119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d

Analysis

max time kernel
120s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d.exe
Size

1.3MB
MD5

f164f84f616092d2df64a7c2bd486a39
SHA1

8a429e6a4f5bfe81f099335d90d720fd1f3a8a3e
SHA256

119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d
SHA512

9ecfab65d90fad0f3773e4cf32f9c52e3ce6c6bbdb55c02af1e065912ec3b51b3b4fe86ce60e2557b1cc443436fbd969fb3d46474bce5fdf4095ed1021210370
SSDEEP

12288:KE9B+V9ltuhohhCRu1uPxope7YS+Paleow7vwqi2VNN20zhCUeGI:KE9Balt/hhCvJae8VowLwqi2jU0zh6G

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2904	alg.exe
2160	elevation_service.exe
1276	elevation_service.exe
3244	maintenanceservice.exe
1416	OSE.EXE
4620	DiagnosticsHub.StandardCollector.Service.exe
1096	fxssvc.exe
1132	msdtc.exe
2776	PerceptionSimulationService.exe
2668	perfhost.exe
3520	locator.exe
3024	SensorDataService.exe
1856	snmptrap.exe
4024	spectrum.exe
4136	ssh-agent.exe
1508	TieringEngineService.exe
1572	AgentService.exe
456	vds.exe
5116	vssvc.exe
4656	wbengine.exe
2296	WmiApSrv.exe
3372	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6fa3692eb759df4d.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_136968\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4348	119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeTakeOwnershipPrivilege	2160	elevation_service.exe
Token: SeAuditPrivilege	1096	fxssvc.exe
Token: SeRestorePrivilege	1508	TieringEngineService.exe
Token: SeManageVolumePrivilege	1508	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1572	AgentService.exe
Token: SeBackupPrivilege	5116	vssvc.exe
Token: SeRestorePrivilege	5116	vssvc.exe
Token: SeAuditPrivilege	5116	vssvc.exe
Token: SeBackupPrivilege	4656	wbengine.exe
Token: SeRestorePrivilege	4656	wbengine.exe
Token: SeSecurityPrivilege	4656	wbengine.exe
Token: 33	3372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3372	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 644	3372	SearchIndexer.exe	129
PID 3372 wrote to memory of 644	3372	SearchIndexer.exe	129
PID 3372 wrote to memory of 3832	3372	SearchIndexer.exe	130
PID 3372 wrote to memory of 3832	3372	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d.exe
"C:\Users\Admin\AppData\Local\Temp\119f66cce7308a9ae2b0daaf886a57024df7e13cdad09da85908e828169b6b4d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3244

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1132

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1856

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:680

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
07b75e169e3ace47365a9a323900379e

SHA1
968511d29d6c16b5af0d68197e919dc99354f415

SHA256
a0fcf082308e78cffa964eb785450198d35b6101e82483867fae12c0e5764a72

SHA512
ad1c914578621573a7b55a0961b1885ab641734138252594e3e6421d01eac58044698d7f758a672bb5299f32b361912cb2127d765c5dd139fe75403a55f0793a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
df65f5339ecf752428cc79dae503a479

SHA1
e4a029d5f9b1484dbfa367c6b93a3346f9a1b797

SHA256
679a742b983bfa6a9ee0b4e7fe0ea6e6e42cf0bc78e750a03c0458ac39bc0f59

SHA512
69231c2f36b3c311a34b957471c0a7d23d0b9fc3a7da83e49f4a274a8606f0ede5d15f164a617c0b816fb6ee07bcb97f6f9cfe2d18ad368e1f10d19fcc46fc82

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
df65f5339ecf752428cc79dae503a479

SHA1
e4a029d5f9b1484dbfa367c6b93a3346f9a1b797

SHA256
679a742b983bfa6a9ee0b4e7fe0ea6e6e42cf0bc78e750a03c0458ac39bc0f59

SHA512
69231c2f36b3c311a34b957471c0a7d23d0b9fc3a7da83e49f4a274a8606f0ede5d15f164a617c0b816fb6ee07bcb97f6f9cfe2d18ad368e1f10d19fcc46fc82

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
1f3f0ecfd44224e6f125c69245ee690b

SHA1
9f3f7cf5c0093c9aff1bd4b8a035024d06a33e97

SHA256
d2fba7de28549405f1db7ff1c402e683c6d379a95f366a908c9594fc289ffc0d

SHA512
daf4e5646cfe941d68e551f38378065809723c2bacd867934aca9de50741c66a67c47b8dda269e183679d14e1e6651bba6f132d964bbe1f087860cf5ee1601c2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
1bd7027feb4e7c01a44d2544dcaf7170

SHA1
961d4106741e0f8227ea0e5a08edc54f7d510b62

SHA256
1da847919cb51b4aca92d90ed8ade71b888a9208440ed1df64827c34e8b46ad9

SHA512
6226d194fba6629e7d0ac2fec0bba84c5b05158f1c1964a9c801e16a633a4bdca4304a145e6c16a93fcf3af786650758c7ad66f300ec614a9384ee17d1103211

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
f3ec33c275490ec3331ac27f9bda7d71

SHA1
2bdb5039f3601483a80bbd1f416162ddf19f6bd3

SHA256
053e66e11e37c68c593971d4f2506ba7f35427d37ba844705239b40c5da5a413

SHA512
85b89056f2d6586aee56202880cbd8e8e79e9f26f29932764430fa3d7eef1c1b8767b91d62d766531cacc62ad51873c2fbf1cbb7b7c6c6c58a0e75b147830e82

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2769feec219eec93934269ed8c305065

SHA1
8f72e3730c2e78aad066476f2aaf8c8dbfdee8a7

SHA256
3f4dbc2645a0d6022485ee055c4ae7d71372f8a0d2cacf74f7c0f8386a4311e7

SHA512
462431a69092b5b6882ce1fd06415a833399926d9762cb4cf11c68bcd9f0ddaf3f41f15a481f98e5551bfe820ed9ac3584b0d087d07a108ec87222448ed67bcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
feab2c70cf461c400a00000a4c1c9b3d

SHA1
1ae44cdcd3880ec4501e45f5f33b302fe2fc2bb2

SHA256
8a0be4ab330de31e7993a6fbc71a61cda2bd7f2646aea4dfb3cbeba3a070c473

SHA512
1ddd7077acb4f04d1b2c30194d11a442822539ff0e31b7ea2986d0b29c3f2fde75aee9a76d50e2532aa9cb9851fe7f82af0b49becd7be1a86feb39f9efa6b7c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
745f1bd567debe63dc2403db8824115b

SHA1
c94bb661eb469124baca3988f82ea017953c279d

SHA256
b88ea178fcec4c07756dc461131ea3442719adfccd5cc82e038dbda994fa9f84

SHA512
2021cd4904699af2ba852f2361dac5f46d58a911633e36755712db00637b47cb5d9e357335ff56562e12831b63505788896ef82405d9a2eea793a86f178f0b52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
03c69f605ce3dddcb5902b71bf8e7a50

SHA1
e4f0f886623160490351a2a4b70d6ac47c13300f

SHA256
20cb0ba611851dce084fe1e6eb2b765862cc817ee9c88cd9e4b7c0a2e3135804

SHA512
655371586dfca52891b88eebb922c29d62f784e1bc7eb1b24ff594fab71207adaed2ffcdbf60bee0c7d784cb479cc5aedb1c1d7a8390931e2961a235c3e3003c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2f0e5ebbded05e31e1430e3fb7520f87

SHA1
150b33d90390f7750ae0291b2be3ae8f3cf1c6d4

SHA256
40d8938d2e4a32a2f3820d63333b246e73960d34eb764cffb08b9517426fce44

SHA512
9f6e84176eddac3b90ef557a2d11658e1c2662724641f34111673f23754d5aed54361649ca20f6eae8b0d0214166aec5b891bee270c7002ab6e8b6aa665bb541

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
316f27932088581d875335c6c7c6dba8

SHA1
748cb67515dbd6f14ae8881fea3636a6623a7e91

SHA256
5aa35ce229b78d8e4ab33831f4d1d8bbcb7efd0a154451053ef4ee30c15b7532

SHA512
f6b1274c42adc6cad5d0e4a67a97321b18550269cceba7963ece4021a27fb79102f7ccd0fe7805f98dd8f25b97f85bed7b618652b52bd8f512ac7b1914969af2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2b26bb9b514b12765412fb40276b27ce

SHA1
baa47f1a40dc575291a9babf7b72c7a3067e038f

SHA256
58a91227c8dee0df95a3890a6b603653901bd051336d2888910e3e4b5904f8c6

SHA512
3d82738260037f48f9f08076d71590202a4bafcb59e6bb90da32c86229c787aa8e3143dbae3f845125211536febe8221a3a4d5f120df87223cb79ccd65f3358a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ed0e26504fb429f2d47999be41bb69c1

SHA1
c18ead732cd769c40c5f4da66482f1fab8e3087a

SHA256
56203b4a4cbaa7a58071991605d595fd870195e72dedc3bbb56705e45f0f01cd

SHA512
51553f59d34dbd16c274ee32c51ea5b9c87a72b3dec9122209c0cb1dfbb9740c8080e1eb2265846a7cf24892cf7fb8e9c24989af9bd24ecfb774c99e84ea18f3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5fb966caf15985cf6aa31d03b35b6df5

SHA1
b85ad014df4cd5fd4a6dffc50326ad1ab5b4ddde

SHA256
7f55e69a7fd568d0233a95cf601be8158a15e90da70e70105387574bb15b38a3

SHA512
5b3234b9637fb3e55c0dde4e04deb4fc3272cdf98deee2e3870c16262ff1a40d41e106859e9308cd5cb97f9c9e684460a6fe47ad5c55e6b8cea2754c26f322a7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
32e2798a00ce67705f2a625abbd49668

SHA1
43d0b26642dc1807889d8ae9c60d98dc94d3b3da

SHA256
5ea6eb9dd64879ac37dbb2c3fced451a95f5563260f412e0b07d134c34babafa

SHA512
afe32d3b6f467bfcc34c4a39d10eab968946081d04cdea444a670c6354a2bb8bae8167e7d5d4257c89a2bddb29741bd3bd92ea012b08e4bb9dc269eb7e132e6b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
93c8fdbff212a525ec732c722b939892

SHA1
ab876971ab0391f9105cc5edecb3fa16d46ca6a9

SHA256
b1afd6921f9d8b41ca03c7bb7547932685f15cb480c28eb37400eb2189b98d8b

SHA512
d40f7f1e6551c559763f2b54f1dc7586042600469879e53c1f31a0af4bdc3aed657d7ccfb3a1819e006a58719a22d322c91d3a6e5c00e71f2cda7d1cda778721

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8da89b2a643b7d769c226c8c0f778dcf

SHA1
5a50d1bd46cdef926565b74d29bc4cbf58846984

SHA256
cd2da2c41121cfda0f16c118f55e5744db0d03e9a7d2c71635394fec832debd3

SHA512
9f140ea91c3b0454232dbddc7d761320fdb47cd550a96929b618e9a4da13140aad3d79e10ecabbe19f5702186cd8f9ff22ddc61c2ed5919f2d68c0ac7cca21de

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
cdca171d9dad8f561a37f88bc9c9d532

SHA1
fb8d918a6157b27898a4eb9ddc886aa02bb9377e

SHA256
d8ffd7c9ff9705dc421c0ee646e1d741431c2bc17fda232940ec58e7fc87d27b

SHA512
016c57ca50c8694ef9b0c5e9a9cd5bbffbf8e3a3e4369e39bbaf22edde50303a0f9b2d5edd0fa337c3640f57bf1919c8b5e3c0eb4c146bdbe6bffaaae492d8e7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
cfa65afe2cb1dc085f299db6c219b6ad

SHA1
92e440ffdd38b575a505340da4a2ecbce5447359

SHA256
27b9215ac181f8af1c23b10344f4e26788dd79cec89e46fb85bf4e672adaa3e6

SHA512
f7adfd8159483257f49524906517849ce24fc82944519c38f80be9f1689112813c586ea370db23a90141196a6aba60184c8ff64a39bd13e759c55affbdb3c530

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
1aadeb777d77655c70aa5fad1a5c4800

SHA1
87c407a7ecddaed71037907c78d9aeef726bc668

SHA256
97171901e5b4fbe11f05f685acddd6b910b67b604e8061c6b26593e65ffe3d9b

SHA512
881ef708db33a2a3854cecb0a4d5542473133369d32de0c46f15d28278522eea9116e0003df610475d6d159145e28a58d58b28bf04760d4806a836b9c38636ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
d79e6baae6d12b76ba8c8a3c7d97f15f

SHA1
5b9c18857aa44875e46c002db54097a45d969a7e

SHA256
16c4b023db9d716159c822ed2d1c6e0906cd4d2e658017990f1b59ba7b2d8d22

SHA512
3eac6a43d48b427921758944a9b5431d9ba70a14449ae63d6ccea050d9f8ffd5473ddfed7ebc76d45853d61638f0b97d7b26b8688c321f09a74f218a45f953af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
e30ab0b3382d429eb50f1d1b88f7092f

SHA1
58e41e52b7e0043e1cb847f0587b5ae2046b3b64

SHA256
95b5ff60827d48a3487e5a973462c611af0a4a089775d44f4585f64167682a85

SHA512
0ff0b1ac0c07e8cab70f0e3eb88ec6c55be2a763757030b772717239cf839e54d862ce1ca87a4589038238df71f10a85240b2b54c619c068c83282e69825c2cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b99d7eb997ed415491158eca178b0d01

SHA1
55bac3354e2d025fa4f9a47a6476af4c6b27fe54

SHA256
850e9fcb240638278a1962a4ba49e5f850ba4b238e41cbd18de0ee3323342ba5

SHA512
e6ca7ada922c5a059d72da27d98a7e208fa7d5920c41f42373843a152ad4a050108a1bcf51f7602d34f3f01d3c5fe0165a8a441343ea2e4c0d7bbe9ae53079b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2609b4a74e14a69cb33477744d8c7ee3

SHA1
d686f7e03767c115ee5b4651ee497cce296e1ce0

SHA256
95849a333072c706c3aec2e1b78994230ccd0862032bf0bae8b7f4445896be3a

SHA512
6c04b5f3a87a3722c8255c68ccf7e434b2e5af60a30f251e69f185e87f27ef07dad34cf2a9d62b4051fe910144360595dbc1df5a15718cfafc06f14817171c2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8d84317ef444179c93481eff4e140a6e

SHA1
fa6d773eee75969f774bd52fc242a06145e3af00

SHA256
0f86b490368348988aab284dad12f3c1762944c5bf7b657ee78bd38949601310

SHA512
ac74ed0181f3b770c87c021c2617d6767e0f15a1326085e6008964633311afe30b6e9b6b50794f6e80e9bc8f499eddea9b1a472e7a996bc9cd72361e8fdc6907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ad27b3166c4622cca7e1dc72cdb05e49

SHA1
6d842dd583a1c736e6efcef7376f9712ad2434cf

SHA256
37c499a4bef0c331fcc7c6cda803e468e531e553eed1712f1e3996283c9b3ca8

SHA512
948477c7678eca668ba4d6055d0bba5385468cc6ecf5f267a4d1207bded94636649bbcf5910f6cfe80a7b5802488f706b1f0b3e4288d6203513b49ed86aa153c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
053277b1a4ceb7c79d56e2c137a15ad7

SHA1
5d136bb204891ff066c1db1ed33742cf373cf56e

SHA256
26414f2e186d996e681de1bd2daf66aa63207f8e45156bab04b9df911e85d740

SHA512
ed67afde7665aa6a7da64c5017cb7485fc84f1c591b9afe23ac04386254529a769494ff92c20d19c03ee6f0bc9fe7e55d815a052b1f01495aff3f300bfbd3907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5dea5b5284ae5e9dfed35d9e75a1476d

SHA1
250496d818d2659bf98411290368c5aca3d8b0ab

SHA256
aad4b48eba50d94bf0f7fec7358a19465248e2b56414e767c442511c0e7501a4

SHA512
f7e846a98f878eeacad95afa444815443918f5b64ee376c1ef9b8964673cbd4e4963bf96f25348b3eba3b5c05485c0610f8a999ae3b8c8910b33d9423f857ec5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
dfc3384318335b888ecca48c9845cc33

SHA1
aa0ad28ca379a639172611265ed8edff533244ab

SHA256
7bf23109750947c05cf25ab20bb15a68dd6f8e64ddce704aa4af7ae068227be9

SHA512
6f38845b9dc079fd40eb29c9351e25145790b3915e194822c7cd7e1caf9374708a6ba0477702bdfc4471cd430091df5d80d1277cb99c1feb60c9d5f20e68a06f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
f5554f4cc036101ea2ef1d9b8fd4789b

SHA1
14b99ca7c33b831770aec5a4b1b6686624b99c46

SHA256
b6379f9bb7cd0f9d0b450410e716885294f82ffc413331ab7420fb2326888c09

SHA512
512d93e01be12cf44e8e493edae3e146dda68082eedc9ad766454c1e2dcdcc2d5cb8d4933dfe24fb541779ff2180a5cb2ec87afac6420567e4904119d97e18d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6a0a80f438e939382fcb50c0519812d5

SHA1
f0db0fc50963c99e0e5d040c3ddd7c3fd68681ca

SHA256
11bd82e03a3f32f84f0c9af84f99a1f7e0417cd3b4047fcb47dc22d95afb89d5

SHA512
c634eeaa8357714c491f229ef1445f915d3f75d0a14a994ea51ade9743ee02dee15fce8d9974e83afa76f9329abc3cf8de6a0368fd818d90da75146016298ac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
84083895d92f078ec44950a3f331eded

SHA1
ff8654ddc3c4fe0f4315d4b7dbc1743d9b715c2e

SHA256
aa8ac1971ca95e4f328f7e98c1d1ae7858af5a5174174c9f5ec386d66fe9715d

SHA512
b1b01ef2932cf9f5d629557e208eb85e90e6db24ce5c2eee8cc92d89304807ff3d94fae9f7eb255a7abf7ed4439c7f6e703bdea3b93f6574f4044c2811332374

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b0bb4acae9c8dbf71d1b858c4aaa5932

SHA1
2a534bc4ac667ad8bd02d94d4d4ec481ef49d555

SHA256
7c0d5d1e4e982a1170bac4974471b1d8315bb57a1e588dd492f2617b6b8f42c1

SHA512
449bc59d5f84361cdc9bf41f5daf3bb0910a516a27e86873652c512cd1e23fe4ef80a421735fcb5989a78ea90095c600fbaae6cc0fcd867703961b52ecf8e44c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
7b8c7fe8b5f9944a487417e882e8d0df

SHA1
a1f09b1e60f17de89a53499e8b74afb9640cbcea

SHA256
11fe4d068bccea7465a2d881d0016ecdad50ba9e10aabf4e7857977db1b23940

SHA512
82cb01f6b33f3fdadca3be0425caec62049615e92841006714a9ed17e7ae0440e95aea2b21462b1f03d0eeb3c40d54ef7d021463c045268a352b9e32de2e54b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
363b41f30324159f646b5929406deaeb

SHA1
a8a1ad6838b913d9d9344d6b3a82b273bb964a46

SHA256
9d584059c56656abdcd7f3387e517de7dcfd8f2e6f77ecf3eb96b47ad8ce397c

SHA512
eaec69038becbbda9fc49f0a41252b1477cb6f8b50fcf382a37413f642bc9f4c79c0cb6e94a49eebb328639c4699421973bebcf94a7b7df3d9c0e0f30471b4cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
df4a1ffe4ed19c898801cedf9aea11fd

SHA1
01ffda7d17210ba029c5b2638c6fa7e9735ab213

SHA256
fd9a1e94bf09469fa8f5cb1dd601ca79b44c1c60683cfa5e09f5c6e7890ad69b

SHA512
d5d73a69a531342e73e7b5736de3f8299a359daf6593e5635d6fdfddf8f3d4fe742a475175f167703400fb9205088418500a46dd2d19d9b7ce99af66d4af1fc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
af0c78e8f61143774eed87fa12ca26c2

SHA1
70e48b23089dc9d6cd79edc491d953015245edab

SHA256
71597173358a15aa275c0eea4aabcfc02cbad17808d669fbf48ede60fe70193f

SHA512
03e611ce39ecdfc6367c89d49bb7a378ec587072699b72351615cc34613c1356f7d3cd08b6ccc7eeacb8636d04dfaf6e843599ed1c9f8fa1cea2c50fc53127cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
2b94041bc4f748a56478ada975a2d0ef

SHA1
191b5080b0c570f77e2b4823d1675d809e74dc4f

SHA256
e4fdf86b9433f2a1ae3e0e4408cc6493ffabc75669be6e1b6ec71df547652224

SHA512
d358d337a23a4df4a1cfdd5213ab3f9e4f42defd2d3755c60a78ad30d4ff5339f3ac705075fdde29e53618effba9b67cde5edaef77c8055032dc71cd583e4cad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
1909d755b468c853f86b4a29dae7e430

SHA1
bf5ddaf955795adc6764dcbe9f7030f588e1f7a0

SHA256
66c17ead1ed9f9b41f963c03a26164f99b24d33446dc50cc99a0a843bc81ae85

SHA512
127f95c04a5456e85a393e6e385f02cc029a72705656cfca9952e6daa9f8027fd70462b44b84ad676691538bf3c4d2c2c3d5ee04755817f8e9fc3488361bea33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
ecc23b7b082d952c8ed05e49faa78ffe

SHA1
e24350fafad11adae2b9d699367fc9e5964ef897

SHA256
4ef43a25f294c633822e598af7ced7caafb48529a12f614f5bea2f7f86a49b4f

SHA512
c76a131d300cea2569e3c369dcd622e5b80f5eb8189e42a40a550d40608831aac1a136a148fca3ffef3d48f3b55010200416e2b1eb5ef83eedaa030483205f39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
d69152abccee87652f2dce929e170e6f

SHA1
b5449ce0997a48833dd46ab6d290289bc14299d6

SHA256
ba1fa0deb8b58226b850cf51d4f730fccc1aa729d34d2347996d8eeb3fc68548

SHA512
cfca3c1dbcfbde05ccbaad12949e55bf0815804ee287511dbf50eac358a171ee24a4746235cc3c6e9f64fa3435b8b8d8524cfa56f1969ecef2c41342ef380896

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
e068d6e5b6ef90afb32cf3a8a44805d0

SHA1
889ec73a700215678a474d6630604ea5317b7ff3

SHA256
6b2ccfd365277cc23ec529326ebfc16eab370705069c301b2a8800dea6bd6278

SHA512
588f735e3fc70bfb393592b2fa927d068779a8ffc905df058eaa4faf9d5558562ac50fc888c60120a9b66dd21494fbd504704ab1a07be56dd202dc839e65415e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
9ca8d15465d4e69ea88630c8336f29b7

SHA1
69a06c003009b8c905797f6f4908aa435695382d

SHA256
8128bf98d98c2b4bc193aee39fe5b1e5291a469837374faf0ca38defef3ef96c

SHA512
0b3233cef55f9764330f94e98493d2ba8ed7f1ee34abd6d2103f84d7c09cd1127421f00265d88122a8fe1f7112a0c70400decd612ea49686ed54c687355c1a59

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
704319fd96f498c59dfa1106fdec4db3

SHA1
7768bad5bd3cb73ef7ee0bf2fe426bf6f3380d71

SHA256
d884bcbecb083db5df558ec9c2203a9e94161861c141450e2b3b89ac043b4c8e

SHA512
5c161695cb64d43d03238d1e3aeccccdc6ce98ac8625dddd6fda04fc924cf53830611ad87254d91a94b447801b462f8e6360d86c8c1cdbe7f030f8e51793e61c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
82aa5afbf3ff7657b33f27069f94ae6c

SHA1
381f399f2ceeadccf69a37410b6bedabc671a305

SHA256
2f24ce14ac294a98dc07a79329b9797e044353eab8af1dbbe6816bd82c34ff27

SHA512
5e9e7ccea4383e4f715b9226a3533e8d1346c011f1920413fe465efb0cc3928d6563958c97e08389e4e3f5fad6c55adee00f614eb239906f7450c1fb81c41fc6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
33219f49b8d697bdedd62a8e4afb23fc

SHA1
05345819de2aa55b455f2f8f65032a8ac919b764

SHA256
289e489d0e8da08220e935b4a8a313f607d993e83021c0f647fe8e7c5b133be3

SHA512
8f1f5b82006fad8981dfc12741feedd6692ee1c6f8e29c162f4dd63748ab65cdfd16fae122b5a909d13042d9bb0bed8cc9eb6c7baf755e9dee0cb918405730e9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2368a3bb2a65c54e7d629eb44428c4d1

SHA1
de241e4bafd62d6c5d4788a0ab662989fe731c4c

SHA256
d064886888e2d84dc9848ec560877ef246969d58029a6b64d72ce82fbebb3088

SHA512
94e65a8ddf9f099dcc5392c036e4908cf1bddc598dfe839621de674ed7f9cce04a7b357e2a9f4579c3ed490369b1d798fe3593dc52a42fefcdd0e8109e7c37ab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7b26f50bad55181e1ae2a5cda19c1dfb

SHA1
8a98491ea76bb031b5c95bb4597acdf472781154

SHA256
3c0a8628f96152418df3cadffb2bd0cd85e57b7ee0b9e012fe1a7ddd29813c4b

SHA512
a4ea2fbc400666f5fe6f809be7b9f4f7c0c316d92a79c2cb795c750f6db072674b4e42b2132bd597131822712e0188c896d4ca37c5dfd7578b23312d990a767d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ecf4d63d0f9a8c2a436738c63226908d

SHA1
2b77f23b640dac0bfecfc8044c8f8d74fb019998

SHA256
c480a5fc2252a48e2a45f4df3fd489b3515bd7251636ad0bed1ad790597efe54

SHA512
ef13e81a573ad1a74e1c38db180c869abfb38501d0c51a8bfaff1e22331c60948fe155b7338b8347a3d39e258f19a303d885a1e2de556d37b0dd8cee98e79817

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ecf4d63d0f9a8c2a436738c63226908d

SHA1
2b77f23b640dac0bfecfc8044c8f8d74fb019998

SHA256
c480a5fc2252a48e2a45f4df3fd489b3515bd7251636ad0bed1ad790597efe54

SHA512
ef13e81a573ad1a74e1c38db180c869abfb38501d0c51a8bfaff1e22331c60948fe155b7338b8347a3d39e258f19a303d885a1e2de556d37b0dd8cee98e79817

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2b2d27300ffa518025cb46f7ab347e17

SHA1
7f8c5d4842fdbe50dc224ec06fb750595790501b

SHA256
b6c5e8f747ffa092020b899cf9b7cb7bba4ec7ff08e6c49b3617020c169092c7

SHA512
eef954604f96458a7972b2eaa4a9eab65b4cb7ce8d603279c6816f134732964df559835d090261e8334d77cc286cf7f9920f33b0869ef41f7178fa37b16f4e37

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e598dc34351f111c03decf7f464b6333

SHA1
07486004ebe9526d6a78f767c49680fe48004df7

SHA256
fb801511b54b3b4f8655c2ae364693e53b407c8dff9dd351d8de5a306ca2ba84

SHA512
90e210737063f97fd98579816171baf79135ad33fb9fc42f14dfabc1948ca62062b0fb87ce122ee83264d38eda57bbbcf82da96002c6c5a7c6b334cddbc4345c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4372241ac8571b2ca26705407a7c360a

SHA1
da5ec2077ecdd19e7e25ee8d2b9b54b4b07fbb91

SHA256
fc01dbc7f67142be7a86217d60380ac5cecce8d92b6e20317ffb09c48e4e0e39

SHA512
7be8f4b36aa71c3c3deaf6d7dd836d097d115dd49ed1782c9694a8fcd8cb8b36d84bb55bf34a1d5e08baa107346df8b4faea71273318211358c7cab5bc00dd37

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dfba112ffaa113e470d8b83084148448

SHA1
abf76a2dd93a49787125973dbbfc0c0ceef166a8

SHA256
63a01954cdba2ec71fe75afc8600032a02a2c613768e0daf3f5baf2515dea0c9

SHA512
46c0e507c77d3762f1b8737efb01ef4dab4077cbb7decd04038903410bfee371d2a905cc8f036e1149800df45e07fc2c223ca142efa4e906b03a6635dd9fc01e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
552e6bcdfaae96fe5cce93ea2f91d453

SHA1
db9fbab61ad97255eff3109c1a7ab38045a14dc6

SHA256
394d19b6bb844d4de70874592e4a22a1e8e7c0a842e9f36cfa12dc979127b115

SHA512
3b9c02684807edb2e29b75f0312b22d30606072751fdc3937e222ee9d998b1bb0bedcc37cd581732f2214b1f244de827c0a58e1fbc82f7661fa30ca0afb2af0e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
97e3a78e94abe4c4684d9ca246621bba

SHA1
0ac2ea5f7f206beb859f72ee38753f617ca94577

SHA256
ffe4a20154bde61133f212ba2de5819c753f4a389187e624fea9477077d6af56

SHA512
46da835845e1bc6feef3569ea46cc1ddc4188c870bff01d13bbe5cc2820f94c0cba7544af511f3915c6abe42845d0bf4cc43b912fdd78797e24e2c25bfd3d54d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
859b18cd3942b6226e28166a945a427a

SHA1
fb1662613c39b7c4c582b73f4dcb5ad4e1b886ca

SHA256
93518e9c55352d68b097d78f5f9aa696664deed0ff42b158184f5455043117b7

SHA512
2a6adbebde8f7d2d4e2b7729d94430fccad61b7742af5a8c2a4b8e39a560777a22b583dfdf876d91a6d9f3fe8e944534b07c7bcb8fdba22b1b298b3d22f418ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ef78cb6332f865578182e23845b41f7e

SHA1
5151c79329f7168b25f5557aa580723a52d2b961

SHA256
7b0816b42f96bdeeb3359ba75c25a3d6b2852a503a00b9c387b1cc9fcdf961e9

SHA512
29a4665ba957eec1b6d398960d39d2ace64495e091bfc87e4d88da9487decd5fdec8708e273f4d9e00a23278202918b0b4ae6910db5d7534ad07750d62afa407

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
73e45dfaf6a3bc1f0b569dd66aa41693

SHA1
ebc733afeb7b2ec04488638e2dcfc4754863e2c3

SHA256
0c62a126fc295a152ec192ec7ede4de47703fc9b6393b01c34258fa36a85525a

SHA512
2a64c69e3dd51865e428729ab631b789c31dcf11523de340f7348dfce3ac353b9d7e0156c1dc69fffa25d8dcc517837e2738a95c6f7a252678286a6f160caeb5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8f4f45037fda163dba641cd4faf345cf

SHA1
a89599f699588bfe8da8b746c54f745d14587e54

SHA256
433975b32724f95f90d61e02a0f6f7e15d34267716a1ec7fe087fe1a37fee37b

SHA512
e3bdef7de3aaf1cfbefc6e1f0c9a92a3658fcba895c192ed6866c94b8bff605b42e63239e186e0cee28bbdd3801a3eb5af7b27e7d3f5718b402a09114f2981d7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
6e48e8547654300da173eaba648067c6

SHA1
e9e9dc85dcde2d08c0d20859850d223c3f33c489

SHA256
f99bb3de82d9ef0a9c4fb803cbdbf9b22ec8c576cb2ccc028fad5ab43b391946

SHA512
e19d6c3e26ef0a523a4eae06f680b14ff2f9533650be701c7d33189a2a42fb1f2d0846d849f2028826e0ff9b2f789608892504c40a4d8c9e920db4e08b101673

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
532c7b41818ecedb6cb1dd24c44b82e3

SHA1
c12a581e6ddbbd7e4c4b992b968efb04536a83b2

SHA256
0fb5e28e82e4f03dcf5c32b7969aa7d822c3c72fce392f21df8cf8332db32263

SHA512
333fabf224420aceeb19946c422c6757ad839910118b5d4c6eb06f58479bb384a981c5199c3c5d4ba987db473024cf8277c04536fd97e15accebf039c1618cba

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
d243775bad174376fab9027e53b32ff8

SHA1
50007d5dab61fe794ef79f43ee191f8695a0946a

SHA256
fc50c6348c5e870293c9f5bf57057e717d0c4ac16f873751535a558be1e3401a

SHA512
179eed2dd2eb611903d4f4ea6c99847d4ee977e84a39d7f56fa5b3a743a2f8f6ace00ef7932f74eec0c657321bab0acda6f0b540faac37292129d6ff1428b1da

Download Submit
memory/456-434-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/456-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/456-418-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1096-258-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1096-274-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1096-265-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1096-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1096-257-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-339-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1132-282-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1132-273-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1132-344-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1276-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1276-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1276-212-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1416-68-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1416-69-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1416-238-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-381-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1508-373-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1508-410-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/1572-386-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1572-401-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1572-400-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1572-394-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1856-396-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1856-341-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1856-331-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2160-28-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2160-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2160-35-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2160-36-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2160-175-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2668-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2668-302-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2776-298-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2776-287-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2776-352-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2904-15-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2904-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2904-23-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2904-84-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3024-385-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-408-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-326-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3024-319-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-409-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/3244-59-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3244-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3244-63-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3244-66-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/3244-52-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3244-53-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/3520-305-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3520-315-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3520-372-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4024-404-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4024-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4024-355-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4136-358-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4136-369-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/4136-405-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4348-14-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4348-0-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/4348-7-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/4348-6-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/4348-1-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/4620-245-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4620-246-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4620-253-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4620-313-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4656-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4656-443-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5116-422-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5116-430-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads