fd2b3e62f4495ef8cec9f0bc734e82eaa5b48f381b1501764fcfa3ad394d549c

Analysis

max time kernel
119s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-21_e7c939c9bf25e5ea30d357fce6dafa2f_ryuk.exe
Size

1.9MB
MD5

e7c939c9bf25e5ea30d357fce6dafa2f
SHA1

42cdbc18207dd88a45eb51afe795049a4c51736b
SHA256

fd2b3e62f4495ef8cec9f0bc734e82eaa5b48f381b1501764fcfa3ad394d549c
SHA512

6a4ccb2da0675282d006b22741bdea5f9a309a51228083d3fecc65bcc215355655d822c61bab3347cc02744c73b119893ea873859896781fbdf50743ad3d86f9
SSDEEP

49152:2lOVDTtQY6SoNtaUJ67UnHpclbwbWAaJiwmcTdco8GhaOIh1Dp33PM:ZqSUHxqPFFDIhZt/M

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4104	alg.exe
3172	elevation_service.exe
4992	elevation_service.exe
4628	maintenanceservice.exe
3656	OSE.EXE
2420	DiagnosticsHub.StandardCollector.Service.exe
772	fxssvc.exe
1484	msdtc.exe
3456	PerceptionSimulationService.exe
2432	perfhost.exe
4896	locator.exe
4480	SensorDataService.exe
3016	snmptrap.exe
3200	spectrum.exe
4404	ssh-agent.exe
588	TieringEngineService.exe
4504	AgentService.exe
4308	vds.exe
5084	vssvc.exe
4008	wbengine.exe
1312	WmiApSrv.exe
4528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-21_e7c939c9bf25e5ea30d357fce6dafa2f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8394f13fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2540	2024-04-21_e7c939c9bf25e5ea30d357fce6dafa2f_ryuk.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeDebugPrivilege	4104	alg.exe
Token: SeTakeOwnershipPrivilege	3172	elevation_service.exe
Token: SeAuditPrivilege	772	fxssvc.exe
Token: SeRestorePrivilege	588	TieringEngineService.exe
Token: SeManageVolumePrivilege	588	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4504	AgentService.exe
Token: SeBackupPrivilege	5084	vssvc.exe
Token: SeRestorePrivilege	5084	vssvc.exe
Token: SeAuditPrivilege	5084	vssvc.exe
Token: SeBackupPrivilege	4008	wbengine.exe
Token: SeRestorePrivilege	4008	wbengine.exe
Token: SeSecurityPrivilege	4008	wbengine.exe
Token: 33	4528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 5360	4528	SearchIndexer.exe	134
PID 4528 wrote to memory of 5360	4528	SearchIndexer.exe	134
PID 4528 wrote to memory of 5388	4528	SearchIndexer.exe	135
PID 4528 wrote to memory of 5388	4528	SearchIndexer.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-21_e7c939c9bf25e5ea30d357fce6dafa2f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-21_e7c939c9bf25e5ea30d357fce6dafa2f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4628

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4468

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c04b30e30c7c88b57561a75da4c8bc00

SHA1
bc8440465f148ff3d9ea125bbd2c396c3ad2cb17

SHA256
678ebcdc87061d5bd4908533509cd836d77126b730c9ee4cd325247feb4c0143

SHA512
9d733e083877264a49f8800cdba16dea8a6a24c517c6260d8f0f56e395d90c212ec334c4ddd8d5bd46112fad03a3f393f56b91a536af2d7a3514b685de564ec0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
3770feaa9372a0959de02e9eaf7dd3f2

SHA1
6c4e123875951ee06e75ca38d686e7a9a3fed217

SHA256
94ea51bb05134d9787b7c917464162da694949dc35d5bad4cb9bba1c4d83a5a8

SHA512
369d782ba6166648c67dfca1bf08840159398b828d8e61f565df0f25fab4b3e0d1ac95dc21807237cf9d4d4a0a407706d726f8e976ef68e1cba2701cd0e640a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
9c4ffc82889305190e0168d75119541e

SHA1
ec2fd1eade6df5105b8b80c2925793d15e3cc989

SHA256
7afbff4f520e4f3fc1879549187633fa93125a3610901a8391cae7463650fd8d

SHA512
dc6a2712042234075b0f333cb7a5a402b91d46baab2c5a681eb16c6f96eb2b4ecb077562283237b13a0f420947c41406d258c541d5a1322801ff37c1b9e3c089

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ad3408f51565132a23411cf4d9fbee6

SHA1
0a7ed8f69a6b4dea8a295c7ce268674f050cc648

SHA256
b3842112e7ae3173b0a40fa317096f6ec49d44eaf8a3601544c9005d663444c2

SHA512
6718bab4858b92f82034a8bd5c3a152f14be433dd9742bdd3308230ba437aee7f60e9bed97e36d5c0c58eb4280bd3b0bb46f4791a0dcd0f3d92257f3fa3b2bb6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9d75e81b3aab00c9cb5a6d17e40d5b51

SHA1
fa2a626d05b612986be7bbf367eed90a2a5623e5

SHA256
2005451ba54f1f8b678dcac9830d9548adc2ecadd1ec18b0ba3956e033953c45

SHA512
6f85be4f857515aaf7d55bb2d4cf09b17101926218833577962bc7e3d716c7f070d6c3e0f388a34f9be14eeb454060c13650fd540ae1027412a7f5152ce14b8b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
20d961395ca9c7f67d5ea51e6b9a54c1

SHA1
28c8d1322db5f9abf1f7c3b3d63ba1f7e07cc2dd

SHA256
436ce4516ec842d43dc9310ce1b9665a3855aa284e76f4b64b6aea9739a10d49

SHA512
39b1579b719b281cb830590fc22bb8fe30cf79d48783ee885104f74809486e3268f483fad3dab158e7c21506c30f2149ccb5a996136826f2923518ffb929a165

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6b32804133e67fafc00e8bb9478c7efb

SHA1
5ad59899e64a2b5552075fc275fdf13526747d54

SHA256
505faec63c8b0ab4c3154749db85c8b3d10d25a48049bba3e8db3698697a7c58

SHA512
ea822b8b865fa71b178c59145575733bd79709f5788b76b21ad20c7d71f01d5f7f9fa697d0a3e2e681ad3c559c7663447d43384380dbae3ac84915e453645026

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c58809c17141a628420745a2d19f2b54

SHA1
0387f739e56b4b267025838544b50e82c07d6513

SHA256
3122fab064b51f3e109196732a02dd068df915cc02de082a9c0f1af4374bd1fc

SHA512
4eae8450ac0d24da900a73a8ee84937ea59717ff512f9f4a48f0c46f6b29ff41d4c6e32367449e49ffcd57645a1595aab1d337551856a108fda180fa0cb65445

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
ece4087591d30fdd2bbd007c61422635

SHA1
6f8649f1716461757ab355724b05b7a8b3855af6

SHA256
b9a6fc0eac1d7c1a1b585fad01059aa5a75d43d61d2421af2fb30ee23ac3068b

SHA512
091dcd195aed94b364450f99eeb3d40b796f895c1d3c7196c93adfd4a4e84c719354c955ceff37dc1dc8476d5da03ca74f522994d2274943f347f1da04a7afdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4fb76bbcb1490fdd877abfda2e8df61d

SHA1
471224b47e0d14d5496d9fa25fcbe9fcd96fe922

SHA256
39660e32aac0c9a61e3b2759ec3b7b2ca8aada277d843e1c392da457a5bcaafe

SHA512
620fb7aa6043813c886f24857adda3f018552325e4e83463d4ac9558ec480215ee9eeff5cc7fc47e35e6c4263c5a92e15f2a86c690da2d5b1ee373da346e0eda

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c821a22436859f359d9273ffb13d71d6

SHA1
2656f22dad6ecaaaeae7011c27e94c8544cdb48e

SHA256
68f77aca609d039274996630dcb2ca02df38d070b0aa6d7e797f7f7cc040b49f

SHA512
7c3a1db6f8d354eab83437286c9df24d410bdbbbe09ef3764954bb0696130285aef80aff2c638d61ccb2b90285bdd1c3cfe47f6b9a98cf0de37cf3c7dc92e099

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c7f8664997e9de33c9910abedc5ac836

SHA1
782dbed77dccfee33a17e436fb2617f9881378e3

SHA256
66e870f156b3682cdf10bae7b8fdb7f8086a8073c6d8935218dd7f8f74c3967d

SHA512
5db5db2007929480531183eed01bfee9d1449fb9ff6b270aaf8775f08c1def2d78f0ef2c2b522617363fa66d0f7bfd5cf0a039e44c4c8e4f859de157d5a88595

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1075fdbb8023851a393ce7e3b65d1401

SHA1
e4a33159655aa6dacf201557a13266ca214a2e68

SHA256
bbc2dea4ade9779da7d20f3b955772cc8760625dbda69b774b863d6ef25e2bf7

SHA512
1d7e3055684fb3e3c1abf68d9f287b45e4ae71b34ad50979ea8da47d4cbdbe7d3072013da4160410cc05505edc9b702e52d46cb4e5d16a028901b1b98c72a948

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
983d6e1575a7e72b00761abbe6086960

SHA1
c2e30e2dfffb656623ff57cb4e9b2bd8cf7a6954

SHA256
71bfd69a13a0a20914c361df6e92cfc3a6a0e6eb212b4981883496a20894155d

SHA512
98c34e28e35e17efc23d93e8068b30be87e88f33df267eef0af80fe4ee8eaf398b2b710f067f59611ebb8b8909e7fcdbe520d5b6ec512eedd11285c76be237d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bc63a698244c4a9e2b325eb47a7b451c

SHA1
44a00bbf201438f20366500f5680559943c63295

SHA256
70d12f22a0df173dfb922da303d160ab25b158ea466fd7d3965169771a90e057

SHA512
cc8eb0cb56bad466ab63ae508544dfcae14677d35d9fcf60b79b38de016211e599ac51bdc318a08c742db03ab6f42298bb002585d2d8b3496263f9e21f59d2b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
be643cf487e8dbe7f72fbfe07700884c

SHA1
9a8ce92aad8856d8591172ff2a5669655881adb7

SHA256
833f933a70e48231c496ec251ddc6457acf32fc5ff665af052b7e3780440ecf7

SHA512
bef9415a4023c8ed29ce944d19e53fb28c1b3618ff414712d7ba8fa6185c414f512f5cc5064988ae6a568182eea4f9dceaf0f3ba1d508483b08819b6c4099bcd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bd7f6f837c36e0b28dcccb6cfa3ab823

SHA1
27b13ab3d51490229e55cb6de5e9ba65c3e90a9e

SHA256
88a2d8fbf16315a6351e9867559f7ac496927bebfc183000e30fc681088d6cc8

SHA512
44bb7b327722c1aecda1b59d50772b5475c8dac4de8593fe4249015da5e60abed30b5df3403b63f6e8be9b4bded1033651f5f045928e26825aa172ecfa003e94

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
beeb821f17e17329597af7439888a2e9

SHA1
ae9d5d173a1256312c85b5f243372938cc463745

SHA256
f153162d403be59bd973491086cfc38df1c825d34c998c28b2927c6a21280a0e

SHA512
39cad6dcd08e97662a2fdac91f4f1d82b98d4009a60194a57a9048a3e9b3aa7871f36f30d1fe9465a2b4454dc49b2bfb02068085bf7fabc4d266552187360624

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6d6821ae375d0858b9f377b12704759d

SHA1
eed7db41204d5a9b9ca67e29a8b9dfd65baac13f

SHA256
ba955a12ad807e805f25e46170cf08ea65446e89370ddb918cbb2e43404fa187

SHA512
9c7564bf1cfde98e079d2cc092eced4b449550b3e96bea1c81164deac5be6f8eb03d5e6faf4e03a64ae6053764f5c31999e1400f5afd0e8340a3aba00ae59cbe

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cf4a1867cda5912c24cb64e2d96195a2

SHA1
72233029732faff826dbe10a5c35dbde1fd693c5

SHA256
2be83ee10be333a848bba4d321de8c75a79e6eb9ffba6818a79eac4ee884c868

SHA512
16ee80d5dd2c5123a20dfa1447a7040e1f87b59d574c3d9f850c2798bb1895c006112df1fd88d37e6add34ed8335dc6a9e1e42bf9f33500a03f7ca3f12db99bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
913ab8194cebd5225ab5c430b340d9b2

SHA1
24c6bc6768ce981b786e0bf3661c2cd5d9981ad3

SHA256
76e3d5f8589b23a9d89bf29328a68f2a0c122e4f5cac68b395767eda875eabb4

SHA512
113176037a04e2faa8cd169aa7ed7c68229db548009f3b63378f7a9a62013ebaec63f65565cfd3d32f4c002ebf67f73b489afd0d97fb8078b8b13ec50322293d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
92b33aebe0dda1f766180d8044cb10c4

SHA1
8b170e2df6552685593feb369a26f8ae31559b48

SHA256
c0c245b7e1a6233a50ce8bf63509a92ccb5a016ba1018b033747a63e5a959703

SHA512
e73f69f7906c4c3db8bcb28bb8c347edbff0d802a0fa9459705d7eac233babc1def48fdbaebb6ffd28bfdf1535458bfb17fef302ddda588bf51c52e8f7ada41a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
b06536dde6cc3965f73062b75e888c13

SHA1
116ccff9b3266522eb911af9eec74dd82bea3aa3

SHA256
9867ee3ec17770408a9c1f4af8e53e8192941a3238a943aea72e71076a56d283

SHA512
a0201b2701ca44ed6b2776390ffbb1a58e221c714d2f6707f7cee4fb876e8a4bb477b39360484326f319e265d990a970dfab66c86c9b652e31d7d643adfc11bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
5ca299358371dee867967d512e2ba377

SHA1
19f282c1ef55f859b2e5e23a346834f4a6eaf4af

SHA256
721a98677e5699ed564174fa8df777012c37e7132949f724a7a754b8c2af1d54

SHA512
85f192758099d84e124f3f36b68d116c3ac5b897a4baf040fa7f58e8dd317958ec27f5e26775e108c50fc2087a426b1cff3937e1f5a42789a6907259cec1ba56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
3bfa430d6d2e7c7483612835b624026e

SHA1
047a378385bdfe9f96c6d37a3e7c918008d0c1fe

SHA256
05f753a8b1e858fecd5f5814941024c442025a2c36c172b45d0ce68a4b99bd93

SHA512
d8ff7ce4531496178d0252b050b29837af7b59e5158473b0c24bb75fc05eda6b85a8ef70c53c3aa759cc696a7126a0cb1168fb9a04303bce0bdda89ed752c12e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
73667fce8ec3e36b12b0bd58876c06bb

SHA1
1571ea8a373314c6c0f14eee69d175424c2be656

SHA256
8ea46792cdd7bd95e6af93f18bf0f4958b9c5017a2b88d149a44110d175db185

SHA512
b3e00ed76d9007655b576653e853aee5c563de64bc3fab73c1774a6746fc2630bcceab671ea0fb41627d725476a1a2454c6716f25e08054e65209f268d4d3e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b7ad82d20f18faf7979256f1699688e8

SHA1
37311e1381a4a4cc7aa975eb4e8f3a72f8376b9a

SHA256
fec62c90e587ce181446221991ba802abd3d05500db359627fecd0f3d38efe71

SHA512
1120715529046fef1bc8841c1a9203e1daf992df34e1aca6043f681d454f5428ee42a28ac1b6400d642dbf7fb61112069685f71e19ea824b5e5feee0e360a569

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
93fe4807adf7b10f5ab4e8b8d2afd66f

SHA1
15f2043764871e5bf7920083430d077d8c440f32

SHA256
934a21e371d40def10d4949e0741c2dedc4f845396f112ecee1961720b66c03a

SHA512
0b191bc04a3d14c502033dbfb4552eda4a2a992fc0776526ee5ac4601adf17a9a44aaebf2a54c2b7d8885a2ffbecb8480fe7e11dea9963a1fe4e9ea9b27baae8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
0c42f4cd383ef5a6c7133323cb40ac71

SHA1
77c13fabdca293d6fdcf0b7b6ac08d4ff57f05a1

SHA256
24def91963d04580ed48c5301678843a458a87e15074a1c5329bcc19d2270c0e

SHA512
9e8d00eca22a01f41f9a9f4005e1733ca221b205d385cd301809022ec0d366c1a6231a6725f955e8bd5677bc9163126f644d3e29ae80683051f242b76e783378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
3b0bd33e156c02038eb5742d5e01c154

SHA1
4071cd37c4378b2eee62f6435b21e2869438f74f

SHA256
d7370683355212a9d45fc8f1a3ebe598849ea2e6fa2fe42d804cf2b3919151e4

SHA512
fc84c4ee3348779ac14c8340933a2f388716dcb3055cde973098fc7c40a3dc5e02b4fa6ec41ebe5ab3f5725d6975e6efdc4246632a22c7c58fc0157831d16341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
7762c96888294e6411dca7ff0d736e3c

SHA1
0296da48bbb00828105338700e3b8b4ea582b08f

SHA256
b97dc69ecf2b25a16c2791470695fa4cda03605e397b3f0aae5123fae330a344

SHA512
0afdb4edec75c0677b1a6b243a1b3d05918a32cbf0d973fad6715bba50c8929fbb5423042530d9bb41a2585405b79cf4115b67e90a1b8f212832d4c395abd8e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
0c792b546e0183534d5624777270b1da

SHA1
c205a5b7fe357369a090871e6be62e9259c4204f

SHA256
ce6816361f5ed9340f1769b3958cd08622bfbc914cd2a5422146c003001fb613

SHA512
2126e17502415aaba244a7a542b2175da50c98b1d9402c65603d2137c99b247d7dbe2cb0d33108f57df4484b4e8144d466868835585d1440b96ae6eb24a46e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
971d79efca5699983a6f2de87f08a002

SHA1
82d7888babf35999fb1d7e72be52a0e26b352d87

SHA256
2faca6bdd1f0ca46a8711cc0d49e881f9182c35c5886f244997680878c7ba1a4

SHA512
4b3df6c36bbec363048b61268f043df824a78509813dd54348887dfd05e75929c4e6941e5934f5208dc9bf8447be568172ac54889e762d9ea909c971c3f69dce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c76287da7b4e2c148bd1388a2380375a

SHA1
297ae0c5205c57c7456a06ab80bc73879974b166

SHA256
5511bd614d5a9ae29c141e1ff99b852951ac5c28f305e72383a55138c4ebe87b

SHA512
9c26fd07c0a8f18f686f07c1b507988654be59fced2e020384dd28cbd17735f18a1ce4288366fd5d3cf39bae54c4ad9e5acb8d5e20e3449543eea7851d904b66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a4f1fc9d233782fd1dade50889cbab39

SHA1
75f2a52aeee0d888a7c11c4e34427618300cc567

SHA256
7002e32a4b6467357fcf7dc6cf7aa40908511a3d567b53e7e5a1abc6dc8bfb43

SHA512
2e7514531df723bd2d9e733eaee45d25652a90b711afca98a758e9ebe4aa38d57f89368815798fa699593dfa0a02a499723c62cec4c86b35e630c54f34f18b73

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
a19590305122bba84828cc71984229ef

SHA1
07eca01738895416162fc9818288fa8f712e39cd

SHA256
faaf927188051c865535fd1c2bf1e8e02c5e456baa95c05c97cb71ddee4b0022

SHA512
8504dd4cd7bfe3f84f9c53091e3936fe29249f6ce81fe21db18f5a386655fcad71d5b6904de420e415adad07ec59820edae4be34eefcdd97f76f5229a31b7284

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
76d336a9146aeba7276a0d64e96d8e51

SHA1
157c0836c6ae899496fbc69b9a85d4a274699e36

SHA256
9f35fd8dffeccc091841a613bd199bd50b6980e5f5f84b4c752216ce5febe0cb

SHA512
1f539d4a6712bf204d21c218316b138f05fce5d102eaf8b4b0138be5cef028f0044fb86fe71ded4831457a28b393ba263d71b3220b1c95cfbae6b4acb8c72ee6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
3cbd8e84e0099e79c631ab9ea7cdd772

SHA1
ae5f430b28f753c8b5d41d6e80f6f8e8357efa0e

SHA256
1b7b883a972aad622b7514e610196c9813ad6bd8fe89242b36b269cf4bd579e9

SHA512
834965babad150ccf391b67ff055c4b5eb2ed28d38155810692c4ff85cd1001d51406ce4b35b3035ffe6b023b2dc8e46f7e70decea203dce96b02dafcc431e10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
081b982366917da5d064feeb80cc1c9f

SHA1
33016ff404a958697ea94921349acb9491bc690f

SHA256
1b6c88134012c73f133342a50033935d9fb0d4a3029cb733bfdff06298f18fe2

SHA512
bfceddc30da3b8f9d6662b624a81bc6e4868c61fd81c8f9b7782dfcf8c89352e6799c974b9f430c2ca887ebb602476f1bb6e76f1abd62b2d127d18d92e3783c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
a0a82750e7b33e6e42ce523564e0207e

SHA1
4828e127b373b9500a8efe82827f64a5ac2a96ce

SHA256
8f931b8987dd419d4d2b699c5986444547c43f64f0555091e6b84cf3f03e03ff

SHA512
86807ca7a0b7c0d6a7fdcef79486cb9d251b23560d67bea0920261a04638ef3be27266389acdcc63d5a6a57820d51f5a1f38173916d844e33685a579b0fb2ed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.4MB

MD5
c96e1255aaccbd02a6177fb9e85af76a

SHA1
663064b78bf792ad97fc915a119ea0a9502e5a98

SHA256
db84facf1ea8995cca87a666ae3ff4fb12dd18085ecfe50ea90a3f66260deee9

SHA512
f89840cff848eebb50d4b6311c29d9667770919c92782e06e4b1ede95c07d105ea2f15ab1408f7abcc8e25c934e527ff56ceafc00a7b93d96cee8d895c5478d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.4MB

MD5
42eeeb65e7b8d21532c655c0a4690ee6

SHA1
558076826488a93b39736e9e750fcf11f01d6d01

SHA256
446622ddf604ff1d5b17cb5ce9faeff39b1feb59c9cfad8f5e2d8c29be3023e3

SHA512
3353d9305f31b81589002c375cbd4d8afc065e0c4a2a595c38507b182d9fb5582c7f3c53754d65ffd1b400101cd17681eb0797e9041ee1a45db0f04b831ea597

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.4MB

MD5
8a5a2524188ee7862ac7c30d0a44488a

SHA1
e1d32c43d43bca30ff9965b93d3a052cd1b02d1b

SHA256
d708123272c228c79e0a037f81d29b531c7ab22f87167ec33333135abe47af51

SHA512
96bda0ac249267edc4239b56b29607e2254362016fe221d5c0ab7289630ad7b308af869c612f4baf9bfa9a1f248d714b3d8e4080c8d408576458191bbb8777f6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
969d8b0745c18fcdc513f3cc3da88c7f

SHA1
44d2dc8800c5b4805d17a049df702275fd7e9e5c

SHA256
31655a8bf336e367ddfc2fdb6c475b03b3c3fb2a38e03f93c4c349f73df05633

SHA512
f03e3bac0a816e2efdf420e63906aba39e67543ced3719fa00fbf23f62439db4fe61449db229a68620e0479485161e8eea07cbfd25f9fc9c8a471e66fabed4cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
1063305e5a3b6166b529047f509eb751

SHA1
57806f4d52c4386839d226f10bb660dbfe733642

SHA256
2c7d6621e986516232ce48f3be92a4bf2c4659a5507d863565a6e9508b5363ad

SHA512
e4cf1162a035375b41935c8269d976b485fde8ce842c5443d9a5f29d8d49d04337a9cf61dec55e38009f76cca00235a1fa7bae5a92b4b87fb8065ec7819297e5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
eb5d28654b5a141ef8c7674dc7f1d67d

SHA1
133a698ddd798c9fe1b76aa7856d2fd458eb61eb

SHA256
8c0f01829e7c72edbf2e84c7e9b0669fcc0bca5de32ac56517b4620c59e08fbc

SHA512
587764fc5791b062cc127419f4b4e074e86039e6627fadcc571c8b253e76207d792816da61891652be9b025d1ba9b919343e236d26a2402d39280b193dc24648

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ef6cfe9612cc8e9813579181d47b23a4

SHA1
34d426ef9c3c169fe8da8d8835dac0dffe923807

SHA256
3efd6d08bc8b8b7ac5df6626d7f3fc20176307c7136aa65fe9ff6843e4f5743d

SHA512
de3931fe4c5e0088d2460e28d66b74cf6adb73b2e262f3c70f2fd62caceb24b8bea2fc0010565efd21726b632d963c980e3b5b812fdca596741fab649777a6ab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
03edbb7d533b3e1839978d2fbcf4559e

SHA1
1a1e1e4c50b348b18f88d50f767383c436d9aa57

SHA256
d1462a7a79f802c061e2cec2cd363a717be2ce4008f3ad989375ada4434722ff

SHA512
96bb712abd45207a08280c4ccebb56b9a692695af8347a46438c9eb3bbfc2a75201a789f4bf9bb54a51782b08e8b253ca9c93dd9b607c0122e44bbbb76b6a36c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d7e8a8c7c2395ddea210ee86f2ba3248

SHA1
addef970d802e69dc12e3768abb2ced42134c3d3

SHA256
f91350b6c5b27e377c534e7e3b18746b8f85ae93ed347d07da1b1d92536ba5b8

SHA512
f9411e79d0a970ae71cc96a2b235859c07c94652b32e7c4c6e0b722ac79e0de1f55cdb4d406e5bb4c0116d91398b57496d7fe210bff469a87b84762fe50d18b1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
47486ea7667940b1a3a81dc08cdd58c3

SHA1
d782b97e435c7e866ed168bb34717ff19651dede

SHA256
bed9148e80516ffd6ab3967606a64cbcf04727f031590f40564b2f1832ebad72

SHA512
3bb1dc3b1b64e97233bc4cb70670fa9186a888ae344f0efcc46afbf543f636e683ef7db752053038edc1b06dbc32a1af718e9c2ca150f4ea5750ebc4d5ae9261

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
70d97d2c87ec05ae0b4febf7014f6b16

SHA1
1c6a258a230426e6ee8378758f412dd7d4cdb75d

SHA256
e1b8e24a68dd33133bc7d8caec5e0214bd51e424cba8f2294099888ec02baf0b

SHA512
c003ddada276dfad009401f8609b4c66d115b6aa410459e8b8bde38fe89f3a01556bd3e39eeca55c1ec4d0af246a09acaa6464968e07a73043abc334c3bec87f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e4b90ed427da79d376ab137945e70357

SHA1
b21dc06c3f5d798646dbb6f8a5026a9b2c8f127e

SHA256
5e672fdff2041480e7a46daa6dddf7efd9a8b2a1da8ec2469df5ed8da606ad9b

SHA512
3bcaa5ee02da40ae14a3f0c335b30b49ae19ae3a4b0be796f7d5f2b6ea9df23a3451411f34d4e00163c20c45567268513d28149fda1dfd5c30a02ae5d5398610

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
aa85a7f9a0eb81b791c44c56d44322eb

SHA1
dd577332ab29d17425bc01119fadd567879cc4c3

SHA256
fd497278ca67831644863b6cf928cd0ba8fa1241ec5f14dc9451f065b474f3d4

SHA512
363c5d599f3bdb95493399e0e5ff0bfd9aeb9540920a595961dbda24721ce2f7d004395299848af54acf6dd0b4f4c16d3a0b137fe69174cb266fa874587184e2

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bcbf16e1d28dcad02047eb2cc0845cac

SHA1
f117825639ea3e19b0616ff13b13124a0eced57a

SHA256
357504a791bba961dbea5cbcf5df9944d74b1ad4f27438111b45bbe9f56b8f1b

SHA512
4c9c6e4a3bde8a3f4afed5cd0f4f0b629527763e9c3135824dc6690fda948df21d74f8c00e151d78828c3b1c012f4b7b3611d8ab49639324a76f8601787d036b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
601f72129d783614a1a7d5761c945df8

SHA1
6db8808cee0ede3d8365ec8af68f0b8cb4671e65

SHA256
bbac3fbe29f683a047b6d20bfaa4a613ee59f785bce5d92e4418518f15505884

SHA512
cff4bc20d40ab48b83102e1858af05aca44b10eed4023fe0a25378df7e62d9ef2716b8913f0356322fe117e4cc0f0b5b6718f9351846deeae25629ad92ebe901

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7580eae5efce41f48498c9fedfefcbb2

SHA1
11223cc57b2e92ea961afc8b54f1af1d4a6bbdab

SHA256
bd954ce43b8ac01fcd37cc401762a62dda9e81fff6b5ca08c765a8896b5b1195

SHA512
326e17387d9d4fadb98df7feb7f8abf8deb084ff38046c8799cb030d67ddd722638637fc0d9e888ec06b29ab843f41bff0ae735d45a2e82d9d24de6e421e6dee

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e6fdff21bd2fa56fdd133a3f629d5001

SHA1
d01a7f3d19269096e0d2281115eac059e971bb16

SHA256
6abc498cd18267f0595737db9623bd466a708a5caf6cbcff02cde48d0d4b2cce

SHA512
75c7acbeffde137dbcbb12bf39357eb3d41b21f0f7d9260c8e6393c079f876a49743a5171abd4327c3d5e1608f3f2ac083c16b259afaa9091d742ca42780d29c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
4c23553909f09be032a769e880a25fd9

SHA1
99ec52feff9ff724b005d62ac627a858d504bbbb

SHA256
f0ae03f783a12c59b3ce9a24518d862e79812e1e2b4a63b1fd6e6437370aeb9f

SHA512
344ca64a89320a231e5a59f74a87c28b0adb1d665a82e0e9d83828e9699b4439cbdfc2a7ffac4b7d614082fd16fd6611b42b7603c2dd10532672dae2459c349b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
22c2ef7b5a4025fa6a9ead29d9d2155a

SHA1
de474db00d6faa179ca849b435c44abeaf6a7316

SHA256
91eadda59794c0fdab0f43a8de187ed049469c2cc6f0283513e66ac7ff43bd4d

SHA512
bd39c6abcbfa6f3b7b71870d245e572490f29129ac71f844141e3736133a7a508bea1c2613ddd1a40c4125be7c0bf4b32fd40b72e29c750fd492be365252086b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6279e0870b82c61493779f1c14b471fd

SHA1
19e0916c40ac992d0a349338f72fa64c5ddeae08

SHA256
361843856eab682d4efa5d5d530513d232ef3cd5889b0596af5b0fe480dba073

SHA512
5a093a5d7ae64b9980b6c7ae4183694139abdb75063032542131f27affde1ba4d339a290d18b13c3e09fe556c12a4993af8016885b6dc92d6e4d27f881b8439f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4173b9c248d09e375e20b3cf49dc98a6

SHA1
10c63054fe8cbd50856c47d86083cd0ec23d1429

SHA256
f08fb932c6759d37845824fcac9279e37b1422050c71dc08165f8b4be359eef0

SHA512
eaefd9dab3396071af7d869a1548b7dac9c28560e159ebb261ab813a26f71c57e8497edfb21c96d704ed5fe82aaca7ef558e85dccebbb7137cb00dc0aa036bd6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4ec1149e76378545a861b717e03d9ec6

SHA1
199f74a9620c4728218d998b817a5679cb7f472e

SHA256
1b0362f982c83147bb3be6d61afc92b94df710286ba9b1f33376a264cf0882e7

SHA512
756f0d1695a6c604ebd5a0736d9ad8265eae4210d3c0a855f0c468ba03b9ba3e6304ea9d8468b48ef4338f475c75636fe1fcde2c3b733b89af93ddd767c57019

Download Submit
memory/588-372-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/588-380-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/588-440-0x0000000140000000-0x00000001402A3000-memory.dmp

Filesize
2.6MB

Download
memory/772-274-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/772-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/772-256-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/772-265-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/772-272-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1312-449-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1312-442-0x0000000140000000-0x0000000140287000-memory.dmp

Filesize
2.5MB

Download
memory/1484-280-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1484-271-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/1484-293-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/2420-251-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2420-243-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2420-292-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2420-244-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/2432-296-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2432-303-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/2432-358-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/2540-12-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2540-0-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2540-17-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2540-2-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2540-7-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/2540-8-0x0000000002110000-0x0000000002170000-memory.dmp

Filesize
384KB

Download
memory/3016-341-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/3016-332-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/3016-400-0x0000000140000000-0x0000000140257000-memory.dmp

Filesize
2.3MB

Download
memory/3172-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3172-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3172-29-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3172-28-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3200-413-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3200-345-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3200-353-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3456-286-0x0000000140000000-0x000000014026C000-memory.dmp

Filesize
2.4MB

Download
memory/3656-68-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/3656-238-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/3656-73-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3656-65-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4008-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4008-436-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4104-23-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4104-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4104-16-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/4104-223-0x0000000140000000-0x000000014026B000-memory.dmp

Filesize
2.4MB

Download
memory/4308-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4308-410-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4308-401-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4404-426-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/4404-367-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4404-359-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/4480-320-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-384-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-327-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4504-385-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-393-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4504-397-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4504-398-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4528-454-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4528-462-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4628-52-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4628-51-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/4628-66-0x0000000140000000-0x0000000140290000-memory.dmp

Filesize
2.6MB

Download
memory/4628-62-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4628-58-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/4896-371-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4896-308-0x0000000140000000-0x0000000140256000-memory.dmp

Filesize
2.3MB

Download
memory/4896-316-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4992-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4992-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4992-40-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4992-39-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5084-414-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5084-423-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5388-550-0x000001D68C480000-0x000001D68C490000-memory.dmp

Filesize
64KB

Download
memory/5388-549-0x000001D68C1F0000-0x000001D68C200000-memory.dmp

Filesize
64KB

Download
memory/5388-548-0x000001D68C1E0000-0x000001D68C1F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads