23dd6a8feb30c157b415669d085f68fdb4bb8086bc34ec5a462fc347378a0868

Analysis

max time kernel
90s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_7212e7e3c09232830c1766a65a8b0fb5_ryuk.exe
Size

1.6MB
MD5

7212e7e3c09232830c1766a65a8b0fb5
SHA1

f191e13d6580ac6106d987b104d3e40eb37e0400
SHA256

23dd6a8feb30c157b415669d085f68fdb4bb8086bc34ec5a462fc347378a0868
SHA512

34d538da43e35ab4f5b31bdbf6b8de27f546bc5c569953c18dc7b10a6b0493f5e077232f49ff600a11b322e3de2218650f189b4006c99d3212212fc8aca7054a
SSDEEP

24576:0TfnpwJ+RzV49pFT0SLTQYWkK2u4dax8C:8fdzs7YSLTQYWkK2/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
636	alg.exe
1500	elevation_service.exe
2760	elevation_service.exe
3516	maintenanceservice.exe
1964	OSE.EXE
752	DiagnosticsHub.StandardCollector.Service.exe
3548	fxssvc.exe
3856	msdtc.exe
4472	PerceptionSimulationService.exe
3008	perfhost.exe
2336	locator.exe
1424	SensorDataService.exe
3580	snmptrap.exe
312	spectrum.exe
1700	ssh-agent.exe
3136	TieringEngineService.exe
3680	AgentService.exe
4356	vds.exe
844	vssvc.exe
1976	wbengine.exe
8	WmiApSrv.exe
956	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-06_7212e7e3c09232830c1766a65a8b0fb5_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3ca9cca912d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91140\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3448	2024-04-06_7212e7e3c09232830c1766a65a8b0fb5_ryuk.exe
Token: SeDebugPrivilege	636	alg.exe
Token: SeDebugPrivilege	636	alg.exe
Token: SeDebugPrivilege	636	alg.exe
Token: SeTakeOwnershipPrivilege	1500	elevation_service.exe
Token: SeAuditPrivilege	3548	fxssvc.exe
Token: SeRestorePrivilege	3136	TieringEngineService.exe
Token: SeManageVolumePrivilege	3136	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3680	AgentService.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeBackupPrivilege	1976	wbengine.exe
Token: SeRestorePrivilege	1976	wbengine.exe
Token: SeSecurityPrivilege	1976	wbengine.exe
Token: 33	956	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	956	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2664	956	SearchIndexer.exe	120
PID 956 wrote to memory of 2664	956	SearchIndexer.exe	120
PID 956 wrote to memory of 3152	956	SearchIndexer.exe	121
PID 956 wrote to memory of 3152	956	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-06_7212e7e3c09232830c1766a65a8b0fb5_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_7212e7e3c09232830c1766a65a8b0fb5_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2760

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2336

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1424

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4540

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
664b3ca4732f5a1c83007aebe7503c9a

SHA1
f6717e7cae7a228751814e239a9cd3294654ab6c

SHA256
6137e52a8b1b2c289bdba1ab57b58f363821cc5eb9c23d7dce18423723e30326

SHA512
584ce86ed300c458f13958b91f80ad00717b05e14cf726941ee6aee2925fb1fcce7b23bbcda5f4e61b067fcf07c2bdbd52b31f60aad454c71e7b22931b008e8f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
297d2eaa646275459af585e4e04c4347

SHA1
535a18fd07ce57317f8a13c15a3ffe003e55ad43

SHA256
1556a8fb1a8a94d796805e3d81847c6fc7c47e70065537ba45eb21a3e64fe1ac

SHA512
615f298c0cac359997009e7004ca58feda537dba408a2c49b47d194a97c45eab32bf9b24d3a9cc8d6328ac46c48e018d5446a90306490b46124fead6d0dbcd5a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
eb822dd5d8956f12323bdf8d622eef38

SHA1
afc5f661e027b68d1354bc813d8461c25deac337

SHA256
aa6a6f943f1f7a2675304405672feb73e32d847f5f786bde6c83ae407b4b306b

SHA512
c78ef94bf39ef83fbf701c02cb7776b213b84782402eee143fc2590f254ef131985eea9ea6ff0a89bd3bceabbb98ca292a0c1e36d009fe4a973fa1730de8fbef

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cffb111a7d38fc5fc7f317b12724680f

SHA1
3c09be1648bc6ca49fb39a17ee781edd3079ec7d

SHA256
c6ca5f0c1b5496dd6e4831dd580a4d1fb7087c5de07bad1868c116ff2c7b5534

SHA512
e3576af28b029634a1466245a27ad3c125894b3379198e243213434a9caedc494105a06f8bfa0dd8ac56521998d0e1d8658afee627c141deb31b2ddc4cf47d54

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2b834e84209371cf6bbccbaa55054e0e

SHA1
94c028ed3d03a639057ba68a41ed974c5beda60e

SHA256
bde0edee3e92186d0cedaeb33ccd4e6f80ead39a36316a223d2edc0bb6b387b2

SHA512
94ae6cc200d1351fc2323191f28e55f62ed52367e49704dc25a190c36deb5917acec609949a952f7c316d198636f6d9e83e912dcb60a476684482b85f27b4301

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5db4bbf1a7a808efcdaca6601e21db24

SHA1
16096febbf2c305245f76f8e1612030c6c8a2653

SHA256
01ab82b58bbb0a7bb4edbe8d85925639083027f426f964dbc57bb66fd7ac7ba7

SHA512
bba22d14b5fc8f2e2cce7bb63445af557ca277a57177500a3b6f619bca08c36c9293b6d6a111e96b085b2efdb24ba1fcffd482e970030a119c927cf46fb19651

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ac680a94afa43da6bf16b9a78808742e

SHA1
b091f5c45146a2390d08f2851eb7f391eede7830

SHA256
7412580ab6f901beffef88f5d7ad6878873957e67abda46e6eadc0b9464b31b8

SHA512
dfab96eb40f8ef82719bd2c22346005957606582c6aaab17bba83fd6c000a4aee76eb8b2c8db980a8dff6c24944f7aa3094105b7d74659440f6a004ccd61394d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d9d1a81c3ba3dbce4da245375e5e9b2f

SHA1
8aa53b527b99b44677b9f1daa61be835bf8b254e

SHA256
db276cb993eb2d906a79e5c58d27594d965dbb32421397ade9584c02fff77136

SHA512
be10715f4ab19fc39ef12b05c3b918476fa9894d8bdf148bba38c496b43f6e2b844b0e172e8c21fd1e3ff587e5bf16b01205203f69c70580856b299c7d81577d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
41f1c166bd76b96012aee61cb0e13b18

SHA1
1aebe02340eaedbc7ca3c7437dc7c0f32ee24163

SHA256
8b2106861771ef1df11de3a069b3b232e1e79f1b10d4d24792ecda3f375852c7

SHA512
c9b86ee78b6572e777a0293a159c74d2c6aabc6729805005ec3264dfbb87c8518a241e5a4b3c250ca040f46bab2c25db819338ae99b8a6f9adad00ff83de1006

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6c6cbe9c634351f9e8318fa253b7d621

SHA1
900d91c9629baafb3a85c9e08ab6ad926e9a9392

SHA256
71528bc12255145d81a4585dc5584c9390f318a228bf8223f6d38ae325b3ebff

SHA512
b97915497e90597bd90c2483697eb24cd8a8df3a604c9b9291b9ec79c515742612fa5733ec741a8a429c10fa080558d7d63080758a42ccc3ce86aa92c1c7ec96

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fb1df0f3390822dfa1b02b4b13d7ef25

SHA1
f0f15e1b079f1c63f6a6a85d67f864dc3799b10e

SHA256
e3b0c744a94d33a5a68f9330d4dbd5f5e9109d4591d72abe95df603bba2896b3

SHA512
6fca130e098f5d87a95858054e6e88b15d7dbaaff5bbd9aedb71b82cb3d84275d29a51933a1cb9436a774a0f3b812263e5fc0ed34a15e89545a2deb47fac8250

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea02b88b4a2f848c9aab21c8a298b0e2

SHA1
f6a2e990d519b3b68c9d6b9bdd9cd33e46e0b428

SHA256
44522a432bd1d45d3ab3a29fc8106dced5304c32a328eed9bdf29392e7d98eec

SHA512
f80ea5b810003282aed3a3bbcbc0f26602203a90b232f2444a3cac50ecaec1927b78fa18bbbfec78233a3b9f9a0bcc10d1e4ae6b8355cd3839dc79505ae3e9d1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ab0f8fe75e7f3e14ddea0badad50d696

SHA1
254691b286c802d15d90022fed39240226755ddd

SHA256
e1f73a84964e6168443e29c0378db230eb8e7f76e8467d0e7d6dc7fb39456cbc

SHA512
cb3aeb1c1f131c9d5f20780afbd2ba43a87b5b96d3831946f7d915015dff433ec65bfee65e98ddf995251a643588e26115c821023714d0dd1557ea5798fad3ae

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9d85ceee90a478fab48bd13d352a8098

SHA1
64f2916b78ef3d2896b679baa6e3fca1e3388943

SHA256
6ea7badd4629e4aae5f357f51cd267c4cec1c5b4913d7ab8b7bab60243850e4b

SHA512
cd7cc4080be7f9a5933760bafaea34c0d82fa84d44153d9d2192c3d2bc06344c2bb5682f83aa744c6091f56374706e1a7b8f7620f3d45f04d95f5f934e9e54b2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
868dc515fc48118535aac2532527c071

SHA1
7c1d7b3744182389d3401698891642ac093f9d67

SHA256
d8a884bc99f0899cf62db8815248a396efc0e7664b4954db6bb8221d314560d2

SHA512
8ac9a716a2a248c12cdd733a40552f370829146428a2e7b14102f6357d025317b7cc081d65df2a6cdd3f7e0a07be79d7bd0c17634c1de3420710e7db68b4d790

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
cd21008698b561dbeb846a622f281ee0

SHA1
c4cba25160d3e3a73632e3dd26de4d43552d9d48

SHA256
4f356cb729c7e8de6eec758dc0be99b64c460bd6e36c434e24bfa9ca01d53b3b

SHA512
f172aac6f434cc047c2b209b7aacbc31d2af6de1a838f06bc9fbbdcca822e15a1e8a3d443ffc2df020dcf264b26b7fd5d7dacdc159a03d20c2bdbcd55725a206

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5c4d708cf0c2235f1edc3d772c7497ff

SHA1
f13a8dbd2dc214ac571afdfe4f58b61a06e121f8

SHA256
b1363c305ee4c5d83eeda7fd8dc25a428aeea70a6c16ce4682f393283743c5cf

SHA512
cd169d26f70bdb611262ecb977c3ee6c2da4d3d3bc32a5159ef3ea88a4e729eda7b69d2433d3bf80d2044843f82da7ce76194ce3ddd42ccf630aab20b98def85

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3911b9092423f8b892a7c7ef2baf44bd

SHA1
96e930f0bb3a1c3aee05e199024bd8ebf1d49c07

SHA256
5db1d5adc690b289ca0725e1546578a47464383484d97026d2a2c0075acb391d

SHA512
a801ac6caa24b55cdf2b4912a719d1d0f3683d71af9ce3f81bd6a252a948a297f9b813b2d044669a0d1aeeea44725be869a795ab40130fdf9cf9f3161a03b02d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
3bd747c437c8972ab3df4c1de24ac5e9

SHA1
6467242393a3b57b72b8e98e4cda4e5f5c598330

SHA256
ef4d5953c8b5701a4b8dfcb69cc5174d63f2f4369df41618d4ac5efbd5a1b02a

SHA512
b682ccf3188824e66747329bfc4d5bee53c8a3731aa3f81d82911693c92573a107fcfab257000558d509d56e34a2cd8d92d755b4bd673c588afcf8a5b09c40a3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
24622153c99c74ac8868fc69c8cbf7b9

SHA1
34be2115ef42eded24f72e371c70794798c106de

SHA256
bfd6e0713596ffebacb21bfb904dc19fa4d390b5e246657edcc5e65125dcb3ef

SHA512
ac6483ff77222463bd329055d17b1b55d4a6e2456c8aa98ba3e6a4127c4d3c767dce408947fc53aa918cdfb272ad888d83f4e769b29b66eabdf19fa164ccfeb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0c49a7e7c5d54def6b89222e12e3bec4

SHA1
d64a2b4b3d3798a16135e8cef17fa3023071742e

SHA256
68c243deb2bf474c98fa6d5e363cbefce38fae0da12589fbd8c4aa9b33f71d8e

SHA512
45ac71d3cfdf2790449425f0aa4002ea41f0f04e5f72e3c117bef88f578c7e8c56b8586f87c667e83a052a85617f65009526fab9e1c4719b6f9dff5b1a57bf54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7549d51fb5c52ced0ea90686e836c3ca

SHA1
46819742c9f8e23335667d34978abf6e8f9ea8f6

SHA256
132d6e4469b6019477a45363cb653ba9b93f2aa802dfedd9d2b81935481e65e7

SHA512
412be190d5429444f13ab916168479e2251abd485bf822517faefed898aa3bb9cd0dcdd8aefc92a221786c3c20f6a1f214f9bf3787ad1eac0ed55ed53f12e25a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f19bb3a0b061f396579d11c2fcb4445b

SHA1
5178d10c7748c76a67616d6690e3b6a99b605612

SHA256
959d09c1609767a1aaf8d576a8c4b27b01aa70f870aab52dc66d44c0193b430f

SHA512
d7f2de81fa9ede6950c6e85d7cbe667dad229ab3c9a38dd568792a679d0994e74e7078646ba2bc0ee064add96d5b5bd1e964c674b88c89460323c6513c290ab1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1ce80b5e591c7bf74bd5a63a7f2f545f

SHA1
164e2c26787edc772e7d42cf314e375170b21a36

SHA256
1e487dc249e1a337e1b72b9712d9a1bf29fe6a01131e9ec5f9cfb473d97c77a3

SHA512
b88a09a296d157c2b25d9aed9930a5af7593fbf4a8e951daafda46e8669b1938f84a9df8e57d6ee10b9965f0485955018b45207a3350897229cfc8878095dee4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
92b2c53c60678d80a21930cba7614102

SHA1
303d3e8f109474139122346b7a653846eb39b969

SHA256
9f91af79420cd42dbca776a79feb55cf4dce07bd32a765f685185e98428dfa08

SHA512
8ac3902aac962d5846b53a363821d6cda24637e4585031a4be151e004e1013225e69db95f0d0bf4f3b2e4cfd6c8f27e48674de93331b76c7b863460b498c92d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cd43b4abf13d0a36d59f47721f27ba4b

SHA1
2a72c450c1c7f74b03969061581a40fb1dec5d76

SHA256
42b3fe394afdfdc0429236035be9cadd23bb3fe64411c71514af5ef5cea2b226

SHA512
0600cd9712e4e984e33a82fcefe78cb4dc8bf02d4e5432c9ddc491b2756c2e6ac3646b9e64aabcadb39c6ead243c4f3869a59b09f2bcdce49de577f2817c7b48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
fa19ab48c0abbd46b5475401f7acd8a6

SHA1
fbd6fc37620861bdfc8e0384c80f881ab41bc05a

SHA256
a7f30b498ee4c46d3d83e2e98cfaec01eb5a0b823ad6397206067e9043a42bc3

SHA512
91d650c501f7c99595089e3906b0cd36fe0ccf699bb42ab733a7bf3bee2a83d63e24368cd035846276045a85ea24cd60fae8cc5e80235f6951e4b9d7f6793d27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
d671b80e7710e4f472a9047d2f6a9d6d

SHA1
52e6bfa468362b994ab03128742a8b4e3e80005a

SHA256
6d863e77b27b99f5129ce7ec2bf17b8c19f88c3163c8daaab3b301f5d0c22b58

SHA512
e6d9fb8a767262074a4be6133489c10be7cc5c9fd06bf2986fe1a455bf4cebadf4fc8e6dc8948e143683d82dbb8a778a3d82b6efc91f5752df87cc4871f8b6b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5f60339f8fbe6400490823852e131070

SHA1
0e872d5b122c8badb446a7b05039c4b581e1681b

SHA256
c16c856d5ef8f06feca9d98f2b6f520b0dacf7ef316a6ebad88c987faab28752

SHA512
9b208e17d4d56b787b8683ba4e7a26a5e2af4e2ddbc528e962b65cf2c7de75c44b6c6155a49f9bed3cc4ef5442414e80b817425a4d83329e3b8929032239d04f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
90e632fd4c4b76138e951cfa92966f78

SHA1
6ef705d0e5b9345f091faad631586619028e4a6e

SHA256
f6e7bd3e6786c99c8bcccaf0764d2119acd90596c78574d6df38d58762887082

SHA512
97fb920c25232e90fd06076b16d7ab1bb6a199e02a9a05dd621be4fda144baff34281e72fe3c3763aef4916a8a45d62b27d7768b81076f1d7647d9a062444cf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
4983643e7f1582f28b8ecc133978ad9a

SHA1
d2dd18827365bd4f3e9ab81d656c9dc96ae2cb40

SHA256
e6e5d638109463c0e4ac746528ea8759c154a4016ab44c7b9b981132cf521352

SHA512
7c207096eb17195814065f71e9cac7e0790a830589928c02894780cf6a7baef54a370bf857f7d81515c370b2531733823611a31e185e1bd6617bbb8d678a91f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3e8e14db6f0706d3943f2b601aeee742

SHA1
1bfaaf39bafb546a06f34d44c4cd7ffb13b077db

SHA256
45da0d4c346b292f76a0fd104437725bedd9b829d8bbfea663831c026fc8fd5c

SHA512
08455489d63f5dcf7d0f7c77c34476e03ece5b05628b1880e4d170af9942bfac48cfbf44c7048e5ab586d91deef12e901dca8f8ab99586357017cd8b63c3125b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8230f4db8dba6b8cd4490a8f7e930cae

SHA1
ae7b23f3f24f60e5d712b095bb35468044af1517

SHA256
633a5f3d34e4805e9ac87b6030ec6633a570b6f31ff03b3c663ab23fbf4afb5f

SHA512
9a59f60b47c1c8795794299c28b267df06fc913117ed23c13e0ba38041b03789816a509250230c3e740749c2f4b9fdf00ecb52efb18eaa3eb3bbf2227b075966

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a427d45b82951d35e8a5fba99540597b

SHA1
37594dba5396cade7f4e7d8befb62d84cda502ac

SHA256
fecca21b83641b2db7dea16ee410a4bc1c6320bad8af40606ed6f0eb637b63ed

SHA512
f8cd1dce80d7633e37a720df54a350cf381c35ee86fca1d4a098d9c41f60588de11b690cf02310c057051e91546eabaf6c76d3ee914c6913be8b321616362182

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
73f8c364d80e10dbeafdf28ae95b5560

SHA1
4cc60cccd14e4034a1f3c68dbe4fc42551a318ee

SHA256
31ba6a4b8761bb7e2520654380815bc49c7ea39cd9b672396db1ef8269a0e38e

SHA512
b9f67b7bca1fc2a7fbd0e4acad44821d91b8135bbe1405677d7a295b751bcf016974d8bc311c8cf765b0b99558071afb96a5ddb2519c39f0240c5cabf29d8220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
08b2d08a49cb17a8bee5288b27800624

SHA1
5e3bdac04555d57af66fc477caee310cd3265554

SHA256
47036fd2462e3a8eb8b59365c85fbec0d6632f7233bfc0dc51f989bd5e23948e

SHA512
3f8df950192969525d3c6d54e6486994420ef3591b13a32a479ec11f2ffd0865324e4610b75b6977c1bf36e71b0d3a9e00afeb4dde776ae487b97c525bdc99d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d72df3501c28be682926251621ee3c8a

SHA1
d54841ce7d21ce2bde8d4c99629d573e00421084

SHA256
12ce685f9125058dfc8ed05ef47e2f8ed56cab0c0c566e51be00e3418786afc0

SHA512
3fdfd42487422bd43b1eb51237065cb221cdbe9a9a7daa6e50d0ff5e481e636bc8df3ce58c0bf6d5d382d97acb9e2a0ed12d3cde02e2b1130fbb6f4bccda43aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f3a8dcef7437bec4310e6c520cc83a76

SHA1
80f1ced3dde92e7437263d74786c628b0b10845e

SHA256
96b2a43dabad0a8b18924a945c49fe47e376a32e4824a700d2d3dd6694fb9c63

SHA512
e21592d21306f0df8513bbb2730c2a1ce98adee2dd45c2e147c22212e1e5d1044442f800408f54c31934344eee7bf25ebaf009277e3327776325ac234e961005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
633653548dc35bcb89054bc1d0669b6c

SHA1
29fae5bb301bacab380e3ad88cae499019d5ce82

SHA256
abb54bf5757d3640518e695e3dd15b0275218e165c72df5fa216060f8f6fcd47

SHA512
6c0562ab5e613155f64902def64be7f201af9e5f303765c53e696a2495430fb8a77ebb525f1db07bfe495c2809487abb068d85f95278a1f993475f5b5e1e4da9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
802e97dca5a9e4d5479e8be8fb808489

SHA1
8bb90e390b9d6730a4011d160e2ff4d84861ea3f

SHA256
45058bd7293a177abc910f492572e5e00f93a21cfe80f5fb2b1c82ca82e1322e

SHA512
ddf659e254a6fbe58e8a82030daa41418c18f34b6e71439b3090a9e7583d28b13ba3f210b7994c33e2c4a9ec1edc5929ea0b3d2e363b5af808393655c63b0930

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
443e3c09a687568fd29ac11af8180b64

SHA1
a90675c2a4d9103426d366c2e2159cdc0002efe8

SHA256
57ef3ee9387a399925c9dc8faf9ebdc6219751436520af4c8c0a44ad6689594e

SHA512
38d2a9ea86ea8eaba877828e1facfbbbf804ab425c3a40cd3c19b3d7d18ea9bd4dce69854666bc9c73fee65804329041cf53e5351ec4618d984483e02857da69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
2f8f8261ee6ef6d1ced4400984b09ae5

SHA1
123cdaa60fb221ddcde2025623e48e289d161a2a

SHA256
3f4be9280f4dcd194093ca0444d27b089481a5d5d48f3b88bead3a27f79f0171

SHA512
5e8fe80c100cff2b2d0c1521f8fe1a508568b36b34bd47138d2a1875fd0bf38a1e0fa891afbb3d7e07521fdae98785987ddd75f4db4d89b96b9d2f2c24528ecf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
2175c1b764124b799647329913e39d65

SHA1
22fb27ceebb639cc87f1e94b6e9406a9dc9ac881

SHA256
3367d286a45a7bde86c8cf32317d4d58c2384cc6d003b9bb06609271f8094a5a

SHA512
6776d7fa3c1998d3517d17f40eca0d9709607de4a85a1a38f5b0ed9e7d98c9189e28cd5479e359ed1bad352158801a86f376f75370b61f7d4c1f3105a554dc7f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b42702710174e45ef6af7b2c3b2ce25c

SHA1
2e33b302abc48cd2d5f6c9654815c389ef7c540b

SHA256
0c30cae9d005f33f817df5433a6daf16a4a00736f813597364bcd8e141745eb5

SHA512
ce2ff356dc8072fe4f32e8914ddfb96605dbc58cfd7eaaca73910e9d051bdf366319126c323aaad8bbf2611b07b94ed090efd208f754c3b74d005354da88c098

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
be5fae1d38441b93862a433ec0c3927f

SHA1
99e54c619c269dabd45a6bae82f61ca9aa07ec95

SHA256
899b921738710c5441500779d4de6a24623dbee082d86504ba3064f98e51d3b6

SHA512
46993ce9645d4140e6894aaf128c7af88fc626a30b932095260cd35ccc2ff307a6755952dc1f8e368ba94b2139082097fe3ac902ff4807d2217c40a36116c3d3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
60728abfd5001d30660503ff2579f964

SHA1
0e761e012050fff88a74acbf1b7c45a4304470b9

SHA256
dbc92751f0c881676643b38a0f9175c58ecabb31fc5f5588963b8fa75f89d1d6

SHA512
02924606efd9634d9b9539a96d5626342463762bfcb6366c9116a7fd637adf02845bba85040b5c7edd407fe0cfbd9a5f270ece7adab95a0e9a4486fe76cb63d2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
83594d911974be2aed9006ce452bb2c1

SHA1
a14fe941abe564509dd60c1696eb61fbfc9f2074

SHA256
21516f0d4133a47a054646cbf642568a810554a232283beca4cb4dcf3bb52008

SHA512
19d04ffe66e1b91bced70bab45cb34943d4dcb98a69ad687881ee0be635ebecf3c783f1b51093aa1747f368f9f047702f42be308cfa0ba0b5437c4e1c77e002b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6b4f16717e8844456570e68de209b348

SHA1
cd417fd806cd1d9a8540a4258a7487efb28047a0

SHA256
efac1961d28dc3d9279a6980969b637fabf5b7b980f429593d2d609ca0f4a260

SHA512
f1afb5699c304820891f86359b395aeae205dfd14d4218568e135ff02e5de27c37b679bf9a140ba8f1e6e7f9509969bc9ce64be6697dcc4ff641c07ab73976fd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
80033f151b8f79ba277732b39615d95c

SHA1
7267d2f1db5ff601cc728a2162369a1784683e4e

SHA256
f0ab2684079fb1b77a50ac048befb0ac45dd5cb65f473c2f8d060d90d450b997

SHA512
389a64953daadb9d52b511d775f10ada7a3941f97495f3425f3d84ef2b23819c4c7cb3fe0c624e8fb27f1c77798ced5d9f706201b668f30a145cc1f9c28333eb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
51072e4dab60fb3c8d095d19052c805b

SHA1
aceefb5b8edcb51ad109d539fc1833f4cca5628b

SHA256
e09b523a4039c881cdb2b56650b5f4371b882954339196e2375fe39c2eb12fd1

SHA512
4e18e92222ce19d7a97158c891db7b0c3ad10b20cdd03d500b5561dff853849f938873466bed9e46217795c00fdde573cad58d308bae0a0c9431973d1f4c7e70

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dfa16bcc0c7a91810ee9d443ceee075f

SHA1
fdcd70b08c8b71e6370213b5caf5110ddb86f3ee

SHA256
bb692dcdb5cacdf91922bf7a7185bc7ddec9e73b8bbb340a2740ce86b1c61896

SHA512
e669a036327b036f46ac03f112ac3786fed9b8baea46e9dfbb129e6ea2e115fa7439703f13d0ecc565097ff4df97797e8ae2e919994e9f7ff1dcfcb16cd901db

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3446a2bb2b4e7d9bea06a74db21c7189

SHA1
0f22b3aeab292eec9bbe1bd2d6316aaf39e6d384

SHA256
e7e77d7998249068aa6100c6a64607c908dc02ad698db38faf566ee1afa4ccd7

SHA512
522fcd84c08bdfaac57f20f66ace9cef32f0b900ce3ef62ebb3a5f28d753ae11b9740868d420a43c8dc45396d2c6371938957bfd305936a405a1c0ab5fd2131c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
28eb7e0dd53362a506b43567ecc2b5e6

SHA1
910ec7aae15dbc5a65f3fdc613dcab4896c109ed

SHA256
63941ca489effe2bb863513529dce666f130cfffb569ff63757518fc168f27de

SHA512
70f7a3b7211a749202573d07d1e2d9fd4ef416fed8dca76d5cce962163c5ecbfcbd8ba6c2167477d45cc993f15ec34e42528d3cdb2a30ef06a9787055cf9d07e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
12bc90f03b83e73e1e92d4cd6a507eea

SHA1
09086cf02185c9463b7c0b0b7c65df2c01ac9d09

SHA256
202ee309e6d923a8a2848cadb254493612f62bb80bc9ba22223999f7de0199ad

SHA512
eeae9629f2dda898db00e79daa23371ba32cb1eb1431b50c31d71998a4edff5631933be7f0b44867ae79ec35594f0f73b6b5d2f5600083bd4588d3021ecd678c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9edfccdfc5bfe4e0f14560a100384283

SHA1
be6d777197160799ead554bfe1ad103aeb72f997

SHA256
c7e0ab2c4a122ae8b865a589be0aa2e2661986e6f28f43d06824f9a011915dca

SHA512
673d2b0d38b92db98e73cd954fbce69745e5eaa992ed927311b678757d244094bd05ba4ba0e65ad7546a86b8f434e71ac9b94caa2b4149da94a6744eae121082

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8ef33310ded9fc06d581a239ad0298f6

SHA1
1b50f1b853f91ca315270b62d87f348e90e03028

SHA256
8e0ecba813830c826d264a7ba265963090a1706d5a7d156efbcccd3d485ba6b4

SHA512
c254f215c801d4703f6da401097a8aebfb58680b50cf75e0b7ce4f158818c8918d2d2cf2b0d889244ecde3dc7c8aad16db70b18b958c0633d6c2cab5df516a3d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
058605391d03736c9b04b91a0c556464

SHA1
6295d34e069831807c71edbaf1e3d15e08ef2868

SHA256
d7f1b6960ec38724a855950b657547b2193aff63443ca366191ddcdceb5a26b1

SHA512
b4f56184afa2597b25a147621779f474898ca252fbb8e6fada0ca1eb190f1c063f963a982082db92b61daff08b0f7b7afe040a16caf8c9145eddeb0de6c47283

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fd2a3f584b58b3e64d7736d58219fc0e

SHA1
954712bed85cd8075c42b57c4f0511da53c16824

SHA256
736b9619ab07ed61cac121c4f692d90ae50431264c5d9a1fac8557efbba91cab

SHA512
2027f518bb61cb5a97f88a894d1ac85bb214a0ecaa2107c8da110f71ef54a5c84dbf919f68c5a686f9fafed570f0eeb66f7429f08ed8ac646c27b4dbc55a0304

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b18802f949d07d02683ffa99bea705ca

SHA1
7daaa0215bd66bba659a6bbf71d5b5d0d07e3d6b

SHA256
70dbf51b15b9d60904485a4c1f3a440fc882b9acb91fce38be2475d257ff5aa1

SHA512
ea9999e2bbc386bbae11339b965a7afa61ba06afb935780e7a044914ff87d49a107b4dfb6b3486375f40a99b0dff1e2234a3ec120ff62692a85f5518b0c5336d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2eb15b0d652292f32940664fe778d0c7

SHA1
ad3b0d026a119ce6b35b729bfedabdcb77b33d5c

SHA256
cde994f8dbaf9a44829414024c1b17cf252d4de3fd9fde1b740b037ed45cfe5f

SHA512
3ed2165d0767909f34b4afe2040703f30649c5a15b8cb719ebf08e224afa01dda1739665907bd2beacae18ec248cbedb810b4dfda5c96a11fd8f0c752f040a08

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bde70d190dbe7f3c8769529850c2b2b6

SHA1
8c023ad46884d184bcde59f038aad2db17b58375

SHA256
aedf9e16d6c02862e7d91c6cac31d2753c79097f6c5e4a8b29939612e471a9b9

SHA512
b3e380e1af3c626c5a09b7f2332d004aeff848e7f352ceb1599478837869221bfb1ace449f665195da1773246f8f366f23d99c5354e6a3b5f7e5104d92bf7205

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
25c2b4fa1328f90500c0ce7c3a1d7252

SHA1
12d3ad95670859968ec3030f3e5a48620409221f

SHA256
ca2e20ab7374388ab6c5c292bb84e02110e47b92cfe22269c20d6c63f411087c

SHA512
7266ea33d5bb9e7ad563ebeaaa6f3396280e934c42d3259febcaa808fa28ccc63d763563a0bb751476ab6c6e855f0175659d7e0baa7c7a79cf2cdc6d8a3f35f2

Download Submit
memory/8-449-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/8-456-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/312-352-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/312-359-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/312-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/636-14-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/636-216-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/636-15-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/636-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/752-251-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/752-311-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/752-244-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/752-243-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/844-421-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/844-429-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/956-469-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/956-460-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1424-549-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1424-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1424-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1424-333-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/1424-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1500-234-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1500-34-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1500-29-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1500-27-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1700-365-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1700-374-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1700-433-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1964-238-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1964-72-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1964-63-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1964-65-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1976-434-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1976-442-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/2336-321-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2336-377-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2336-314-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2760-38-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2760-39-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2760-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2760-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3008-308-0x00000000005F0000-0x0000000000657000-memory.dmp

Filesize
412KB

Download
memory/3008-300-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3008-364-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3136-387-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3136-379-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3136-446-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3448-1-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3448-7-0x00000000035B0000-0x0000000003610000-memory.dmp

Filesize
384KB

Download
memory/3448-13-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/3448-10-0x00000000035B0000-0x0000000003610000-memory.dmp

Filesize
384KB

Download
memory/3448-0-0x00000000035B0000-0x0000000003610000-memory.dmp

Filesize
384KB

Download
memory/3516-56-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/3516-49-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/3516-60-0x0000000001850000-0x00000000018B0000-memory.dmp

Filesize
384KB

Download
memory/3516-50-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3516-64-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/3548-270-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3548-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3548-264-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3548-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3548-256-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3580-345-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3580-416-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3580-406-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3580-340-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3680-404-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3680-402-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3680-391-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3856-338-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3856-281-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3856-272-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4356-407-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4356-418-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4472-296-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4472-289-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4472-350-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads