c779d433733610db1e2934c53

SHA1
6dcbb3e2d3e380ae91bbc6ea750908b7adf35205

SHA256
4f1642a7de6e6aee3e71b9065ffe02a146e2996d7af9b67bceff947c157ae732

SHA512
8e2a04f09eb2d8f15fdfebafd7d48b44f0d95bb9ed2ca94f40d07bc8af9004450b58a19e7a965eae281b559f84f6156e8a450ec91cb7d57a3f132490440ccb6a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
cd850caae33955e9078eee14074ca333

SHA1
716abdbd167c12c9a78f381ea93a6349d78f5c9c

SHA256
1deacfef5c9fa01d14a0d9d288ba56c1c3d9385194f0aa5edf3f0602f371da5f

SHA512
e8ad457817d62e2e3e353b27b490a145475dde35f0fed452e783277834fd2aadbc17cf62a150fb0fb234113cdfcf123be019c923500cae6366d6da321480384c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
9134d0c5f2ee9099b2c16073ba026fe2

SHA1
e36f723933a1d7807f6a6aac4ba65bc0b149cf97

SHA256
c2aa62d4633d17dd42e5937d7db569eb92012c6f031a28e5f4ff46076a83f77e

SHA512
326bf870f7a34af9f10f486fbb1a89adf75eb24073770bcaf3aefd23c1652cba2259fe7d7032e4e76a615b02f36a78a2019335cbd22d361911a82155e153b751

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
dfb66d1856e4be11e9d8aa557ecb3ee9

SHA1
b6e378f86d46388292764057452c5797897b7851

SHA256
cab9661b575013f12b6f9334cc7b65007a4edbe937198d9f234090db691dea3d

SHA512
11d24a6a31ad0f237c71100761cf18926b8f142901b896c3404bda1a64bfe1c0945ed61eca505bcdc31510ded92e4bd7320265c10eeef626d3a48b28b499cf50

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cc774d5cb2b60ba775f6284897f7ae44

SHA1
79e6067c05338fffc1448679c4303f7b04419392

SHA256
891f8258e86fa6956fc55fce43cd779ab31139d0fa714bad18a129b18134b225

SHA512
e64ab0bfa9875592afba0f5f7c7d14b3ae38c06dea7e7db1200581cc4fbc7dd9b99d0875786f59c413d778d937aadcd398f7d8b12aa151c20b1c30f5b3fb6ced

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f912b9518e74bfa9b2e4b2031bf07498

SHA1
861cf149bbbfea3046a1caa75afcd37508ef3f1b

SHA256
ef7e6bbb8361c5cd2a46464a67a03b176f8905fafee8774e5a0fe9ce8fe130ed

SHA512
c2b8aec8786438e91f954febcd40f9624c0b420a8324db0d1c397a2cc47b25eaa77fe7f71d11f34017806a5686a19e470aa5de3524f0720fef6ed4821072224b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
05ca85663789388edcd9b72fdce51e55

SHA1
a8b5f4248297cb1dfbab1a7dcecb5842b6eeac42

SHA256
4372549f36ae13c8007f57a8ce73cfcc54b91a151014aaf1fc05075f33492993

SHA512
2cca9c2cca91b90b8e9c358bbbbd355f573918fb04107b88a8cdd91deb9e8da61fe3c91e1002c865957e798b8d26b23d9f0b3266174060a9f85c9eeade53a1cf

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
33b3df405a083f56ccbb222ea2aea4ba

SHA1
d9e135cdb26436f4f48b2e51d2c99cc74dfb057b

SHA256
3ede7ef62607851c22eb3e52aff571d4569cf01592309949292e75825bedf18c

SHA512
b25d8c420c55dc936411697e8c16be9890c0d6aab915bb397ccccb4020a9b6e56bf520eb23d1b66806a55e5276b7dcee12b4b4490b8265475863c0efa372ac19

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
c07f15a592b70179d5d0b77b44f33391

SHA1
52393015bc448ac6f4ab04188e080870880d7f8a

SHA256
81c9b33133f19d9bc0ecc472f5dd27bffb9ae2cdfae99da1e997f0263254e72c

SHA512
17848a66f8eb31a2945e920f538c066512aeb2d030b7c6078d177170f8b3446ea47fd1727814a28736f1f1cebbdc48fbaa0752c09d81239e4f5a2426569210f0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
16f8af076e1f09fd4b2b5a6287ccb45e

SHA1
74cb32329f766b3991032ab1ce4cb69d4012c948

SHA256
6833ab5c2d4874dbda011563c02f81e5966db33dc7ea6476838439796dd67646

SHA512
98d2fa44785be9781a5bc551fef8528cafa6abd0ab16f75701f1f3e7b5e1e81b25f7a33edc60fc78c1f8f462344e0e6e8f75f67f764091c53fdcd1bbcf90d454

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
52ec619120f097f7ece656d1b32a726c

SHA1
58fb77e2b5280ba0b8483950b93a72c278fc5972

SHA256
0bf15713988922363f47df00b7afbda6f2888b26c18c45a4982a0c8559fa2018

SHA512
5419b79fd1334d9febd4ba96fb5ccfe03a1a7fa60833d1ffc0b9d76713b93bc4733dc93d35161617b899675ab1b49a6fe70637a67ff1554772c6cb2a3728bad0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
d69cc35f60ed97edf2ed9a40fe8abfa6

SHA1
acd204d3213882a298e294499f1b5c03833e013d

SHA256
0ffb77009cded945331c27b16ea4f5156554e7e74c8e856e03d53277ff8f828a

SHA512
81d1d06630920a9128b6c4554c43ddea4ed7e4ebb0b9a1dcf56627c1b29c50a4523fefc6eb739b4ec368b5f386fdfec5e40c8709c658a2134f53b30509ee2368

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.2MB

MD5
d869e715555fe153dcba587ac8811521

SHA1
d7839e15ce0cd288f5db03322b0e70e2ac2dd37c

SHA256
134bbe5bd085b330110790b6163176e850ee9f42760b4d3d4639bc80b5422228

SHA512
00b020b7a97ebb23d590d5126f93ad0d74db421c0bfcaa2d2a1f8bcd3454d8e00186462d5f7cc6019b252fe7bd161ad79fc9df93acad3ed46e8bb0cb9f0b3b53

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
2541f0f0af5b0bdf33c4a944dc6bb4c8

SHA1
fdce14467e1faddcfbf417bc3e75708b4cda9ec1

SHA256
3bc9538ce0fe4979bd9e2920d3dde231caa5f52d94fe2f2b1f2611526ee112fc

SHA512
2e4df197f5a0df354bdabb91c3d59eb1ee25f3e3b4623538936ba33a4057d727659a93b49dd68c1281311bffd38407bf308d22bc8aaea5b563d78702b1ac95e9

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
2cac2a6ae8af366eede767d9b0a94e48

SHA1
3d41457b372ec2418132c577489d75eef26e0f6d

SHA256
cc65f1f17a5de8535d292adf4925c66047cc620bd039ec812d3bd961e6a13f01

SHA512
c32826fc479ad4d4262046cce87219bddacdc4469fd48a7457050bf11189175c1ea750ab4ae182efa75b9edacad0459c389cac4f2a11adbc15a787100ef67daf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
cdcf370b1047239b51a97d146898f24f

SHA1
58a15d18452035f992846626aee099e9e4c63844

SHA256
837e78976fd180326ce99f641d73dfd1d9a8ea67606a249016e3145acd46c6e7

SHA512
0eec589576bc3f0b6277ed1981ae1bda030aadc31e3dec1b83d9587895d03574d25b9d5fb7f8826dd5df0dd7674029838b1d8c1ba40bb8385c47c661f4c73800

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.3MB

MD5
c6e765e2e9f0b3cd89909cedf241f3af

SHA1
78fb9a0bbcc6170165692e5f8e56e3c2668e33e4

SHA256
0b8c21f1c8c58a9a4012c3e9947ba614e6a3b997116d06172fa4a1f7f7f3bd12

SHA512
ae2466d81d6020e80e2375f974837df318b5ed9f6485a4b25c6ac7ec4cbf41a9b17dbacc09853466f94e2824d3a097c93a3edcd8483dcda5205bb5b1008a9561

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
27b88ad53463e20f335059d811fef174

SHA1
43715a1c6f86659eeb843b818442d00370436403

SHA256
ada484074b7d16c14cbcd9328d745f9707438b20a78df4578febff714523593c

SHA512
21992d1918d4f54f2abb0aa63255bc98fbb7076bfa1a113309e9835ae9263de8d0fedddd878a97b154d94c3735bcca0523d627eb4925fefec8350a200df6e7a7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
270f1ff6a7c0cb32d95b9fb39e32782e

SHA1
1634ae976d914a3d39ef8f454fbfa0903fd79458

SHA256
22f4b2b1aea4cd754866a23147d1c255bbb3b09e340721c858d95a57a89709a3

SHA512
fe4f03e6524955262169d1e385a6b375161e48f495da48617a550501ade360c65cca7456f93b6f7be91d14ac280baf684fb8643d178535b023d7d7b6f40dd1a1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
69c4dbd771eb6b63afbc26ef73e47e86

SHA1
d54257b70b5afb4b3acf790d4d9b41a3b86ba95b

SHA256
6a36961147707d55fd6ae93882938994b0fc38bec78df65d1007ab8b29a3d0f5

SHA512
a517a3fa89bd1aa401380666769c310df159a728e6a292106133690b6a0788461a2644d88f8b0459a55d5bab6a75622fbc2c5704cfbaa02a04f680d190b0544b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
ac9eb8cf52c5802dfef63331087014c4

SHA1
9df80dd0a85f285a031ddfe7fac7af1ec85a2072

SHA256
fcbb07fa1ac82e07c395265992c10a18c0a164910036ae7a7054f136316e86c1

SHA512
1e359efa6eb9af925658a70e9376ea8c10a053232b81d06d25fa9172961c1c7a68ce1ff2f58da58d9d62f1e5f68079968a6693bccfd367d04d2b27574036d587

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
246246fe883943c44274ad0cae69b26e

SHA1
c3289e20fcac3966a03ec65ec74ce0879faa3433

SHA256
bf1bb5f4546bdcbf27dcfe2deab2acbd17de45a93786086104b6d8f643052338

SHA512
105bf598d0d706b38cfc7ea0fdde8cd619fd440f3b22a00a8f7428176d4cfe6c410b455daa70888fd4f4e2d9a6e49b6b2edb83eb2f74c6b108adb00c6fc82cdf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
5e92ce484d22f73fc9e1877d5b57c2d4

SHA1
9284d80bce26e17fff093e09d0394a83dea978c5

SHA256
09cb3b86faccbd1421c7dda5247c83cd84cd0cf113aff0f27e960bd0d6c1ca63

SHA512
a5844c4e88bba3ada967583da2e573dd466b34f49217223dca1ac5b88114f788e1088dfe8f765e648bf720575fe44f86a4d7239b06155367f98e79b2b6252b79

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.3MB

MD5
48afc2ddf7c5e60cbf5ac2a4fd8abb8c

SHA1
936001e1de0fe7e85cdd9961412cc6335c640aea

SHA256
ee43bcea87cf642d3a3028c31ddb9b07c62e123d9d88a9cb4a0ab8ed8812c626

SHA512
1272f7022ebd1b19e5eed3e2748893d519fa91836a0a65327965e1a2d59cfc2a0d2b4e932bb8cb837b1eb50dbba677d0201e8b24602b87c36a37629a1cba9473

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
e425f77d4186909b386b8761b8b95a87

SHA1
f79cefb8705f0c83a053042881eec98bee902d61

SHA256
17b940447f7bac09cb13611951d239909d3317cd0606f833db752e9496acc60a

SHA512
e1c3ffe441a4b04ac9e04e9e712f8198f7bf15271e3fdfb0ef60716c6dce38941c6b72bbf97a4bbb4a4a4fd09ed3fdff0d14678b54e6130ba803589e0d922a89

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.2MB

MD5
d5d38bfa54aaebe604f244f333c9b284

SHA1
bb5fcb1072619d636093e4104f2044ae8cf1edf2

SHA256
b25f58c0b59a3bc87263bf614ece2ab2c94be160a02bbeab59b047186cbfc6a7

SHA512
c52272f934aaba3e1e6f8750e0d0ebed829719afc344aa37110e2fbedf0300d699c4bcbd93048aeaac844f7ed7ce010387dac7bb788cb386d38a9458868c4034

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
1.2MB

MD5
9db7a2134f7ceb9366bbb3db9fe6c439

SHA1
1e2c9499588975b7e2f121bf054b911110bcb058

SHA256
ae661b6ddf9200ecaab5a76ccea41ffa8e30d323b54955431e9cbe95a6a43016

SHA512
9045dc45dd1c1df02717ab7ef8e27633fe9a3f99f26611318f036600b643a85cb6fd600e48d0c3436b4c9e5d311ed8d3077851f7886c2f4729db3cb8a9b46f58

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe

Filesize
1.2MB

MD5
8b74ec483024dfa6d4016f4ec3e21958

SHA1
05953842a0926fb12ddc1a35c7097601c8727e36

SHA256
633bf7f806356a97186d737e785e820a943cdc9bcadfc889bb28f1a611969bc6

SHA512
139de8c74227631ba9e591e200e1395794de9042379c1c4c906fdbbe43ecd2916133a2b53cd7b1f06ddb8a40a802a1c4bf2757f3418c39c53eead1f75fbadcbf

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe

Filesize
1.2MB

MD5
c27530bb1912e0eca0fa233571f6e2ec

SHA1
b5604daaf1b5ab4321a7e3ec978f8d24dffcca37

SHA256
5dcc3a6762a3185dc946cf862e93b552d58fc2d3da42bb0b5cc1533f06ff9155

SHA512
eb83c9049ac39704941ee03ddf5e0bf8600daa3d4678f8a9e8d5eedfc506112b0d20350d1eb505b9ca8a1fe4666f47abbe67d6a474d262b9620c90fba879dabe

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe

Filesize
1.2MB

MD5
654252854ddd93a81f87851abf726b0e

SHA1
f4a01f2c3702d716744c620abc90f6e3fa7c01b4

SHA256
61638b9d07f15715dfd84db392a243477dfdc708d924a7f8b03242986f545134

SHA512
54959051cab538d26810f38750d277175c80c98851cfc7f6063d2890a68232c79a00bb8f24e1bff5d96a44f78d6506deaf984e57e2d8e8e371b9acceeb9ea8da

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe

Filesize
1.2MB

MD5
d2b8180b375ee569a27a9f5138a71905

SHA1
8e2be9902b2048f024d2bb2ceb0262d665ec26f9

SHA256
26d0e5acda47bc3746ac86513c0ff5eaa14894563daf8658fa200772899dad22

SHA512
77b6d52b358c21bb92e769ac65e63d6689785ad0dd9bfe1e2f368be4c73152af339b82134ce20cf65e59bae87ed0faf6bcfcd28fa07143c411e5bab93889cc64

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe

Filesize
1.2MB

MD5
b39d55c0e5bf28299ed536ea796103a7

SHA1
c5bea542f4f37c91c2313dc40654ed12e00f0e39

SHA256
62611c716f106b569b9ea0f21095c488c24784b9f9c1f236b55417ff0ec06a6d

SHA512
d972fe32c932a8af7062aeaf480c2ee3b19c2d4fd5957cec2fde5f14a7678fdba00ce3996331cc55c0d86b1b19271595572efaa83aa687a5ef9b82a567c222f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9db7f9b8282aed6bc571f34980aed498

SHA1
a9fdd5c3b60603926634ac1172905f9365388d34

SHA256
3d62dd51b05fd2a94a6b9258da0c76cfac2b2a466f0f2ff1e53a3b46ca9f1a31

SHA512
9023c47cee6071ed8621bd692fd03a0df5c160711a20595164d873c26aae01252b764b98e86892f826a12aa8c8cba782fb893b7df944a105e3a47e1f65691db6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0303c4b90b6a8006c071f2856b002620

SHA1
e9c14b6b5db20116de67a659e632d62ab4dbad37

SHA256
dcea208817ceb13b3208f44638b86aac6b417b4dd74e98e9778046f1f9062f1b

SHA512
65de70cef0cd66e511ca203786aa071085371759eb2ab62d1674701ebdaaba82e477fa5b79db6bd6a68e649ce7627a308bd46ac71a0ffc86f81021f677dec7cf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
bd104333f8efd295816d38a4dae12c20

SHA1
b4237164af06c2e2a23d4594a80f052847d527b0

SHA256
adfafead9f2ca06f383c25ba9318b4133a9c59271bccdbb56cc18c3176f81939

SHA512
326072c453119039257f28c406ac2cfc552e69b442325ccb1c8475854a4f06da1cc90e814f1f688fce9dbdffa4fc7de5121e3eda4d2b1d9e98042975a7d560e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b52353c91bb24f64d7bf45730b6cdd9e

SHA1
beae684d568a54fba7b30dae750696165fc7eaa8

SHA256
a1d270b5661d299a84df5c073f8e483e52ea3b598e4e4f2a54afa08b821ae796

SHA512
a82f5e1d83e93fdeedb466becf737316cf78b6ed1e6a486a9b1d3f57a04a6578349216a66d6b0e4f79eea9a92233617712b8f67ddcffb5971b67be7d80380ee9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1e61976819f2d43961147f97d8a3be1f

SHA1
368cc1cf2f8029b9c81efc5df02d31a24439bd81

SHA256
ecce9a14b90d94e2ffff6b8084c886fbc7d4a35b019e80d8fcccafdcec4817a7

SHA512
c3da8587306032393a46225849e28e76d306b27b094821c4e83f973ff8e8a746401cf39ad3879f58707078adb2afaecafee4c05b101521c8ca27b459e8e9501a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
30c1de7d8a34f711b9615b3448a0cc6b

SHA1
782731b912fd231062d462cd64b813c9f62f4a2e

SHA256
4140c44cedda045ff651666675920c93b3cffce42898e16760b9a7d55ca528db

SHA512
76c456037f53601ca83c708a143ed0450c4181ac9310723db1e8172ce6c30fc6901d9e1d746867a17e6bd8e6b55dc204e09a5a01c4baf2d27fed1285befe910f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
30c1de7d8a34f711b9615b3448a0cc6b

SHA1
782731b912fd231062d462cd64b813c9f62f4a2e

SHA256
4140c44cedda045ff651666675920c93b3cffce42898e16760b9a7d55ca528db

SHA512
76c456037f53601ca83c708a143ed0450c4181ac9310723db1e8172ce6c30fc6901d9e1d746867a17e6bd8e6b55dc204e09a5a01c4baf2d27fed1285befe910f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
27289efcb5e50c4ca86f1691b5a5f1b5

SHA1
06ac981097fea2fcc33c63dddc3c637174e53f04

SHA256
d88f4b315c6789e1c36f43fccfac6af57a8c2eac5b610d1a4570c6a19d80cf2b

SHA512
951a95df1ea47bddf40725f27be3130f471f6ccc33fe9349b309f6699ef8de03713e82518761487f9b19ae1d418fc58952f6b14a40789c8a8989751cf156b18d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0af7f7230a198baf1f0aa149b0be5590

SHA1
090b4ac9a8242805b5a753ef5bdc13e3479b7203

SHA256
e2990b37361990e9ec8b3c5edbfd2f62791a689546dfd242915810f268865fe9

SHA512
de8f761953bcfa1ce617ec61263174962564c6f066006a9a1e0cdac8b37a9c68a328a2287145d766ecae41c83a159c622d8782cb2113e0c04d302bd66b78052e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3db5b32ef97810f868ab44c3f369d01

SHA1
67d8eb460aae815fc99a7c83ba94a30da6a3748b

SHA256
adba550f6ca245d9b71115e96147a15caf315a42290dbffaae2f7aaf6d3adc59

SHA512
2142f91f7e939e0e4eaf43f3ff9f5ff118c223c6358ffbbdc02f2adf2356029986cf342e1b01c501f7796a00c130f01f6ccd14023b44688346d941c2de052ebb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1ffcac0d4c2bfdc7db1eec00875d2a6f

SHA1
b488f4963f55f5479923638794e3be92957ef014

SHA256
6b29fa36fd6d47858ba2eb537160b86bdd68f4074ca1d13db2fcf4f996fbd7ae

SHA512
7c122a2385c6a54c18614417db55e2e141b568805cbb274124d8390891bd1e9eecf2f82d49f8ea4dbf3dd18b39ce1962453c47323fc905b60c7f036b32191065

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
67e6ced100825982590c50a2f66ffe5b

SHA1
5ffff6b4d4923e2a7e24660241a1d7bdce9843f4

SHA256
5b33c1b69ee5e39bd76a3cb088c86acd3c548629c0e2e7ec3a51eada4f7b6eb5

SHA512
c042e3d4372c45efdc3796c95cf76d212a9a4d3f90e37c768e8e4ad5b2522159f0d0670180e880079d32edb657346faef7fa42f2d9304f2ea8a8f3d48d6e69aa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b8c986534372fafada3c3ae6e43488ce

SHA1
0e4dd5173cbd6cb5b998ec3ade477c339ca3bb57

SHA256
b044e52fea5c50d5a3347ec759fa4e63dc981725cca79ebcee1a0e1d802f02e0

SHA512
0f356ce85a9b28dbf17eaf0b3fae34bf23d3c4dd0869a9e752260884521d2c78a40ed93ab46ba2df27921de590a07970af644ff6e94a494e76c346de5f5f8657

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
020877f2ea2b81cc0ebbaff3be2f2b1e

SHA1
bc6b67b7a8c67f112e40c1d1e80c592776ad5a77

SHA256
d1ca88aeb890bc286a5dc2ca48e6e0102b82d3231f81501b0781cc6821cd6fbc

SHA512
f7644909c53449f8cfd126abec4a6210cb60054caf11b5795bbae9660e2e4553307b47e73ff1a8a10a35e5e0503d7a7aea00d8b32ae8c2f39365b20cb84a4cd8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
af7970d7d426c6d87a96e4c628e3f577

SHA1
d09d0ca46f751b57676512650245df030674ef04

SHA256
87a3a4e0bf7b2206d97120cbe275e69e4252a62218b2089cc13ea7ec94439014

SHA512
dc5d9f509b21353fc99ed3263f5096efc970cac3a3738098bc7d65c3d83f6472903320b96d4ee5154f5c98471671c8d481fe556a815336f65d813a6735d66fc5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9a7a5a829355d990616d698e4edcccfb

SHA1
bcfa71e1622cdede34126b3be31406b6a8296c45

SHA256
4bdd4fa6cb6922cbeb86d869bd4587178e79edd2c532e4f156eaf2e3dbb41d04

SHA512
cb42ebb4fe53e2c1e20f2aba3c177453935e9313be3b786b1b287f2f8fe8cab5e7eafee87a7d5bedc2e914bc65e1cf761c18f53f32cc36ee997c018299dbe6c8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
aadb850cf08f8c019dbaa83fd98012ff

SHA1
de90f41e758f29c9e44fe52bdc6c893a63fbd33e

SHA256
56196cbd3d84040a7d63431e55187b6c6e0bbc324c0d1c355ee1005332951c25

SHA512
78dfc8635f37e80edc2eeb636d644ad0afc994253ef68457016a3048eeb8d9d88755178ec9dfdcea9a566c70066ec67767878f4a436ce707eb5b22c4cfafe057

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6b8144baf89a21f595c74af208c36a17

SHA1
b186c716b64cb3e1fd57ba027992d77274b75e44

SHA256
4e5f87d5689f2ca99e131a3a694734bf5bd516a99c94acd8b3f85775c235f4eb

SHA512
2400fe9edf9e91b23b1e3b8c37201f2f912e78277df99b74e3d6046cf9677c9d6d6101e9b946701d1f5c636337c5932e7d40d6c423fd9177d9a79ea658156319

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f4532bd9957dc8e64aa102202fcb620c

SHA1
ea3beb36aa14b8aa18a42eeec5656791a14e978c

SHA256
90d82cecbbee05e937bb713e5bca55f7b2ad97391ea1830551cf9349cf00e379

SHA512
d1b482b521e170b992a0349901414a88471c4f5956554c928b59bd49d1d93b7cdc835beb377a7b094262c92ceefb61ae8b2ba942b8b0d992c88ef0876def2874

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
0bb295e7485f2f24bff43d4c25daf7b7

SHA1
6a5916d6b107d298e2a8aeca85391b64017829c2

SHA256
c0a43275b11a80c75770d84ff5763cb6bc9cc37faea9dd7febbefff6a7048a5b

SHA512
5ea7a6bc7e83354d8f92212fc6b5f4d00c6f9366570e2176c1295517fa7f200592460186072754dd7efc0ff1dd5eece5f8b1393a7ce0bd64163589c27fe8309a

Download Submit
memory/228-255-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/228-315-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/228-254-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/228-247-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/688-95-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/688-28-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/688-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/688-36-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1444-440-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1444-433-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1784-304-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1784-369-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/2032-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2032-169-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2032-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2032-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2428-361-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2428-431-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/2428-371-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2472-260-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2472-274-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2472-273-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2472-259-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2472-267-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2816-53-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2816-289-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2816-52-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2816-63-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2816-299-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2816-66-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/2816-355-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2816-60-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/2860-395-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2860-321-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2860-327-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2860-387-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3380-347-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3380-357-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3380-418-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3916-453-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3916-447-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4152-68-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4152-76-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4152-69-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4152-218-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4176-334-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4176-343-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4176-405-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4260-398-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4260-388-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4260-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4260-403-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4264-415-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4264-406-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4480-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4480-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4480-81-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4480-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4516-341-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4516-276-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/4516-284-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4516-346-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4668-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4668-427-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4688-444-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4688-383-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/4688-375-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/4752-374-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4752-317-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/4752-307-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4960-0-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/4960-14-0x0000000100000000-0x0000000100202000-memory.dmp

Filesize
2.0MB

Download
memory/4960-13-0x0000000001F40000-0x0000000001FA0000-memory.dmp

Filesize
384KB

Download
memory/4960-8-0x0000000001F40000-0x0000000001FA0000-memory.dmp

Filesize
384KB

Download
memory/4960-1-0x0000000001F40000-0x0000000001FA0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads