a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 00:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6.exe
Size

1.6MB
MD5

a738b18d79b0ccb65fa7821db2b3b827
SHA1

e5389079c0983315ca8e1f919fce4dfa91cb2e8f
SHA256

a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6
SHA512

3af808dc6de37234aca501cae5bbd2a0d2121a039b52cf3f3573ce36164074788aad0d8cf585e5e70c3189c17f602da6927d8dab287d05a5da04d66ba0722b72
SSDEEP

24576:Q4iBH8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:QdHgDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3748	alg.exe
4308	elevation_service.exe
1684	elevation_service.exe
3628	maintenanceservice.exe
3440	OSE.EXE
4840	DiagnosticsHub.StandardCollector.Service.exe
1768	fxssvc.exe
464	msdtc.exe
4580	PerceptionSimulationService.exe
4792	perfhost.exe
4328	locator.exe
1200	SensorDataService.exe
3172	snmptrap.exe
1668	spectrum.exe
4428	ssh-agent.exe
1100	TieringEngineService.exe
2492	AgentService.exe
4788	vds.exe
3056	vssvc.exe
1960	wbengine.exe
2284	WmiApSrv.exe
1416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f31e794dc92b1ccd.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{6E55939B-E83A-4A23-9444-92FC9402812C}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127968\javaw.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1276	a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeTakeOwnershipPrivilege	4308	elevation_service.exe
Token: SeAuditPrivilege	1768	fxssvc.exe
Token: SeRestorePrivilege	1100	TieringEngineService.exe
Token: SeManageVolumePrivilege	1100	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2492	AgentService.exe
Token: SeBackupPrivilege	3056	vssvc.exe
Token: SeRestorePrivilege	3056	vssvc.exe
Token: SeAuditPrivilege	3056	vssvc.exe
Token: SeBackupPrivilege	1960	wbengine.exe
Token: SeRestorePrivilege	1960	wbengine.exe
Token: SeSecurityPrivilege	1960	wbengine.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6.exe
"C:\Users\Admin\AppData\Local\Temp\a3a8c8df7b1cafbdc6a3c2651fc4d62c8c63259ba1011270e4527fd102e881c6.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4552

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1200

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2540

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3a30e3b005ac9b1f8ecd10c4ad9c3197

SHA1
74912d4c40859b6e3b4de7d5ad1c5d2e37ecc8b8

SHA256
59784dc62e3656591913209b2636e3a528be05bebc268aef76a125fcb20d201f

SHA512
7ce5689533645e708b35d67ea16807e0bd7199c9227eb7dc2d56fd77005dfa474d9be3a1b619c85512496f391684b749cd5eadd7b089770de5bf86f0736500a7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5d3dfd350de38ecbf27198e263845106

SHA1
e1435b39aab7717794e1f68119769b2f27bb1884

SHA256
311c7e97eaa61922d93666f2189bd27f42fa3d4002265cd86484b125052370fe

SHA512
ca81f5791ff5a61f94169ef47edd731b4ae746fcb925bec48320c1f0d737deeb96d7831eea56d54436d4a6e7e28437f1d360ac0489f576b11620e49cdb1674f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
462a140ee787b73fad11162bb71d2031

SHA1
134f308e3ed46b317b0bb62d59d586c557d14eae

SHA256
065ba565f15406195eac35ae78eb915f4772a2742d326cd8e211958e7e9eae2c

SHA512
58ab936db0b7c3f59bec2e5df02c23ed003508162d9822970717dceae57f075f4a176d5cd8189e4a6d87320a8d722bc630c9269e149628c317282d3b8d0bbfac

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
90e2f84f7a52a94150e7a2a3574bd906

SHA1
b6b7569dadc9754e6ad9863880c81282b395c1d3

SHA256
681c00f0bc0a5e77880d85d2ac9e7a3b57b5c1dd244f455ba7316bcb991b0162

SHA512
0c6c20f22572c22b1762d511eab833fe4f356fe22756fff4a560678a24083fe98b1d9ad91dde1798889aca6f1311baf78c125256c2481ff019460bbfd5e4c416

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
7509d9672bd96a2bc72e62670c563e8e

SHA1
9328d10cce50b5fcbbd344170da29903936326c5

SHA256
bd292c20cbd1d4ddcf04771b7c08d8db3b90132deeb058289b312b56fa5585d1

SHA512
1dc21d85a6691b153812c0b7eca67df14ea4779f5bf39c0717060883d7c0e0765e80f760c473019d99d088afdd617f85316abe477c080df2cf9c9a97fe4710bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
efb107d642b95bc7e3eed496432e446e

SHA1
d8c196a126f32fa1660aaa0333ab185db2704944

SHA256
7238420872fb83573ac9d035719deb4f377b3000ef5deda92fcdb5fda8c5378f

SHA512
273805c2496f4752196449c2d8ed2ac72d24b6fb1cef76889c6878681b8f686dcb5829a6860dfc2bbec9c400fdfe06e931dc2aeda1838ca4688160f8e832d075

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6846e023ab36a1445f8be5cb35e65a0d

SHA1
224e06a7c70c57c6a060f8ba286983c7c4a7c288

SHA256
6ea4d1ab3cc060c069238a49297514ecf705834a97b3eaef085eb186c8da710a

SHA512
4408343e57ce04965dfffd20cce0fe29b38d163d1875ece90055a7090e03f6793c34d0248b30710e653452dd9c55b7f2580f9839e1154d99f6179eb00f84e216

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c80e12b97af895c7e6a0108d64a9f0f4

SHA1
33a52e70efea881bbb0f0f2bca9cdb93c92ec51a

SHA256
e120d15461b2b06064f296d5f3c752aa13200f271e97a614fd00f20496442157

SHA512
abfd545b2a1b8f99a960c89c70d666a5aea438f474e8a316dbb1028ea8d7038ca8a4a275bcb4a6bc2385bf4ab554a816bb600a90fd544f175a247cef2196645c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f2ba9142eb28ce45b9bd782ed94233d3

SHA1
f11dcbc2cac87fca61bebb303a0e2bc2f4e833fa

SHA256
53a3a63eab860aac72614ffe56a06c78f1ab8269d0b8c3719a47f81dc1ffa026

SHA512
8a7e5cc5f785424cfe404f87ae22290b11e258d65fb2245346b03bd44d6b7492f2691db4439006097b7768549c54f1fe8d9b829c4e8afe5803fb7e407fae0144

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
512KB

MD5
d0bfc977483bfa33ff62288d531b38a0

SHA1
1c6d9f8d00afb9863b70c10f2de904827d8c8b75

SHA256
05a104a09b832b951b42dd0308d31de160d092dba9be6cdeda7674be427befd0

SHA512
129376f479a9c60ebe07389f7b22faa0236d0e027101f77dd4fa6c0349466e022a0c4fb98079d31e212ad598899b4a2cd31f4da9b3dac7150978a39ccdbf07f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fbb1e2a92e7c749484725a84a509ebfb

SHA1
2d171e288a869fccae143d1e6459ddba9e5badb7

SHA256
1ff1f9fde9acd2a582173ad89e2c1a853b781d6bde1db75aaf9f40719f7f64e9

SHA512
efccaee894f9f2f1d5d20005ca3e5f3aaf161974450d3c8a9cce2be8908e24f39896a99afe3c97ee7a470895d4f9aeb9cd0b2da446e3a1ed7ed7f637a2e43961

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
640KB

MD5
bcdd025b8531b4dafc1224efe497d06a

SHA1
9ea9fc2c84ecd0faa7d31db0abe41a3b74d1a112

SHA256
d9404579d1ede0e6897cd0962afa7a4c4dbc3ac6309a6b0597a79e5a384a6a06

SHA512
e40fdec0bf544b60d5f6989e02e7393dc4a89d510d6e491674e8ac0fa92d7f3e4621f2ee8fa28c1c8b77dc49806b08f67b85e549433fb57bac2bd3563229eef5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
14e3608a4d574b8807f10841761a7996

SHA1
31b96ab80c9a7c68c4bc4f0ec87eaf8f4dd2ab20

SHA256
e0d15fecc1b997e0392490085a9c9fbf030f3683262113961fa4e6224ab71694

SHA512
935540afe1a6e1f9164704a22dc97a6a244e42ba749650ebb0dad695468273238451e68e2dbfb40953f6ab09c7451d8e475141a095e03a53d889bacacd95798f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
b4dc7c5176a11b26ee974ce37dab9e68

SHA1
cb3a6b077dc18f0e842181ff510f899eab254366

SHA256
cd17520ac5dd4a0c522a089f716fd69b71f038452935bfd80888eef38623296f

SHA512
b66d3e40c8038f07d3430bdfbfc1081852b89c48d79d8ef6229411b89c715867cc58c7dddb0b2a4dda00428ec69ec5af73228f19d22ed3037d4a5d255f31750b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
9bda182beab8a993a7caf24b62096abf

SHA1
d4ccbbf95f953aa48194e79e308ec59ece116d87

SHA256
cbc3999ed933f0155cfdcc9d59f6c7a056726503aaa865229519ebf4d4beac9d

SHA512
0463f69a42fc543e3691d743342228a028d535199be3d3390596dacadd296188af2cc39acb75639858b73381ffcef9aa2be6d1ae1ba3c5cc0f73a386933f2989

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
2ff3f7385dbacfaae8c07ad0810c7279

SHA1
3155ff0aa0f01c3f7203c02966c580de0245f388

SHA256
680dcbea2e07af8be8be4d2d3a2c97c9ac7709c838fa42cde227104f1481153d

SHA512
d0ede0744e5e600fedfb0cdb99613cd69f40b2f97c3f01af2449a15c390515396f0623cafc0c1d6911b3bdb80aa3bb5127c0711550a735336a98bd9b2cd45f75

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f124d46e7f213379f1d07a863e085bec

SHA1
3ecf9540c5698534532a2c2e75b2207b9abb9c3c

SHA256
0d49c6f96f81df9075e63126419c0ef495d6b8f449ca3f4f4ad39c0e3c5db059

SHA512
6f05672b41f79a4bacb4ce9997167fc9a9148817a2005f78c70c0ccd8a0e3bda5508ea67abd1a3234890de56c75069c1cb34b13e2ce3c268b8b7087d4027d633

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4d2a89d332ba670cd43c844bcdb4d376

SHA1
34d4a476cc2daee0e5f620f51b03bdf2dab36e91

SHA256
ef1298bc65b5cacb8411b3dd7da26476189639ebb27506989eccb214ccbe9820

SHA512
8db61dabf66d36cdeb5f4f154bbfec28342f08de1273556b87e5ea13b1e594e55566ef756cfcfdf6d8b8b012d8529a80af6ac66362d7b3c6f904a6b5ca61865f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1c8ed8d7ed82b89337ed115b2504de5e

SHA1
d11db1211c03e0cf90ef41e94f76bfd881404f0c

SHA256
96913ef86e49dbdc1365e400b59b93b0bc92c0b41af841b2b4dfb17310d3810c

SHA512
30f028cc4a82bd2fdcbf4cf3394f26433e56c1b9dd195e97b23067a0024e477c8c399125423eab4feb0c2c883a4e84b621d23563b5767b883f1f244e1a939fcc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
384KB

MD5
ac741358ea6a595819bcee9a926c30ff

SHA1
79e394abcdfe34e0b5f80ab37da0fbde543409b2

SHA256
9a3de9056622e9408ebd8f8a46322149c17486fdad61b084942a031c63f9d339

SHA512
1f9057edc42a5cec13eb6d7913a5939c3a7922d58cef4c48174736d1a7dbc640db793e5de05239e71f8fa7f5efea982b341d8818f09712f45fa3be809c350a89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
b64ec9df64e11bb94fea6acfe3d1a9c3

SHA1
9429bff431c89d9dff7dd186e93ffb387ed3dc4b

SHA256
cd241e34e0e2d9150bc328892ab47dc45e240047849436c4a3500be4f6c46ab9

SHA512
336fa4deecb5913312e9effc96f07b9715419ac1b3d48a93e7aa496bb90b3db21fdacf47ce87ed62fcd3fcad54ac63e691616949ae5aed8482b6928e3b86ebc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
c0a5df143a16e88c4df156a5c7b35335

SHA1
a1d791885a0b472d9507c5015cd2db5a6f04ca99

SHA256
ad49518d8b77d7f0cddc553a290cb0cf7bc523915ad25c6981ee6cd9c4d66e0f

SHA512
72d4876fff288a38c3869cf96a49fecef5c4efb433efa6f226cade2107ea186f1eb1cafd5c6586cdec3599314aadcf221f45d328842d65b7554c7407bc3b6875

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b39a1f4df69166694811efdda3d9d551

SHA1
c4f203cdcbd4ca8658b85dabe11fdb6e33210595

SHA256
f9bc84aecaf5f299363ee346f7510242ee0228c1873310dc250d240d4e7d961a

SHA512
a2b5cb5127700aee752e67897869b563133fedacc9ffcc7ff84381f2cdbea35161483d3d28dd7984897e02bcca75e26050fe7339f71758ef19d5fe77cfb71223

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d0c449a298e5ec22db9a6a52c6100d53

SHA1
766910f49e330a887d49063797fbc8b15089f9bb

SHA256
6e6048118ce2dcda71185e7a51255b976fabbf89c22f73cfcc43d8a65b6b0a6c

SHA512
c3104a854d9cedc5a4f7086c220dd62192f3cd1af80adeeffc7ebe5e8be74c6d209fd14f499f623a5a727c95f36e8c2169ff3d473208d40fd42f0c850894fd72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
12f3386846ed5ff174c469e3b516d730

SHA1
e4768591480a35adcb789be362e0d551cd2fe5fe

SHA256
e7f990203d3ed12b1d1720951ca64a3c6f198b56ff49d9e43972382ffc711766

SHA512
c0b2bd8cbd7f797bb24045ac4388767932f9eb1aae1160037d61ed942c268fa52926acc1ccce77258b4d53d4519063483aa941d43120d0d7418b1bdcd944f54d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c649d0f4ed63570e8df8e44db5a4d738

SHA1
82232c725c6ccc12af1976ebf079266536e2e8ed

SHA256
965c3480f4d7fa8a4e0bfcc43ed8946e514c44131eaf9cc99b7bb8c7c6f93b30

SHA512
9b94c13be1dff13a8979fd3fd0da7bbaec415daf2de916b09f36da4e3ca24f1d1457bc5fc7e461680bd20822a426fdedf9d25f4bfc79a5e534ac8a68b62104b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
b19b0d31aeea60e859deea920de90a38

SHA1
48b5bf919642da64c4a76e4cb2af095ee286af78

SHA256
a1178da37dbb2757a56ed2b70a7c8941d65859475a9a690b434f21b20dc5a98e

SHA512
9e145b5f0e25908ea2fb03c37ad5374389cd5a904a5be0d13e26d6b5f6fa5917ed41638c81d64b6467cb05ee83719ab1239fd8b97ae92028785fb7273e5f905a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.2MB

MD5
a21b09fd884107e983e069192f6ca5b6

SHA1
18f8a275f40dc367898047c80388c99e95c5e2df

SHA256
0ca00e4653c49a41af96d2bb6929def01cd89e7e33419e5a941696323bfaa019

SHA512
f5ebaf129344ffac891eb21c472f7176f430890e7c570f60140af96a803935f60760f16757e5158db198d7348f880eb575050bdddb2e52d37f469b5ab8354b3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0d07eab339bb7c6f966d89a2ae1312e9

SHA1
b058497d758d579ccbb0b138b15e7a939e0496ec

SHA256
842a3b09292672a28ce6a981ccdf4c1b6be7001d7851909aa44988417c93947d

SHA512
e43973a0eec7a7b4ee79fb0565384bfffa87046334a23258b003c35fc232d40c4fed07d6816359547dd4bd8c7302a976f055783d10f8847ff882666e002f3faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
85a1e7df65846a9b1246221fc4c4eb16

SHA1
3321de983dfd7d6b182d01afde14e60701d9d320

SHA256
d3c75f8fcba337244455eee1106dc906b00eafdf5c61839f82b8feff7fac12b3

SHA512
487659b9d7837289842effd3acf60b21dfca22b37dd27aab57f8709808e653d42be17a6670df54e04cd9b4d6a59d4c8291ea91b073da080688fe60ffc97fa8ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
47709ca5f27c2460e086b5989930f173

SHA1
6347385c58d376675b7e3cb8aa9cc345ff3229e6

SHA256
bea793021cbbf7f2c830d12a600c003f9332ceb63a729430b594f794cec34ff6

SHA512
523c1c5a8eb0b9a59c18a20e53815918572e3b8c64d7e682ad9b686ca6732cbec42cf8f4e1e1179917f5ea8a02b7de909fedf6836da606a6f1d4330161b4e55b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
b75bab6420caa57a352601644db25ec0

SHA1
e2ddbf092b103b0f0922b715af3975513e670043

SHA256
28c1398df9abb7bb99ea575d205399e72c2d69d7824615a3e737c51dd5a36160

SHA512
def84f8792eed2ae480dc1fbc18e3033acee49090a863c88953b6497af233547d104c3c8c3685aedc80c6867cce443496c6a80248bfa1e104cce7921a0bb5f09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
960KB

MD5
9ae762c144b883ef3f97f3ddbc9bf70c

SHA1
c09bb0c96e9efbc89f24800d68b2fa42e455a961

SHA256
a4891dd83e0dc937e175d56e0feda80006e7b3bdad06a76f1d50f6cdf62cfe21

SHA512
f9baa3ea80e4f775e400e57eedf5606aa5a7a12b74b82264a88049bb2fedb3072fc90f00d3b9e551ada5d8da63eadd3c05e88988daef8863d60913ad1596e6f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
448KB

MD5
774cf143bb8e6e4f0d0fe3d55f8a080e

SHA1
9d30fa50f31380e7d303c8b4b5f02329bd563044

SHA256
3d091d629f122a29717d8c2c7b912c45f62d7b107d53e09bf8a2c7abf0f3ae0f

SHA512
323a5be42b8c1c79269f821f6e74d3c2cdec5f1f8b03762511b3838b62e8cc8f008b20cb150e97a6f90f2a065b23965ecbf64426952e8a0052ef36ce555299fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
448KB

MD5
781565104244c3e4772c22daf2c068e9

SHA1
2150dc27a2229ac3b81c48e64d990f1e0f23980d

SHA256
ae265e62a54e8bed8dc1a4007395cc748cbfc45bd4675930add2ce3d78225bf1

SHA512
ab37fe17b82f95a588c91b2f969880569fb12f4fbd0e3cf77d99e1225d9784e899f28b18df81673f1e6bd4b4e8c81967e358c8e31748c58763c530652631b620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
384KB

MD5
8958940f5e65d3c7b0ca0ef443d86d05

SHA1
c5d90236cc3cb5eba0e75d767c455e9390885798

SHA256
c353c14e7fbf48dbef9497209aee58e571d3427fd43ca0de4184d2d3268ab2f3

SHA512
ab5d7f133d198c5113c167704d4649a63be61e7adfb5c4a9f4a7cde6f32e4cbcc26af0ed405c9d3f8769b1b751fb2966f549fbd7787c7b8bd9d53cbd97784b08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
384KB

MD5
765afee1c9f191f712f247d4f926af11

SHA1
2ba2516f078c084484976f5c8583db311b05bb65

SHA256
7f92072aa7921149152515a7726af0a9e1e50007d1173baced61f777437f4651

SHA512
c5156bb377fd8d1bfba279e6be02c71101d523fe667360d0046215098ea23a4242580c727495e33705ae29df76517d6ceb5270d82c1d946f9d53f616e75f746c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
384KB

MD5
e68b222e21dda38a9ae08d7d7b375499

SHA1
f8a788f2a54ad475aedfd15e9971600abca948a9

SHA256
148d28d3b90e2770d0f1d59e50906150c11228128d918945b36d716f6a4f8881

SHA512
b25f0f9d6db808cd4bec55f4d712a0fe9b3db92e359531f9073e106d82cfb32baf5e47adb73d726b012148a9abebbfead9e6e292ae2eabf2d0e7a05bb888a584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
320KB

MD5
b7bbfcdb8e852482a7ffc19aa3c5b5a1

SHA1
ff0df14d5a4f392aa6a6ff545acb80fde1f74644

SHA256
eb8a515220c6dc1e91682300c642b6194070c0a6fba16781403ca7a079f378b7

SHA512
f8444035af002d141524cb1625866853f988e375defc188d4aa45deb761e5418e9c2ac40f7f6a5c6da19e20f7c1dbe2ce8dd364048723603b2e94249835e5509

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
320KB

MD5
96276850a8e09bcf84f4efbf865d3ebb

SHA1
21ab1ec0bc48390e6f3d3a4ce8310542596a3039

SHA256
ecb20a71fa8f21fd641899f59269b04feaa421cd6ebc35e17328e37c303c6349

SHA512
686778ce743559a0724e65f625557ca135eef31ec91b0752c173dcbe89f8f759064d1f9bec345dceb93e7e84f056cfb2f38cb03791f21aaed2c4a1c013139efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
320KB

MD5
0b842b4a65c2a65c465fbb7b6ce1133a

SHA1
ff3841b9c4e0ffaeaca825727b56ad5b2c24b6b0

SHA256
1cdade78033fe451b1c1e20f3aa0930c01b595c9c4a058c90bcc0757fe23675a

SHA512
40940e1e7fb71498d9c17176e35264c3ddda4fdf26ad249ccc2ed0c68aee3c345c7666ccb5a013ca237d01a52cc176cfed1c90a602bfb2e8ece18d7b83ceda12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
256KB

MD5
15e8092f0911e6cbb9be910d99bd08dc

SHA1
d1c79ee92f92406f1bd4de5e9d6d8cb84e24fc30

SHA256
54959097639e1b3207e0278800ffd8f40d5ed998cbce1d9bf4cfc18c2bfb6c76

SHA512
9c9119df8cf6201370713de4f2dafdf43ebcea86f4847961aa2191dbb82088fd067055c8fe60959b55f945bac44ec2aff68e279b044665e32ade4acd105b6177

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f0842b0801ab36527bd109cd34d9416b

SHA1
2adf11445a1f581b437a9c117aabd2a8cf2509c0

SHA256
74ec9c2dc2c5cc18ea16a6b1972baec67142b1f1aed782f5b9ee48c3af8f2ae9

SHA512
9199c3a09c5ccf5983b52cdacb09b1c49dfd505aba27670f0eef3d998819f957e6e8391c192c368623f90b49e744ef08533361b1fb61472bd11519f1a977a4dc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
5cd158d9448a7ddd18c6cf399e8d65a8

SHA1
cc116c3481f756a62ce3ec64ce38a437a8a2892c

SHA256
61781aebe0ae39304d76df9bacf4a835bd628cf5d06da2d0881f04827aabc68c

SHA512
233188269651f11351c5e296691b835f915e1041f9645e77aacc19633b38f6fc0040b9a6c2ce0e0f8c91682b14e0b5543df5e2b4e93bc75fed85021737622f52

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6da26bc96bf9138b7b46553949473620

SHA1
afe621318cf4a12aed5e3ed0df11f6adc35f9d73

SHA256
8592d0d72897e56480e9f8782005a9cab6962179d250b38886187446b7bd4352

SHA512
9c4d4d5d109b418308fb708e218f76a1edef8fe0a78e395614096739416120ae49522f81afdd9052df7ce537760a27160e7ed1e976e398b9113f411e41cf4d0a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
31bdfbca68fbf749b63e16d5dde0f22b

SHA1
84e0979c07add2c3f0481f49922cb591b11afc03

SHA256
0f011bc1ad5b3e0460ca98c6f3700ebafd3b7e7b86cb8d9101cc4efb3b7b7bdc

SHA512
dfce4e099bc02c7f8379e13cbd11c611ef8e83b1c0c1e1cc1b7c9b7efd4497a2f31e940dd50b4a9de0dd8b89496b3526230543caf45c76864255cece02d35800

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
78268f1c424bc322dd58884a7b6b555b

SHA1
6f90a89e259992153fb1eda68e765bd08e949814

SHA256
2aa4b3f655cdd9e0b7166c098bba5549aad1451b976598a8d4c2f4f4464708bc

SHA512
dd303541b6b80143a173623711b5d4bac4743d1c223037301e54f8baa0c78b61df4750b5c890cbc142e499b490caf8a825b8a5dd4fd7cf618f74fcd733650232

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c2a5c415a172fee0415822a51a9f884c

SHA1
e22e0ec0f88f0dff0b170015b011313b095774e7

SHA256
ba0e64cba0794912ca5882983463967684c0cf2041007febb8e8c2af88da667f

SHA512
35fc4a295d9e659789c7a9186781415222c84b5b499a77d1b5da106b364422729b2734673f36f7a18c74194120c201cdb1f3fc66ecb39ac1be8dede8701470a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
557bdf08a13fba5d78043c3ce82e1fef

SHA1
c77dc1e2eea5717aa79e7a6e1fb3d9397d76cd4c

SHA256
895a8578744be7b76c25b80bda4b34fc3bfae3c249dfa10c6d5dc17463035c30

SHA512
1d92b43e0572d63809512170be023cc41ffc7e067074e7f6fb55bd16e49e5aa0f484baddbfd976414fce472d8e3279818c2bff89428f7e991850d551683c5057

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
f1384507ac148bbdd777140a14031ba8

SHA1
12d55648a1a0a30690a7f79cfbaaeca3eb30478d

SHA256
f2ddbf8e9763b035be23a655101cd3e30d1749757b41459e3ae6ea6dce8aa032

SHA512
119621e464f22957fbedcb5bbd6687d52b2d143af7605edc454e283dffca5b127498d52e28f0c9c1a320908f945f1d33947ebea30c2b0bcdf60531e6aaf1da98

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
05df93b4c6705af082ef547e97d7f56a

SHA1
d9117b652f1cdf54e9e34357dd3511dd5e054b5a

SHA256
fbbb3fde440d8dae0bff6f07eb3dade4ec163e896c6031a4810a172c54876796

SHA512
7c8a0e4eaf729493d9a4e0b4ce30179010051f7b514af85e9a05edec81dfb8f38111ad6029a608d72a008c65ca9ecb568410bcd8d96857111b747e2257e07360

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
10a30a650e1634e3328d196f873f904d

SHA1
dc4a5415938439afc9290e4a29d30235076e88ad

SHA256
c7e292cee13c1d1be42b4972bdeff8f37e50eaa032474a42b023d63bcd8775ea

SHA512
0b3786eebcc7667ad6daa75a5e1c164dd6cc45c7965a7bff44afb2945cebec8de8859b5bebfff457d2cb6752130d6a6a8dd73247635c7353953607fdb9712f99

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f2e85265c2280b164b39a43266e64f3e

SHA1
169f22b4d86c2da51e3cc92ee8a2f3c960ef4b8e

SHA256
49b336abbc05e8f901b9eee2288869e9563a89eb2ad35bff24a5df27ab1afb41

SHA512
e61c523681db7c5b85bf4799f40f43a0726bf893513ab3ba16ed4cb9a6dca681e466e17c17cdd1683f43010bd7c8785a789842c97f0a080ffc9331d145d406e6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1024KB

MD5
ad86f38609d66d2c760db9cb9822f26d

SHA1
d44a0ce78b30660444bbc5a783fc69f7160330ea

SHA256
6bc37a346ac253a82ed01dc4c17d494dffbb73458bf2f18684e5e6c19474e01f

SHA512
7084f138937852b2203368bf2e5412d4c3b84bb92fc92a637512604d52ff6c64fc4dd696fb886bb85474d22c3b4217d1bcc2e6ab31e5f7f76d85542d7eb5ba9b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
050f811f580e7f87fa2c27ec57b74664

SHA1
b982c61ead12ea73ffb4459c7a03bb55f97d4686

SHA256
641b158150c1942f21248489e21e2649d470cc566188296558e23f7139557256

SHA512
fd301e202ac7ca4dac5f4e953b8c47294b5ddd646db64b7bb0af517cb03485380996a4b3b7d609f717ef3a726e400a6a79ae9c0a1a91c5af097598530008d821

Download Submit
C:\Windows\System32\alg.exe

Filesize
128KB

MD5
ad8930608faee6c44440c1188c0859c2

SHA1
efc131a64c51147787c8db7bdd80101c83ba65d7

SHA256
915e76559cb99a12544995f6fbab8601deec7c6a3833d2b7b9445f4d15b10844

SHA512
4071a56477f263cebd1aa80f0a477412d5fa628b1cb4faa0d60cd9c0cfba47cbde1bba406b44b3976879ab870ea9459846c923456c8d5377a5f32e6ad08de655

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6369cc529de88c5a0fb5c282744921af

SHA1
8a25e0eba92648d6b80b3fd58dc0017ce517fcad

SHA256
52003312a16ccdcceacc4abf84964d5e510b06f6ab7f1f66f163ca2119f43e26

SHA512
91c31fa8c0be7d1f02925732ea7985b371eee2c4d7a8b0dcde27052de72fe58877d9b56ec336bd90553f8fa4b3fe37b5f7f43c2ae1417d5d278cd486437d0d35

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
8a367622bec90f453f0c6879a759844c

SHA1
b42889d1109fbc3977fda6c3bff8331b81b92c88

SHA256
1bb7d6b7d0636a5e7cdd9a22b7bd76800e0d9d59d0f19b2e2b51efa17d74ee51

SHA512
4dbf8148f536ac5e6fcd0658f9b0a85ef80b26f32e00823fefc59c54533038fd30110bf4016cf2ca89ddf514cda3562858ff8ed85a34d3035eb04ccab03868b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b82bbdd79866da92837b9fe52ff34739

SHA1
45216b004a6c53bf9e3fc6600aa9669c0d85b79e

SHA256
e8fc642551c094b1f3301c39c705ff6293ea3865a201006e9d0d5f9ee3f9a6a8

SHA512
8125e9154e3003fd08148036ddc85aa350633f40d7fdcc80960f557b6a865f006ff0cac004c8ba3591b83d8adc55edec71fedb9297013ab36a7aa2d514c633b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
231b0a7db67193875dc1347e04ba695c

SHA1
2937ddcd2b59ada9565c37b0ff09989b3f0faa6c

SHA256
04634a31eb38d06f1b8c5740bab1393c9188c0957cd2c2283f1f2a13afea3917

SHA512
e396e89d764a5d06d3182fccacbd7957131370291353a63e1dedc4d4d2fd3323139614c1f2e37b4b3ba652fec2423f3c5000beb1a7059c2dd19e3f2cf4a1df42

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9c2e88395cff81afe3f8f10529ae51d3

SHA1
bbf6ea5a05c46c50fdbdc8517b3fe5cfae674b90

SHA256
9ed032e467d93252a872acb9c2f4034f6060a73ba1b881092dd745766798dab7

SHA512
3c6a50b1dddf90ab1563a135fbbc6af146680686be9f685f560c56290f4523c002b82604f54ce214d6a15984ec48051922251582a2ce804e8762e2d0abbf6124

Download Submit
C:\odt\office2016setup.exe

Filesize
1.3MB

MD5
a1655263c584969f72a5d20f06682e9d

SHA1
81fb8da860176a19e045bf63e94c45a8900d232f

SHA256
ddcb09d8f0a891462350d07f380d333b6f3888090aeed9423c1991a2548b13c1

SHA512
e2f0dac15196755585849901ace8707f530f41115ac244e7adddc9d34fb2b677fb1ca6117d299f723920fb94c5f4a602cce0e2fecbaf99d1e39270570b293a28

Download Submit
memory/464-338-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/464-282-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/464-271-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1100-448-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1100-389-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1100-382-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1200-334-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1200-325-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1200-392-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1276-37-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1276-0-0x0000000000400000-0x0000000000595000-memory.dmp

Filesize
1.6MB

Download
memory/1276-7-0x0000000000C60000-0x0000000000CC7000-memory.dmp

Filesize
412KB

Download
memory/1276-6-0x0000000000C60000-0x0000000000CC7000-memory.dmp

Filesize
412KB

Download
memory/1276-1-0x0000000000C60000-0x0000000000CC7000-memory.dmp

Filesize
412KB

Download
memory/1416-470-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1416-462-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1668-360-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/1668-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1668-422-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1684-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1684-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1684-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1684-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1768-273-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1768-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1768-257-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1768-265-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1768-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1960-445-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1960-436-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-449-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2284-458-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2492-406-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2492-405-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2492-402-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2492-393-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-432-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3056-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3172-409-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3172-341-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3172-347-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3440-66-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3440-212-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3440-67-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3440-73-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3628-51-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3628-63-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3628-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3628-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3628-52-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/3748-84-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3748-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3748-13-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3748-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4308-35-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4308-27-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4308-28-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4308-148-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4328-321-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4328-313-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4328-379-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4428-376-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4428-435-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4428-366-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4580-286-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4580-297-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4580-351-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4788-419-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4788-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4792-307-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/4792-301-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4792-365-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4792-375-0x00000000007F0000-0x0000000000857000-memory.dmp

Filesize
412KB

Download
memory/4840-312-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4840-251-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4840-252-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4840-245-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4840-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads