55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d

Analysis

max time kernel
80s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d.exe
Size

1.1MB
MD5

0ab6eee51de3143addbf78033dc1ef4b
SHA1

65cda619a961e0e19778d1a2d66c9bd980a28084
SHA256

55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d
SHA512

c632e9a7ec518664dc1c439c76980a388a50cea7b7be1abf20cadeb1522bc51b6fcb59395bbf9501cdb2da1d48acd913ec0e0c1fc21c51d7e7db0faf3580e8db
SSDEEP

24576:ucv/Dyv8dRolm5NiqodYTsqjnhMgeiCl7G0nehbGZpbD:ukyUdRolm5sqoeDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1828	alg.exe
772	elevation_service.exe
1124	elevation_service.exe
3008	maintenanceservice.exe
1876	OSE.EXE
2932	DiagnosticsHub.StandardCollector.Service.exe
3172	fxssvc.exe
900	msdtc.exe
4900	PerceptionSimulationService.exe
4428	perfhost.exe
384	locator.exe
4756	SensorDataService.exe
1824	snmptrap.exe
1160	spectrum.exe
2392	ssh-agent.exe
3284	TieringEngineService.exe
2632	AgentService.exe
3712	vds.exe
3564	vssvc.exe
4988	wbengine.exe
4500	WmiApSrv.exe
2980	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c5428d6f3e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	384	55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeDebugPrivilege	1828	alg.exe
Token: SeTakeOwnershipPrivilege	772	elevation_service.exe
Token: SeAuditPrivilege	3172	fxssvc.exe
Token: SeRestorePrivilege	3284	TieringEngineService.exe
Token: SeManageVolumePrivilege	3284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2632	AgentService.exe
Token: SeBackupPrivilege	3564	vssvc.exe
Token: SeRestorePrivilege	3564	vssvc.exe
Token: SeAuditPrivilege	3564	vssvc.exe
Token: SeBackupPrivilege	4988	wbengine.exe
Token: SeRestorePrivilege	4988	wbengine.exe
Token: SeSecurityPrivilege	4988	wbengine.exe
Token: 33	2980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1400	2980	SearchIndexer.exe	129
PID 2980 wrote to memory of 1400	2980	SearchIndexer.exe	129
PID 2980 wrote to memory of 2072	2980	SearchIndexer.exe	130
PID 2980 wrote to memory of 2072	2980	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d.exe
"C:\Users\Admin\AppData\Local\Temp\55eef3e7e92c79c8de2d46c876adf77ef1b6024c2483417e130d8da51639d64d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1876

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:900

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1160

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b61848bc6cf27c360ee963e67df9e919

SHA1
04d7cea68adf0b2787d3d54fe4e3be143a229a46

SHA256
7dc289ac304bf3371477aef8aca2d6f6c9d27da39958006856a8da421c72d3ee

SHA512
afbd63a8d7399d0a30dc0a08289df008654063090a8c678d86f9663a757d3f2307c9907e720ada3771e66f77b5588d8ff04389dd05070447c6d069005ee55d18

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ac35a0b70615df5aed7be40f47f7c3e8

SHA1
d0fa9deab9832b45f9fc45660f1374ac95b576cc

SHA256
25d681ca1ee764d2e041c9907350bdefa631130ad5a23b71dcd1ab514b9481b8

SHA512
ef325a9ee58487b741ed28d9af58cd1b779df90da8f394b50296e97b9fbfcfd3cd0bb78931a8c5553d589a837fb7c47e0cf24e08c0bfc8ba1fa31d7779db9ffc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
71dc6b4e405d03014d36185cbb08a8c4

SHA1
90c0363340e9e7cc451d16907b6a6563eb253ea1

SHA256
47f5b0ab50b342ab67a1c59e17c264add802d87b5c02a560f7ecaeacdf176819

SHA512
23436fe59bd96c55489938ac1b0d69dc261c8b3a024a41b473b96e655b2ad25dfbd296ea0cc37daf712ed3c47569f6d0a000103acee37d43876723297588e0a7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ec863e3989bb34df887e13e09920dca2

SHA1
b5703dbcd85cf1ef4264d4770d7387c2547585e9

SHA256
a0b38567bff11aa0e799b72409d589164a6049e7b41c90d0b86538a41e804305

SHA512
8f0ef8267d9a1d5a89ba7c2ed14f90a791238d385c92bfc53d5157760ef632e05bb308977ef731972fdb12ed8ac9b4cd3d59cdc3fa0099238412def03353a215

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e245810fbb56f95cdea2a4582043c34d

SHA1
2023f91e67bb9ebaedcec96823958982dd7cf5e5

SHA256
699351cef49e8a35dbad7706eca474f5b28be48de391f1dca1660a3d3b5f8d9b

SHA512
4cf5fc6b51fe45d80e5e984cd7502e48bf588a1ea0c4284ef6e9c4bbf06a8d7ca8885737e9b1bb09e72c846430392a9ed915cd620d5125f9b8f55fb046bde638

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4dddf9a0a43d09fe2f318b5da7267d20

SHA1
d198221446eb14d872298e2710fe317244e902d4

SHA256
779bdd9dc7db5c02e465b5fbe311154abb42bec3ba71f4e5926c97eb38df01cd

SHA512
9271ba52abbe9f3bd075d2f54bf02e3bbc5a030a4eb228d81ceca6787141de474e2aea55d317cb515db12db81dc23261ab6317bc9458176ebcf45bd2b8dd4b2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
911943fb41d42e8d7af7a78b11427d59

SHA1
c286c7d1b51f534468d5c16440d2ae9db8d7e1bb

SHA256
6383e6e7d40b9806684713431a42fa8fc7a9e7d3c5b3a28f43030b0b0b3b6470

SHA512
74e6adee849c2a5e94705ea2ff2ac44240f172b56812b1c6c9495002735cb057b09572ea6907c096da74bcbc02a7285a4aeb633776f0b9c3a39f9104c61694a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
dff1aa808484a439c61c49d3a5d583a3

SHA1
d54017f7547d47eaf97926a0eb224088daa7e8d8

SHA256
7f6359b368eeb521a0619881ebe7d013fab85f07a071ce76dfb5b8b1bfd14111

SHA512
fde670b6dfc28ef05d5f21a45dbe87045f456301481cfb8eb4d812de10fd867998a032b78607fe32adbd84a918afbe64625290473f8c96fa52b15fbe175138fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9a5a9a15b6069ed1a4f5b604b7338166

SHA1
4f89994302e731e38a02cb5088e94945087087dd

SHA256
b4ddc01737ac266359a9ceb7381dd9bd03b5166057594f50472af7956cbecdd6

SHA512
f44897edc323597ce0787c30aecbeb7f5c18d741b1c86dc3d49c311804c0ad7f083bf0e486872dfbbbf9781b25f924d9ad8e97b36e1b00b1f909b2f9684094ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
10.4MB

MD5
d954f71579d1acde1959636f431e4c4c

SHA1
504cca27cf1b934d99093422f68bbbf5c449ac76

SHA256
a5bf81aaffd50cdeac0c4668952a2589b8d37ef712746272d3506b1f9d56d953

SHA512
5f4ee96e16d7f94e7252d9bd190cc69ffca23b545c4c97933389c0eea70ab8d2840fa39e39234868c0318276778c3d7927f192ab174db1757cb82e0afb69e174

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f12864124f97fd630e84cf23c50970d4

SHA1
d0928c0ed0f089f3ca34db1f2e2b9027fe7f9639

SHA256
1e49c5cc5f00d6ebe31db3bdb7282939e1f191db099e1ecd75bdf5f3e7375116

SHA512
d473f6e790af97007d1b59dc1aac00b13a1e7c20be2fbb6cb485f551499fe51ba5b310f2e419cd8a1f663a5ac2b369d4164010a722926c306aa26b801ff17e2a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
532556494d50798635d63f161f654fe6

SHA1
2254918f7f98af807196a97361c17ade28d35a5f

SHA256
75147dcadc0e3977f785730c210e032b8ade6e62a2f40125765da5a3eb806e3f

SHA512
83f40818c5f8a10cd8bbbd61aebdbb370078f2d41df74278d9c308b86181f408e0571418589c3cd9e9866cc3fb58432f3cec05414a99d0f3e79604c705a24aec

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
485107c9889e1f6e2fdaafbe58356374

SHA1
acbe8da184190198cfbdd5cc0cbe3bb82b5f6872

SHA256
71ea2ee34c68322e89a95d7c2cbcd2866e18abd1c7f24eb9a1a4d5a2cf37b398

SHA512
84d9d5d13d7a184a7307b31191fe99a09ef12dcc8049ffe8f26a9fd1973552a653c8680180a2ad65af87a266cbfa597a1391655018c91b9810778cffd2fc4024

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0c5b52a99252ca669a5ee2939ce75092

SHA1
8ec7d12b3d3c57101e3022ead6437c82b123841d

SHA256
65459f08f2e54d6ec16beaceae240dee3cfe1eb800467dde119a413d6bcb260c

SHA512
3314416dd33683753ede13d876d0b07aea363ddf862ab7ef8e8d7507db3c7869bbff03085be70bd13744a410fa14846b8e9f575e0a3e7eaa41d20dd98544229a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a4cbbfbc98207079d876e15d39134635

SHA1
e98f7a9ef01903613645cb9dde94320b30c03676

SHA256
d14f72427f809cd0dfcf32ae3344adc3b47dd2901d914f26c798e30d830f2a94

SHA512
e1554b63dfcd8ae88f2ef32825dff1069cb9fe23a6080e77b24e8645ab67fd84dc938a49f1f73b24f94b1e42d564c5a0e29128c3d22bfe0a0c7b6d09376a2397

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a4a2f2ba2951a5837187d9a92bf46d7f

SHA1
9bd01f454a061fbcd6dc018c037209dc2f000b9a

SHA256
0b926f19f3ba9a2075c20009f1840ca9988caf6cdc1fd41cfceeb7116caa5ca1

SHA512
393f62ef738a20d79c228fcdaec34614afea0ab03f25c46f5eda05e70a8ba7271aaa1be301f0e84f471eaccde3af6876f481630ea801437fc4d90f8ac2c80489

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b1f2bcd51b141d5a6551174c78ee73b4

SHA1
4e1fc26466b397b8d13ac8d3809867384d85fc62

SHA256
e7f93dbf63797cc44d10eec161703f2ff1ebb703ee5db16871c68482272be0d4

SHA512
e869c291ad2d09040855ccb544dab98dc55845ea93933725d1e8865db241cbf9565007c88c98cd8d4a01248a25d22932c92c12b0d4888c243ceda59216e8a89a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8eb590a3d79f187d2bd6ce9088d79f84

SHA1
6edd588ff34ece5fcda5e77aabddd591f83626e5

SHA256
d73ab51f3475e026796141b9bac7ce7f6b0a35da1be4571c4bbd56ce1bd2a97a

SHA512
4b5b2ebcfe654da27acf81b2169e377607dbe233c62b37dc66f4b3e3fe9d0818ee40e8f787473fe244949b569cfe8cdb36d337104ea02ae93592c15f69bd6f7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
22f77dfd49932b824f472c21d57fe95a

SHA1
d669f7fc52375c5fb494cd895a2ff9ac99e25c64

SHA256
51c876c5fe7a65ad55bbba821093cc2bd4eceaa553c66600e6d39dcccaabd3af

SHA512
d09af1e1b424b7dca86d07eb5c2989f6e4615c8036bd665dce6d0a6df0c92c5efff02c8c1dae333a7638904138332291283a34646de8a00487faeca414593485

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bdc37a82e6268cc3d62b5d1135688a14

SHA1
3e847c10d17039338d943253b92d61b9e2ace806

SHA256
40c4004cc163af67ead7979a80716124f9242850f70357dead4c85edc33f7979

SHA512
94d55687c5360b491a375cec8c18f2458dc4cb8b92842c9a5964713f1c1e2abf0dbd8d476bec66207823269657860abe476b84559c0bfb74d5ac7f24aed30d93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fdcc20d4a4616a405af830d8835ebef5

SHA1
39fa7236cc3c60eba308b62e89639df7f0c61e3e

SHA256
74d70d7b74372cee104912cf7c1588b25275d192b3591148c91830d7c531e1da

SHA512
471a1cfa1936b9ad8de3125a5c81f5e65f9435b46df0283ef761825ac166ad7dec09d3e12c6651eed6c09f6b5d7d7c5eb911c1879844ffc6660b8aad1c15dd79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
345ac21f292d8f76a05f08be8c10c0c5

SHA1
d4c529840ca7e667134a22b34bde69860f4b0703

SHA256
2519d30b0db0cfd1fe59a11dbef707ec7d5a75667699e4476fffbb17449f5c96

SHA512
1f5139ca6f0d4718c128b2968cf384166dc7dc80282fd19ff44180f6a0f1515904f4bd8c59bec7da27e35de291fd839d2ae51e8ae35b01495e60f87a98233e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b309e228c4889a55c83e6ec7d41c1981

SHA1
8810cfcb039ba799d2b5590b1ff97213653008ef

SHA256
2636589652385e0eb72927bcaccb222c2fe2799e7c2fd13426cad4c815696561

SHA512
487ab74ba87dacd0ff03c4ddf37d97a5da1d4fa6f10fa19619aa713c455cb4671e742839f50b9eaebd78b4b1cf2005b15531473e28b233e3d195b2ea86a37035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
932b24d61c0a1b68f9938bc94879d2a7

SHA1
3d7dfa486ff25a4670af223b8a535f2ac789c2c2

SHA256
68a7a55ddb0895e3eadf4fc36c99f9a42dd298e6233acd3947cbebf78cbd897c

SHA512
2ed4120ff7238932e38561abea8fbc6bae7a6ff7cd68614948b1485b3275589e182a0561539ef78110149246d93170faf37a4355d7bf33df49105031491ef0c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
80bfe4cfe5c380fffdd1a7afe1557171

SHA1
06b25182a2cf8aeecb235cc59220088523578ed9

SHA256
94aa5c260571264d8f04c3e059c5d9c71ae5356ced0dcf4c09463977f7adc139

SHA512
800827165a2e56004e668465a909654a81717230fd11595614fc188a8c9a5cbbaf735abf27426bbf1a82ddf2ed7eb3a60cb908f189208615f28f411216ff584f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
dde33d14c402dc976b0df4580001c72e

SHA1
151a5900ad20e4f7c1c069e18cee04549057a6f8

SHA256
b9fbfdb9736b0aa18f5edd6a0bd8ba515b48990df7ab330a5f755ba8b5afc542

SHA512
0bc3c16445f584374e9e75e9862dba66cc3b1d60c54dd5b5fd9269a9f2f1c7458df26bca21ab83fc5cb206d69fbb9a14f36afa6f3b1c7ff1261d6acee24e4611

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f758de1b60b8a10bfb0e96cbb2543909

SHA1
a5102ca64a7e904e70198d0d407f3c2471b8e9f5

SHA256
cea2d71e3a7620dc770ec156737ed2fb79fc1beb4e28abc6f8aca4e2fb05ecf5

SHA512
9156f22a9b97641a83432b6b26bd90430aeed02b1e86475fda9fd296ae7b167952b309d0f8615ee48aef81f5c62bbde5a17075f8060e6441c0f54d2942dcd6b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c8e3466a36686dedd8456607b6ef8b98

SHA1
a487de84ee28a417be4723402da304c8e2ef9a2a

SHA256
a70e819f28840df8c72e4208ecb605c7331bbcbedab4adf15fefbef11421e2f3

SHA512
bf76449daf000ce8bf0cb03f5a877a07e769c282fb1d3f87ecd294e390d22b370e32870f1cea12c073110c23ececfd98e156c683b3eb7d2a1b6284a317b32049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
cde7a32f215edd75ae5cff1d2b40ec89

SHA1
e6f6935e3afa31c1a2d0b70542b56222343abc82

SHA256
1218021c7ea141d9f6ae2817be5f2f8eab6b3f47982b4cdb7edee3cd71d9f0db

SHA512
b3c2a8819535b05e017ef7936e9604a082237accc01d771421e1e93a8d82e4b86f821e60c1e3e1562f40508ce34fefc1ca7a06f239759ebb78b54d3df298dc3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9ca820d12d563c351293fea7591d6673

SHA1
7de0f4d3cfcf04e3ffef1db435a3210ed52f77a7

SHA256
93ee7454634a9998315c2f68316e3c71b85ab912339b94d8780117612dea888b

SHA512
ad3405e7bb0cb3119057a81b1698b91e0f81705284cee73bad289b410c61d23af8f6107111ad2c5a6a4e687bd3a643caa8058c28e8039b815d436d0eec80728a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
bf8cc2fa0773030906879fcbffe34828

SHA1
fb86db92a24c2c4d823995199f0074e8f40eb7f8

SHA256
ab151b71a61ea989f174bf81006f9e9f5ec8b70e5e2a10c222896334812a37b5

SHA512
c5d6171a10da72e84b650c11a5952d1be8ff2e2cda738fc20c6a6822d078efa8b676f215b9d258ef1e7bd8ff4f5d4eb74f52ad10e345c91a80eb39826586d4bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
035d65483721b931c54615c64b077db1

SHA1
5c63eeb840001af1d9abb1123b47227e50479d75

SHA256
4c9942a777bf3c41ea3089930ddc3ecb1a435bc9b7788df1114ce7976fe7daff

SHA512
1aa0c3ef5bb491fe6ef38515f6fc4384d49328f806bf5244ba25237ec8f77d1a78e3589a61151d88db18c65ddb5c865bbc06539753bfa4d38614b799507bf208

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0f5c8a6b1c87b3fc8081216c5b351c95

SHA1
05d900c3a4b1a8e776b558ecd913222d315edfd2

SHA256
0b16a502d0bb6db256d137a70f34a71f3e0bfaadddac08219efa6ce468c5a5f7

SHA512
a4408c8fb448d9994fc3ae61a137ddfa9577bc8fa737b1f56584e82e75d257d91fb97227393e3f314aaa0127bfc6079dab4c8c6e3448a6664bdb5521cda0999c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
65c8e4926b2cc9b56c8444700e9d5595

SHA1
dd68465d42da6abfc30bc02ae8b7e2ac3e45d00c

SHA256
5ae3bda5f1297ed2625e12df9c7ee5e1893a0e9f5b0c2fd807ab50480f5fdd91

SHA512
77f07512f0b0b06ea324864f2fd4f77f35057ea2a003c01ce79b818036be88bb1c2c978669670ae95228ebbd9ac172433262a0188acfc8bbe51cb343b4da5132

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c463fe8672859c157400a96584b2b71d

SHA1
f32a4332e655a0c988d4f6f3fa9bc6e0fa6215f9

SHA256
531c155ac2b6be0cb50f6103057b6810a2117a198c65a5205a0780058382a4fa

SHA512
da0e6f14af694ca806bd757f83a114f3cd6cfe55c7db2dc50a30eb894db4906520080d06e8c5b1c256a013666fd233fa1b748d24ec7fcd63cc58cfbe9d43f42e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
803dca5b5c7095944c8e50eb4412589b

SHA1
28ec4289384e3339caa66248312a2c511afed059

SHA256
336146a0b11dd3375fbf71b8cf3e187c30e65855e3e1e5df8edafb6e9a04c337

SHA512
a5c5013fe680f81effae5c56ff15e167ab1a0bfd13dfb7d6c0268d0b452c338b4bb9cadfbd5ae6fb27968c72b3aeb05cf1750ed16786780fd2b203bf3762ada8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
b6c422bb15aa1c2c268efae08dc40db3

SHA1
bb31bdb280ad920341b01fb5e7c720014c8b0b76

SHA256
27bf6aca910a639cfd1ff646b3b64d4e6fbedf811e6fbd4b4dddc85a51ec147e

SHA512
b0df27ed070715e75d2c5503fb7eb92204d0463ca252cbd7cadfbb5175faa3213f85d0d5e8ef7e1b323fe26aa5217f7bafd2b558174d71832f9172f8c6f82720

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
672b98d4a44f3bcd62caccf60b4c35d6

SHA1
df889310c445355b1af9047e61b994e5af79c6b3

SHA256
8b5a897dc79d3a4ae980b69057e269f2525f98c382ac0c1ac8a5545fb52eb2d7

SHA512
cd25d1c5fabc335a9a32ab34b8ce0b604086ab99f03b98ea6e7c8eccf9a645d031f45417a2cb79abb233975de81bdf9e3638d14f5cdde3852713ae06f535e072

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
35b69692381243a13b7b0eef02fd30c9

SHA1
43c17bd6ea2199313f43bf30e7b6d22379c59e45

SHA256
a73164f7dd72b94cd30a16567de2e1cd6bc838ffa1f323091a9e151df978ad7f

SHA512
8784a65c3ad40c74c6101b356d2add970cd730bd6345d9ee0aef4e2ad7f0dafb0d52a50f027e785e36432220c0294dbdd01c804e370207cc638f64921acfd174

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
3351deb76ff1d20d4eeb8379704ffd9b

SHA1
16557fa385d0de04921f53a7a5ea4459624d2281

SHA256
393ec747d829f0c55fdf04c05c1f87334f5bf27f46130c824fa42d9b9bf1bf41

SHA512
2bea087d8215dbd7eff9cd2080ee31c5b201cd2857fc60a260419542d937cd5e83624167b8c8109e7556c2e0ea501173be8c78ff55d0e89e38bf022301d80ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
943a34dda99177f838cb04d9d96ab674

SHA1
81adee413afd874bd7f3815dc2bcefe04c2ade85

SHA256
ed22971be2cfc424b41b1d96bd53cf3a66bc554f6f583f6f99d0d4191de0e762

SHA512
06c8516faf102ca6a11701423d81b98634deb17db91a5901e51200534885979b21165859ab5cb751135909ba3d92ebb5c3bdf0bb0b496930a3840a6b34877d92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
b1f296732789aa5366fc4e181ea7d02f

SHA1
b8bbb2eb3e5dac86e9a2f3fb39c475ead344aecf

SHA256
cc9da8b28e33065f35fd511cc2d1a7a2fe9011ce7d3dbdeb32b89f036b894710

SHA512
847fcfef4cf47817a109c5c046fba168fc65c25c9d12c123c256949172018e901e636d9a3585acb4fe150250a9ad0869d690c469f6d6022ad85e31edccd43317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
d868b772f88d8b805af9da9f5af395ae

SHA1
195079fda3bae5543fde1e0c6ea245212940520d

SHA256
28895d0fe8fc36148020dfc5dd7d7bcca6886261a31c249999b9223a1b441eb5

SHA512
aa6fb2a5782af45cd28f2b51c221639a0f2b4ee6dad65aedff780d52871dc25fdf77928c19e387bf44e65c1e68e219e0bfff7e85f459492d40765209faa018fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9e9ec2efe1d4246f6fafe31c0dbc6856

SHA1
e7d5adbd174b458759e8bda276f42d9984f3c731

SHA256
dd56bebabe160febade2bbeb859861a21cfd099f660da59192818665f15d0252

SHA512
14cf620215401340a537b17b8d2f563ae1941f172ec1cf9abf616ce7214f5a0d6f29cdbb3140667b6d304cf47f2f298d841ce82805f27a3ccd6a7f6ea5e67ca6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f7806bc05b176e06122df9018298b1f3

SHA1
4944861b153948a92e89673caa5cdc7917aefa19

SHA256
731d59034dd89d6d3b89221522ef884c3faf4e73a52ddb862288dc0a38262bf5

SHA512
46148f02a5cbac338201e336a552d28e94f1b2669778f82c74cab76852b82ec3f93e04bd5e00d29ea8a0a6bbf45e33c51fbfd68d3b4b7418f1b4b4a4efa04d2e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8eaf61225c3e05281de903e0049c8d8e

SHA1
c98ead73f810b8240437b9e7b38d75d44f2e3148

SHA256
d137c523572ac0b87c49a169f5920437f05afffec814ae54329f9d5c40225728

SHA512
d89bd1b3d4deab6424a1b81ed4b24d32e9b92590c5e0d4af92551c08b23a8c187cfff5f7d59785cf04d0a1c82c4d24f2404fa1a6eddb803df66e183572a112c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d5fc76d273265f272e60844fa72b3dbe

SHA1
e5aae0c82dbeab8c9c23592e1d113d89c15f0ed9

SHA256
e82b733069a0c61623f2c41bc9160f518ac4c97c865e5b346b003b19113911b9

SHA512
c76ef741a96cb14d0bf42aa5dec8aeee37fb95c91561aeb2bbe61581f0fb95f569ce0f2a5fb1140a39413cac6c4a778ca35c89e5ebb884d0acd6842f9b525566

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
52d3235b6c433e277d5c285ccc0b91cb

SHA1
e7beed389fe4cc38765dc50e0d8dd9234ef2e134

SHA256
4dd681d90bfe04244368bb1426eb3dd21cc7d1d14b6c596b9bae9759eec0e3f6

SHA512
0e74b0701eb75e8b205a447b2699cfb82c6961cb3657389adf9553a5d959936e01290c4b4d0ab3bb2f53f41b11e7c1ec1d2badf0b6fb3654466dcbaeb3a59597

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
48290a126c44c44d0f4f2a8fdceff690

SHA1
acad947e9b761c3b83c8d359ac3b7afc69862ae9

SHA256
eb345c567d514507edc61fe4d4807d067513b1f4e3107ffddf7c1a7bc0c2c502

SHA512
bd0565e993a43245a8e415e3f36c530a2d0d4b3cd064b21fd0ec2d854f9d0bfeddef7af71e938674cb58b18d80b6bdfdfb9bf63d1a43afc8ffc4c4965d363639

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b4307e2426ca4b4cf0b8cd10424aed63

SHA1
95a84ddbfcdf0e918168e5a173c3ac8f490c8536

SHA256
03cdb6c0b26dcf95997b1d56d1547d29a7b299e1b88cd481ed2873edbe9a9911

SHA512
7aaf0befcc22554657f5778cc912a91632816ce85696fd7e159cb76785a067314acc00ba2260c8ec46e6e406e4ea8584e0d226fa8d11cccbf2e973d1d619dc72

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b232098990a13a4abe935375a213ad85

SHA1
2700e429b8d10c75d596dad1aab801179f080ff0

SHA256
c5356641cb912be85d3d65119060d457a9e361d2698afdc374c192cc08d47d08

SHA512
67c978aa0544316cf8bbd68f4860a67a1072de88778dd8e2af77cde469e766a3224431221b98f053e200d9822c669d2b7b183996b559ab9c8c5b566773c55e1b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ba7d8f9c3979ce3b30c1d0fcd4dbf3c4

SHA1
16c5a7396896369d6e87b2be4e31fbded079cd9a

SHA256
19153deb20d16fda0d550f4b872792ef83845e8323a0e51731d61a20980fd39f

SHA512
5ddce0bdf06e0edfe685b607d49d11e40aa5f5d59b4660251691f1c853c928ac11695699ad33d22c5eb09f5f75a9373e3500c745f2ff56aac25d213ab3f1c417

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b680bb08eae6d589fef0ae8ed4942286

SHA1
7e110e4770658115ff3dc6a1fce82b01c285ab04

SHA256
cb077c82db2d2069525a3a6c7dc94b8e556a0a5207d71bd38518179fd6c693e7

SHA512
f6b02f2fc9f4aeabfe462e9971145ecbaf41500260a8787e5becd09049a9080ca03faf6790bef6dc2ffba14ef8e955d27b5c3295b87794e8dd0d5a39601b2a0a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6cf7bc1524935375915fbfb24fa17d4f

SHA1
a69c0ac363cbe7066b308c1d619c194561012822

SHA256
9e27c7459021f9a6ef1287afbfd07aadbbe81ec9f2e39899c6b1713a526cb7c7

SHA512
fb3cc02ade7c4d645be7b07627492dcbbdaf3aa6c511fdc06315aa724e3070a884548c8d6815ffd985ce960f3c03e8be38a729511aefc41aa0362b82ab199979

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8fb75eb24d204413f5f7b01c1bd3813a

SHA1
5612980f05e52121823209d626fa444dcd0eee24

SHA256
b24a7f01e72ba79b032989012474416009c712fbc61af849344d530c18a69c5a

SHA512
c5c3bd0ef304be2aad31864be847de8909f668b30953a52950dc187f6de6335c8d60f0a73151bc430e11b3edaf942d800e0f3ca56726f752e357a8588da6550d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
abe8d285469db9eda63024ea465ee061

SHA1
de30c85f309e909718bd287f530d9e591a209ae2

SHA256
bb3f0ed0e0271827c9c910c017432e82493f619632a1462881c0f815a357e61f

SHA512
16af749606fdb087bb183954a31a95913d5b9c53f254964aad0cd1259aeab3a3ade6f055682f4d8aad4ec1c8ce5f01b6d05d79cfbad3ba65dfe1bdad32c1c98d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
74fbbb8ad39983d18be69ef148253d94

SHA1
e4f3492e6928e61e8b8a62b76167add0b73d0806

SHA256
0ba967d6b605f042f4f4301d044d78f4cad66e913f26cb185bacae356d486e04

SHA512
fd60fcba94b938ba1da3957dae231c577038ae2bd65083b3562789811e318280b64a90c562f5fcb8f55d399f76f63dee83403bb67fdd291c382655ae3cf53028

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
25b8765f804032bf41c3fb68640f9653

SHA1
417334826e5558e2eaf6eef9182838a6bd6d50d0

SHA256
2c8751198b480698277ba011493b1a57d1f0837a1d4ab1199084660fd3dddf33

SHA512
defa179c2f4496077c0fa8bd9c8a5a4abdae4d2f6e014c42171094ca523311aeb4576dda480391c61474df15711826ed1083a57d083177c148809247bf1e2f68

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c1af8db56e7092470e7e35a8ef45605f

SHA1
a2b30edea49581868ee6c7b1a2d7d44d2634232c

SHA256
2d18702e4cf79783ebbf53947202dc565cedf7c1640c09ea705bbfb5d68d563a

SHA512
5170851810d522a3f5ae60bc189af2e91c3cc82d9b56bac7755df46c2991aa3b97ad27b585597d4dd15f7a49f921163379d7d48d7c9e479c3b605ca472c78a4c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
fd014fd2f61517f163c01d50e60904c4

SHA1
a7f235b3c0dc395cba5922e919ca806566d494e4

SHA256
fefb98cffb48460eb38f15562fb13acbd7f7bea72e8ffb10f42f8f69187374cd

SHA512
f9d8ad25922d7b57225584e22facc7cfc187d048098a4caf2e2cfb92d934c61a9133b4443e970705512c98f3ec2bc5ae0e64a01247025de64f39cbb3a73b170d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
7725a215e2470d9df67e5bb7694169d5

SHA1
4ab0fe72c39ec004a9fced8d0de43ae37b87b209

SHA256
df39eb910b059800bd1b6daaa89e56f012337d65d3680d120802a5e932979615

SHA512
e8b8dfd05307d4c4b5eb02f9fe8d6d83f5730a239f3c778998c63aab32cabd772fe3733441b1f8ba4122ad2b787158c45b2e7b30ecd146b8c37994e0e07393b1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ae896ba82a3fb0530fef7312ddc6aefd

SHA1
a6f55e571793a0a5b9397e3b2bceb2057a04c13e

SHA256
7ae9d3c320ee028141d214a197f9d2201abf6bcdc1159587f93c5b8aca2fa9a4

SHA512
1071ba8cd232ba2c1e016897d3c827c8d144f5615ff78a6760fb7fe1f556730a4cd40e472e4dab0ee558d7b8e2e02308ec852cd74d9aea3f21eaa67c9edfa6e1

Download Submit
memory/384-1-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/384-0-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/384-7-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/384-418-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/384-16-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/384-305-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/384-14-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/772-39-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/772-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/772-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/900-382-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/900-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1124-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1124-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1124-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1124-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1160-534-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1160-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1824-330-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1824-517-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1828-212-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1828-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1828-27-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1828-18-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1876-78-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1876-76-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1876-237-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1876-70-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2392-583-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2392-345-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2632-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2632-376-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2932-244-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2932-250-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2932-252-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2932-362-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2980-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2980-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3008-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3008-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3008-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3008-63-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3008-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3172-256-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/3172-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3172-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-365-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3284-584-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3564-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3564-591-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3712-391-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3712-585-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4428-406-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4428-296-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4500-427-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4500-593-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4756-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4756-596-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4756-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4900-288-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4900-394-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4988-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4988-592-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads