4d82516e069aa54565be4178f241b4c1528073f7af922292b261fa33e7745229

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Size

2.8MB
MD5

be9fa24ec303ab4f038984cb93033f6a
SHA1

8ecb9191aeabb4d2d823f2957582771912f49e01
SHA256

4d82516e069aa54565be4178f241b4c1528073f7af922292b261fa33e7745229
SHA512

0b9efe5895510dcb996db6ad7135ba3c9fc7d1106c50e265cba38618b66fcd1acc343025112b232bfeda722346fd465bd10ab2010125d1b189500f488e9c1741
SSDEEP

49152:OyRTHtTUoHyfJWRhcUWIzfTRVgzth5YNj/u+q554C/zNjteyUHBdH3Zv2fhMZaom:OaTNyNjX+0/Nte9BpJufhMZXbyV1

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3108	alg.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3660	fxssvc.exe
452	elevation_service.exe
1680	elevation_service.exe
3360	maintenanceservice.exe
4900	msdtc.exe
1456	OSE.EXE
2936	PerceptionSimulationService.exe
4420	perfhost.exe
4188	locator.exe
2880	SensorDataService.exe
4308	snmptrap.exe
2124	spectrum.exe
1548	ssh-agent.exe
1860	TieringEngineService.exe
2044	AgentService.exe
2428	vds.exe
1800	vssvc.exe
1820	wbengine.exe
4356	WmiApSrv.exe
2100	SearchIndexer.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c09cf558b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3dc54a649b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049c4eaa149b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025fb50a549b2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c44551a249b2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000197582a349b2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
3580	DiagnosticsHub.StandardCollector.Service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe
452	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4836	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
Token: SeAuditPrivilege	3660	fxssvc.exe
Token: SeRestorePrivilege	1860	TieringEngineService.exe
Token: SeManageVolumePrivilege	1860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2044	AgentService.exe
Token: SeDebugPrivilege	3580	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	452	elevation_service.exe
Token: SeBackupPrivilege	1800	vssvc.exe
Token: SeRestorePrivilege	1800	vssvc.exe
Token: SeAuditPrivilege	1800	vssvc.exe
Token: SeBackupPrivilege	1820	wbengine.exe
Token: SeRestorePrivilege	1820	wbengine.exe
Token: SeSecurityPrivilege	1820	wbengine.exe
Token: 33	2100	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2100	SearchIndexer.exe
Token: SeDebugPrivilege	452	elevation_service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4836	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
4836	2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3832	2100	SearchIndexer.exe	127
PID 2100 wrote to memory of 3832	2100	SearchIndexer.exe	127
PID 2100 wrote to memory of 4396	2100	SearchIndexer.exe	128
PID 2100 wrote to memory of 4396	2100	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_be9fa24ec303ab4f038984cb93033f6a_ryuk.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4216

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4900

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2124

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2556

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2604

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3832
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
d04f612b5a482b41ea48e454b9c0bcfa

SHA1
5691ce07261d79efaf7f6d1bb46d5c52247ea1d5

SHA256
813eeb3f172653e25e6168288f01f953fbf1b6b58135ab9167a0c93fd2d32e57

SHA512
863530ee411243fd7f7de53ce41cb18b4c97ca0c898edd905185b0c539dded72fa8eed6cefc5410111d0f10e10a02fba2fbe18a2b865865555e65b315c9e88eb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ccdd0ac08347eb85342346a8caa2d2d7

SHA1
ded0f7094d54be0b708274b53395525441836fb3

SHA256
0f434447d62c49333778f0b0e13069691785d37141dbc5f2930339239c96fb76

SHA512
5fbb20a771c5faa056a89aed3b386d046fe2c27b628444c410f251974925de7097df1389cac79c0c994c6a4239750bc158499cc8a2cffc6318547537d93abfa1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2900f0dc140699398e4d7a54eec22e98

SHA1
d8025b9c609eef504014c9891f5621e9d2dae7d4

SHA256
ddd3419a2c0d6eade847dde4fd35524f1c3f3f9b62d62848fc69a6002a3d965f

SHA512
127221c9d9b1f0bff504fcd66817df56a806a6840e066a61bed8ab16676ae144d42b21fdc7014519eab57610cabe6b7e33d45ae71e7bd0f610ef9a9ca5201764

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
202df66ebd014975c59f9922ffdc6f5a

SHA1
906c7bf2337e9461b763080b60eb4f85059cb54f

SHA256
c3b9cfb67bc1b3fc46e284c2cbf968a65eaadfbd5db918b809cceab5b732b529

SHA512
c761b9ddff0158f77009ef43d20b545b61544aa4386befe6fa29a596ee2a76f2670795539f94b24e915320c5dc3dcfc2ee1c49f0a45d876db0907de70f4905a1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e05c157c0940af9108ed6cb93665b109

SHA1
66b7e824d8986831e0ec2b010247fa3fcd66f00e

SHA256
766f8e9c78f2cf499732c13f22fa77ed335cbfac47b6ef186b778f42bad17b56

SHA512
214f70915f233de336aaa7f2925885283dc2603116ab0910956195b814e792c4f2d7ac89e5d5cfa40e0c6a2a174dec9dd32481258a80a713312dcfa389ad612f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2eb95419838eba83ab8d8142140adbe9

SHA1
ea5a58ca88d77ba09b98e078731cf138ccc4c632

SHA256
a8684990599486468fa287f1c79d88af4cc335acdbc377ba2e00b087a1b05424

SHA512
22ff9e58f4be05c0348a19e86367a544d565a2e8518dfa223fd0a3020570c865251977639419ad390f728d5e572bf3edb9f4efdf0e59d80d314a6e39f53e99ff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
889bbd7199fa640cd845317cab86c8e9

SHA1
8cf3597ef50dd3ae21e140c075a23a4685903f79

SHA256
7fde9091b4be26fdd46c3b842dc59794ad9f6d052a0453acea55ff39b9eda1e6

SHA512
4c8a0ef8c6d99b39833c239acc14036d8a4630d86b516a701ee459914101563ed1aba18857a7e7f7159d08fdf0c042e2925469078ba070c38c0e85d14ac538d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
95dd4815124a300067cbaa02b93449d0

SHA1
939034be87d47af0aeb61367203728a22f6d40b7

SHA256
c35720c0ec05c390a82519a1c9a4d52ef043695476fefe8f9cade9643741096b

SHA512
63def4d23f09f644fe526071cf78e338467dfd82521644a8139b62078b63324f4b3bd150f1dab08419143a756a800d0f639bc989470db4b593670dabab4e634b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
75595586d695fc20bf4da2919cc573df

SHA1
2fe0eefd0c5ed3e80a953cac62c1e9998ea6ce44

SHA256
1e5e90b2116fd2c910effb4926fbf28d5401d5083a97814d4c2dce36a0f6099d

SHA512
f42ac505b90f82d379492d7556209cd8f2acbde8b7939e7708fa40cb7258bb75ac3e31289b183e7ebe8563a3a8d43948f4934a420b36b6e2d395ebf37aa55064

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
43cfe69008b92ccd26ea46889a1f5917

SHA1
d78aea015b12b27199e1c5b12b7ba4069f978a37

SHA256
1d961c78051bc9e373afd6425a40594ad8d8d60c4d8af7756ba3902f2d0f936d

SHA512
59c400afa7c210184d126ed468c875cea6219c3eaf7adc16e27d448dea080b4c25513ac26b969f9a9a43d6c2836be261e2fb617441131d80af7b381251795569

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cca35280bea11019211575695a61d818

SHA1
4fd5256543bb03647752fdece183c2c66f3eb06d

SHA256
fe0793fee08802d8a77bb2be69f1c1e36c3b8ee71a968c76e644a7b03ed7a497

SHA512
eeacaf82bb61d246dfa7f196fc2cc7e4ee3fa36a102da869228880a9ac3aead72055ce02e78006cfc9e1af99565097cc43bff54b956704cc5b4436ef3f83d0ed

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bfa6733aa659599881fd002a1290a56f

SHA1
7b7df9c6c92d3588ecb964161c310a38bc90ff77

SHA256
b096a4f80f65f5d335dba4bf26660041d42c9d72f52083d264bfad27c3f2ad25

SHA512
e9f24e9f622db3fc2428942bd94d03aad24c70be3dd7f087b79a3edb94399a032f895eac7af2b0a675f30c08eccf02e080f242432b794777b453e0b8886cbd26

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
457ac4274b8731458f650433b4dc252c

SHA1
b3578d89b10636035f5eeff79c99b3ef0951cfa3

SHA256
6c7777da0c7fefa275031320e13c9c696c774fd2e89c98a3a0293b09c8d45ade

SHA512
dcb13504074b6bc65f381118c1fca74fc6558fb297defb6d32804a339defcfc3b2fed2352f0f9a5cbc1b3e7a9cd6a61c63eae3b8b7ccb5f298be90af35e52508

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3f4255526e5ec8d7167aaf8f896b5755

SHA1
d840bad3d95b363d7ae8190cfedd17e1f0c122cb

SHA256
e40a2c69cb1b495e872127afad466b146231970443346cf7423cb8e8abf87e7e

SHA512
cbd87bcce753ea2f77495fcc0f181ed6c1fa22c5bc6f53926ead80e8c62f93192fb3cbd0db42c2f7084d912ddd9433e939b05bf7b466f99ddcd8fa65b098991d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
e208afff4a642e9b92be603deabce8a7

SHA1
5bfe2abb9b0e84d21cdc14bf5c21410f9fe3531c

SHA256
7997ebdac29073ec9e317074646d72478934786953d3c79d0c6094ebe9553a68

SHA512
a77b42e5d0cd06ff8c257bebbba3ce2e358dfc81dae837b925fb23eec0c020aeb720225a15039379d16e2582830975e2044db34e179ffcc0865ac65b1fd3723e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
1a36f8e5965133f7730c6d4b23871d5b

SHA1
822bf37453378ca88cc5a7d39e42386e2743537b

SHA256
3b8f06102434a59c58c24e4857f5ccf259b90310c2d06292668922e96c3d43af

SHA512
0b658ef82584d864dafc9397f7bb0e3fd396ee70e024d7c688167eb34b1ed052715269d42e2ecbd8a90d705a8dd5cfd042ca34238af115532592d51d19bac0bc

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
48978d509bf61705fb212bc237d13957

SHA1
fda19bbc70d9bb77032fcdced2cfdd1cd21beafd

SHA256
4d84f7c82af481b3ec6dfade5746e65617b7823202c567b11babb2cea1b1c29f

SHA512
991309f106468bec70342141a0ed18acc104302bfc045356c80dc6ca60a74b4d4766909370cfdc0b65c2cd3e2037f81e9ec43f323c6faad1a743cd2d863f78ca

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
a97fa02c53901d22b0c0abd965a4e451

SHA1
943487af13db4692c41200b2afcf76be6c5304e3

SHA256
332cb78c00e641a243172f476ac369ce89cde48383ed6ddc9a351e4016b67a7d

SHA512
6f6453510af8df96adde0d9f0aa472e62e141914c52d27f5e06c359507dd16ee2bc34be8195812e82a9223b9361da5c9b96fd55717b131d95ec7873f2356c2db

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
63e3c015bef72fffc3c48e26d371a408

SHA1
83329804481749df42478150a1c71df13ca2baf5

SHA256
0fffd0d8446d590162453cf95291e27946ebabb6d31dbf32b07f816986111150

SHA512
502efc56c51a56823be60fa2606b6357703aa78baa846898daaf653ef450d92ce3961bcfac5045de8acf6702813d68c926eaf61f6b1bbf75b7e6dfa3220934db

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
6541a96aa0e3d3ca12750439eeb2531d

SHA1
d4cb840ab3217c3d617e2b792f3b8bcbe81412af

SHA256
1d806e2c981771b43294c5dbe339d6689abf358f44231daf4ff28c87d2e85f7d

SHA512
7bd0c190711824c65d9185082b235c960aefe596f5d8609b8fdb6a916f34e40dfbdc3b143c4abed59c0aed4b46c02d69b355579f35092ba6699d5ea19341d38e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c33a29dbc9892e343c5ba9025e4b9b6f

SHA1
3468ad795461fadc4ab04e4890617ebdbbb9ca04

SHA256
947eb4951aa667ade38324d45997adebf8575564131aec0107f458ab92a349bb

SHA512
a1b09bcf261dcb28e7576ee88a7eaf73e61d17f684408575bd91d9231816a14f03c3e7ba147140c7f74042b14f37116aa87ecfec941d1af7d4e61ca4381a6f8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a27d5a036ee1dd6493c5a8860041bbeb

SHA1
f19ad3bb173ff8e46da32912532dff62cf42c247

SHA256
a55c86cda00919bfe43457a108ac95b4a7957119a2f36fff2e011a15b82a3bf6

SHA512
a4ccc9ca352c654fc28ee40f58ef3df9983ea21329334f8be0c5a9a6b31986d1736e9c5a3406a360c73df87103bd54b26cf431ad0c5babd59a28a5864bf6a485

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8ea3c0cbadb051f93415fbca86129d9d

SHA1
abe731add95f69ff9822ae49cce47d4a1dc48b7d

SHA256
86de6a40c20ba591723470d89ff7f09933c209189535ae9293d484353fa85f86

SHA512
5d7df0dbe7311ed873d2572066ec1d60d89fb2d6900415bbe39c85665e365e5beef69796a13519d4ed53ccda503a02652d59fcbc96dcfed095c9a9f210fda202

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f7d62f559d97147c7d22a9df79835071

SHA1
d2d4b07dcab7193bda22caf13c5415eda61999fc

SHA256
384aa4e422a73fd6fbfd4422bf6e384b69f84ce8a3676988fc71300ee082a9ec

SHA512
8ac43ac7e71ffaaa179d0a7e2008bfa1f99caa5b01a78a5accdc4633891d63f1ab55ca7ae852e71b9c5deeb2581ac98456abe0043e3fd9fa8cc521e9b0b85100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d4ba381ccd66a92f6d7dc06569c6a825

SHA1
250bb84c3e6cf341755dc5342e701f57914e3744

SHA256
2f1841b7e3fc16bf247057f5b3cf249ccf0ca443896ddc67a9498f4b58646255

SHA512
306e7774e465778e7da01f4e5e13efd22057cbf537f82bce63e339fe9ba58d3a0dce9599514efe79fc08614a386584f15c8b95d6c7c7f1cbdaeead51dc2b28a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
3157cd256385f3de021ca4839e7e6704

SHA1
4f484aeb714f106abce17a150388da0c832785f3

SHA256
38e4aa1375f75d373568c39d3002b9cac7d1f24b8157929490d45e9537dc75b7

SHA512
7a59d83422428c03b59d61d348c184b23131290c41cb79fa6bb71b1632ac4cf93f7e4ac82ce1a284e2a874eea21c46730e08b8b93f3b852a44f6f2788f5c2bfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
c993033f8ceefc2f7be87e0f883f94ef

SHA1
0785551495cbd4a4be4f23a81eb45823f07b8df8

SHA256
3556150250aa8eacd73c8a6bee176148df665ad3993faf2055348d828b5b9f99

SHA512
17f76c60578902a74225116763b1e78e2d0db7b2503cac5243f3af21b1f5eec0009f02b24cf74ea6abcf7a049d6d41670e79d2e3c1242d1b8fdab4800af31bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
8bdec231dbc15732ac17680974b776da

SHA1
867e5f541f5514bbb95063d0f9f05f04ca724859

SHA256
bfbe023c4d62685182947979d736f84809e35ac9c2041a1485e5d6ca999c8418

SHA512
dbff6a1274d34e4813a4cc9148c09fd5dfe9c80796a9cee786c7e7b16c70db48ee8ea2ac7178876212f51901e91e0af536eb734a3e3e7f75e5456ba889a6f77a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f3b81deb1e42fc8d857b27b2f119817b

SHA1
ab9b9ac8eb3766f55981742d4b52bd165b691e29

SHA256
f65b4b3b7131edaae1f42b62c5c9419ca0436725ed91dcbeb65fec6a08c6c7a4

SHA512
9a8f0b38d4b69479e4b379d7d006db784a81f0e445dd3ef28e8d63f90fa318a9097dc717b7a7b5a02d7a26ea8e3d583d5102a7262068a8eea2e150afa55cd059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
762a6b68cb556401edfdb4d5c27279f7

SHA1
e71bb4215d0b4120ce59cdf6684611f244762d92

SHA256
eaa2f53611846bf0676dca3e7d8a3e37edd5c141d5dc980a6c0481252d43d388

SHA512
f6e8589d402143ab2bfb34fed0916bb51b768756dc080fe1302e20b14c3aeb69a1edd905e07dcc2e2db46af9a7ddf34667cc4bf1555038793bb818dec4d899a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
915f2126ce246b6e4d3a118b7c356223

SHA1
6afc7c8f6b0c70ede813783a68158fd9e5a1327d

SHA256
646b51f2fe7d47b51aa8a71d9f58156d23a6f5a54786712453b441b49c4af4ea

SHA512
842c7caee5446e6b6380c9991eee36a8e850890c4c1780295e660f6838ac91ea7a7e22f88fe9699b539173cd6a332f663347f111a1de1132e5b6f7b0ba02b2b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9d7c6f3ba23d7a52e52511b4898a7ab2

SHA1
f05944d652ba58a5194b41b69fa89595b0c5a33d

SHA256
a9dccb43d4bad7ba706d24b557bf44cde237a74ff9a39cd4140370bcb18dd200

SHA512
f30b28578adb11f441ce0b2ca328f1987984ca7a484ae20b7a94f116836f1938587e65b5e94e266c586454213ca94412d8b0360ffbae25e63dff2d80b8b44582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
cf77e834137cc7fae14e2c2721392564

SHA1
626e4749e6ff6ba95bb667c5c61b0d20e25cd61c

SHA256
ae65700d78489268cdd79d93111f65deae26a767e31313d5f8a473899b190cbd

SHA512
f5852a079dbb5840253539b76cd8538512ac407a21d65ec28404e5c1e87e520a9a2d94c29c0bc37756e63b67a04627004353aad45e960b42a2c800c773b5aa3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
16e7a066f4f041bd153de0c3872d3ada

SHA1
c48b4f370e7a44a2a8eb61d11932e24ecff5cd32

SHA256
e3722e3bfab8a17cb5815f128ba856a2829751560cdb10d061998b4d806fdc6c

SHA512
6747e50f98fe6d3b2d37f5b4277508c509ac4b5453b2e50aed46cbae7ef0feba2abc6a7306e66be7ec83ba0362e296b9d1099657914183b26f47fea28e47c2d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
0422fab3c78e6d5921fa643059035e05

SHA1
df26e79efc031c717f66bf47d383fd72ef57b045

SHA256
aeb0fdb74674392ca17333569322d1f5577a64a1f559526e3d62177d6348488a

SHA512
91948a5b800644079ed069fff5190ee886a9e3c6215677b86e307d298154af5fb5cc862648c59329f22540e31a0ba631e2da27b823a2c25f4631eae38e17a309

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
64ee0128de9bb1704f070f1406e1374b

SHA1
49ff14365e7b685cfabe038b471401f15b0247e0

SHA256
96d10862109a26e7a51da1a1ffdb483b7619a06c2668b5dd9c2502794f22a237

SHA512
ad928f6fefb050123a8f833f85262b10c35e22a7fe3f19c9b512c4dff03117ad737c82143f1048f2ce0cd273d606751301d0bdd51454cc87e7a845043c926bf0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c09c76b1e0e8774740fb47e5a1307ef4

SHA1
7f10a8e7e80dd2e24916840fca376e0f05933f19

SHA256
096a57a99cb58833d616e5cc421e604beff130936fa521c7d8aecfd038d019e7

SHA512
50fb342ce8929a1b7f82b33e1ae4c581fe8b3abf2280186f5ed70877af48b33e37038c4eb2eb05959b5c76424b8c6f54713ed79edc60237d878df97660661566

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5cc8a8f900549dd6ca93ca960cf61505

SHA1
9d1d6985434d23fcf9370fd6a04510bebfd1e676

SHA256
2a2372830cbcfe4d4b0dee8fee9400e2c4c3028517cb095adc1b77a6e66a23cb

SHA512
b56fbc16e4c5c9736c74d03c23a5b240798d6b5ad546101ba5c7efe60ee0a4a134519f071693dae1e0bd4ff107a586f3bf2a89faa1c9944f16b085e77c60d7a5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ae49666722f22fd51bf686d73cc75f33

SHA1
9423ec7dea9b7316b9d9871d201425ad4a933e75

SHA256
9f9f40a6036b871444a94bb3145b5cef86fa2b8940460d09e70360ebb215298d

SHA512
c7a49280b0202c205abb2251300e43d77e6264e6e9cb3380117abedb8b8385a89e45d709513f06fa30536e7c3a2d5c7e343b561374a20b7cc15ea7b4f4b18530

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b68d4a786e140e7172014a48ca49f276

SHA1
a657c882630268a371ead405ff91bcfb6213cb29

SHA256
8418ca17ec71bbf31942a6dce3f251b6330c7efe2b6b54ae915a24f61e5a7205

SHA512
bf903cadd92e262287767b2492677093a266e1112ea68cb6935961e0e352197c4eb339f4f8bab7ac34f51c080266ce402f98bb9f689c338b6ceb790a1c6fe9e1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4c2457f9329300e34ed28c2c0e4541df

SHA1
153e9ad35faccf0e00c3417e4a0b6c62a47ac7de

SHA256
c8ed74d1e61f0c1047ccf53b121bb1e38264a726c907d880920bd523d98dccf2

SHA512
924a38fccc924885f8c91a7b38ced9b8bb6747d8176ace90e7393ef5baa29a38ff8fbbc2cdce838b40bd1dd403368d9b15a0420a916865042148cea7c72c518a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
809a5fae20e966d4f9943fd59192f5b1

SHA1
8a62ea8e30037a2c912a13f71f4f566ae698fe62

SHA256
ec4cee2a5098d1c9e413e373bf2f5612ab7e51d36c35f63b4b99a80382bdd274

SHA512
1cd42743ebde91f2692b5e82102c35146a193d916f6b6da77fd1685ec6cdf23d283ecf2632780bd63609dfc1b8701a6c9c7b952a6939fce7a8387d0ab081bd48

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
f32623b849e943fade4d0d561c8afa20

SHA1
aaa618292e21e11af1061d8d0b1565cda1ecf961

SHA256
848ddf021e8a860b3ad01a9769412d433020d2051ff6aed1df508fb9c578cdfe

SHA512
46163d491046e9f1ccc0cab8218f3bb7eb0b1feb445245e8fe0cf7029e0a73675c9d49491185a66e71a4f1a75bbae10f1ea57d8ee4fd9cc0cd537927484f52ea

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
efcc8729d02d65887cfa71e3733ef770

SHA1
0fabfb1a27c2d9cd08c05614a6a25f3aaae54a36

SHA256
d82efd4887b5b944ad3841aac7f563243ed8cb0f216e639658328063345bd0cb

SHA512
3ecac60f5697636b7dc31a4157011aafad897185c3466ebfe039c199a419d928d13e57dfe1063e2f366bf5e2f4d2a84f612fbabe3d2649ef3bffec5f3d23a0c4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c737be925c3d4be359b23e1bb8706358

SHA1
395edf1a4ae2a7dddcc941190111dcb97936dce8

SHA256
235cd2792246d7a3551ecb712686889428d6b9f86ffc421a9e111bcc5f09025a

SHA512
f94b5b32c25e34769f69e017c5946839a3ee07afc66e880b0d70ba1da84a027075ca37cdbef55ec3b00abee682118f92db41ae0f4913f40d295f354f8db5544b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a249dc5a8ea261a71d8d12091e32c61d

SHA1
3a584f32f06097a8fa90082a8f4147a0abc04a21

SHA256
acac059f8904c47f775e4c16ac0b185d279b70357368b3eaf337c44e66d06bbb

SHA512
2a36818e71f1c804d9469a9f413388a358d3f6e60a22d694783a8d70b4477cffe32801e52445dc741a0f71f5583a2f9c7b0d780bb248960c984e6cadaa82a118

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
62e9d541a9e7a9ba47bd1afb36c7526b

SHA1
914de0d239296608b017887a7a6b6890ec3ed22e

SHA256
8febcc372b4a5f25350599c1862ae0687da7a4fe1c4bc916be2c70ccfb344fe5

SHA512
3bc92e4bd2102d37fab3cadde118aa60fb8ca30ea7c5f95fa070b344f9f7d315c6e34c772aa4ad4f1dba53598901fc2bf08719ee4b714c0294ed0262fea1779e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d6b4cd462b10f8d7c51f8bb1eb784e2

SHA1
5990980c7848152af04987a13e4df428bc4ac4de

SHA256
0304cb353dd38f7766712ecdc2a582105e9914054507361e67e5cb1d47b85454

SHA512
f2e5a00c693a13edac43718293d0dd188d145b916a3eb725617574c86847329167f5ea8562c4803a0d1f188dc140c7cade3bb73afc323e54e71add28154c2f85

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e75f0a6eab56a92f5d57f32b514a885f

SHA1
0d471d4c4f6c7d3f79929a035924b75644c6d6b8

SHA256
c1bfe3818b77060bdadf0920ed4b588d152179c00571ce3eac7ec743b8e19a1a

SHA512
f576a7672dfa930552ca68717d7f8c4ffe521878912fbd3236e7eaceaca876d23dabb9f81fcbfba21e50dfc846fb26651fbe042e6a69460c62ef898725848ff7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
75b579b3b1a3baaad317034a9b2a8193

SHA1
92a78ac363688a65f735c60317d98dff205eb93c

SHA256
30c1432c94707d758353cc46c9490b82a938407d3b5ce8c743649410116a79fc

SHA512
0a2c9cc564843d49acbc18dbba6bf6cd90909efaa92ee51b410d578748271c3c19e9200fa0a3a3dc78a851fbeaf73dd7ecb7e5b8e044edd59eb093e2a15aec26

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
bff92f0e020184f9f23c6d900211efc3

SHA1
9652a1112767e7c959b2e98eaa77e8b4a28570b6

SHA256
a60b50f93016c4d1963eb6efffac53f273179ae296619ae88575145887f8c126

SHA512
b84e7baff436e3f71d1b161fb2a9bc90182d6acb5297b2aa539f6b92df987f5e809553d9c03e9ae546150556accd32aa99bd2894665035999279b6177081cdb0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bb728ac3f785b56f08d812f43d25ee5b

SHA1
8690db28c9a2615d5618972ace28f2ce378f52fa

SHA256
027338275bae2476ddec2e31dedb2c9bd3a151222eaa40f9c6f58ff3983d66b5

SHA512
413bb7fc75e02cc9a8c954885324fc0a3dc8bd59f0861ab74d672897d3dd235c83baa9669f18f6ddf44bfa07d59796f0f92888c7e12ff4ff08c99eec75f37c1b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c08daeabcaed2efca1217f81d447f802

SHA1
39afc9e31b251bfdb7e612244d39c4b6396cd7f7

SHA256
38dc8c2110b99b1687345f91e9489079b5e259687475cae8145b664f67c22632

SHA512
4742af7172751284dc71e8455cdb84bfddae1c16020f8e7c6fed35a500419c6d9b120cbda274a2d74898752ac16bef1d4ffd85f094ac9a66b50bad2999828795

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7ab9e9c7dc6df8ac6fb406979c5a2bc7

SHA1
e356ffbf511c5ec7c158c9ee42fd4aab4afeb5ab

SHA256
b65e34fcdb1700d5297755e99455bded8d36c0fec115f6ea607fb4a777a2a1a3

SHA512
f27c5c14c497faf47e0ef7b34679a752e66f3b04adeac061a4563277071fbc18cf5cb66685fa88e3d8c6f65761c254c98492c1b65791de7bf234b184f9ca1e88

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
71131f1ca65a7a44a2ba897d30d502d1

SHA1
424e195e85dc67a3cef6fd2e083f8c56ea96df96

SHA256
f6b85f9f3a2ae9ba971c2653985eba1eef058d160313df27dc28cc93415c9695

SHA512
48d44663bdc37e2c86721a609805d01219d1806de98db71d9ce39650af02f010a640bb9ad09e84fadd3f07b2d360c72c3a4ca7ed6f96d090acbb99ea91d158bd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
c22aa0a4757f706e379d236a26898fff

SHA1
13646f08351c0c79d5def92dc42490ceddf4fa13

SHA256
370792d4cba55e81e2cd188a6a358ad1808f3e5b892e467da8feabd31950a203

SHA512
267d25db14cfd26450a267a0ea6617166e1e5b5a7908456cfa793ea9fd342ff13366ba535a9a3f70439e82758efe0897d8488a5fc91d07ac32afd8d5c45eb8e0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
98f962cab50066f8c95b4e2a2a233ac1

SHA1
cd9f8a0b354cf1125430e6d29b3849dd42e563fb

SHA256
a8cf99c8d6a4647cf3d8918de6ba98024d4b3bd5bd5090e2323b0bfd81ad0e2f

SHA512
1290b25f771fe0a92906390c6bd5cdd23c8a3dd07b6857548a44c1ab4c9fe905bcb19a329f9158e561d645fa03e65c5b32e32c66eab27413293032129f154ec2

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
af01ebba9b70024269edbe4906f75beb

SHA1
da11541dbe7dd8acb90a982a216d4d90de669ce8

SHA256
15a416ecc81e418500b55381999dba33a2a8b4d60d0eda74bd63908021f080a9

SHA512
6a9b69922e5a177552371d5990858daf2384370d5e2b193c74827b600285065529bbb1de31b62eaba0a0582e9f2fa3b67e49004bbb543a140cd3fc4261d67fb5

Download Submit
memory/452-40-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/452-34-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/452-135-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/452-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1456-81-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1456-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1456-75-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1548-344-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1548-162-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1680-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1680-144-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1680-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1680-53-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1800-362-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1820-365-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1860-345-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1860-171-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2044-175-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2044-176-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2100-372-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2124-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2124-136-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2428-359-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2428-444-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2880-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2880-203-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-93-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2936-195-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2936-87-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2936-96-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3108-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3108-101-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3360-65-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3360-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3360-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3360-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3360-69-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3580-25-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3580-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3580-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3580-102-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3660-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3660-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4188-113-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4308-309-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4308-124-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4356-368-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4420-104-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4420-103-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4420-109-0x00000000008D0000-0x0000000000937000-memory.dmp

Filesize
412KB

Download
memory/4420-218-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4836-180-0x0000000140000000-0x000000014037A000-memory.dmp

Filesize
3.5MB

Download
memory/4836-0-0x0000000140000000-0x000000014037A000-memory.dmp

Filesize
3.5MB

Download
memory/4836-83-0x0000000140000000-0x000000014037A000-memory.dmp

Filesize
3.5MB

Download
memory/4836-1-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/4836-7-0x0000000002100000-0x0000000002160000-memory.dmp

Filesize
384KB

Download
memory/4900-174-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4900-71-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download