38ca0cda0d1c3a781bc84b8b3aff122e329ef4aae45ade5eea4a6294b252664f

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Size

1.0MB
MD5

05db338b311bc456fee67e84307baa58
SHA1

489b681805e8e2426a7b288b3e4f9326d432e3ad
SHA256

38ca0cda0d1c3a781bc84b8b3aff122e329ef4aae45ade5eea4a6294b252664f
SHA512

aeaea6099c792f0948e4a5972f98a0e08e219ee4ede4ef4ed740a97bd8d523bf8cd7aeee125daa4d312b89eed8cf220ca2da3be2e1e84af979afde86ec73d981
SSDEEP

24576:9iBEkWqwXeAVmYzsqjnhMgeiCl7G0nehbGZpbD:xz5Xe6X3Dmg27RnWGj

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2920	alg.exe
3772	elevation_service.exe
2124	elevation_service.exe
4572	maintenanceservice.exe
1668	OSE.EXE
5024	DiagnosticsHub.StandardCollector.Service.exe
2020	fxssvc.exe
4544	msdtc.exe
3788	PerceptionSimulationService.exe
2824	perfhost.exe
3556	locator.exe
684	SensorDataService.exe
3384	snmptrap.exe
2204	spectrum.exe
1648	ssh-agent.exe
2752	TieringEngineService.exe
3156	AgentService.exe
3352	vds.exe
936	vssvc.exe
4100	wbengine.exe
3324	WmiApSrv.exe
3672	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe\""	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c17630c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021d2cf7da0b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c44b2e7fa0b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006be5c37da0b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e692127ea0b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e982c17da0b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000871efd7da0b5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045ba197ea0b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd96d47da0b5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe\""	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3772	elevation_service.exe
3772	elevation_service.exe
3772	elevation_service.exe
3772	elevation_service.exe
3772	elevation_service.exe
3772	elevation_service.exe
3772	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1028	2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeDebugPrivilege	2920	alg.exe
Token: SeTakeOwnershipPrivilege	3772	elevation_service.exe
Token: SeAuditPrivilege	2020	fxssvc.exe
Token: SeRestorePrivilege	2752	TieringEngineService.exe
Token: SeManageVolumePrivilege	2752	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3156	AgentService.exe
Token: SeBackupPrivilege	936	vssvc.exe
Token: SeRestorePrivilege	936	vssvc.exe
Token: SeAuditPrivilege	936	vssvc.exe
Token: SeBackupPrivilege	4100	wbengine.exe
Token: SeRestorePrivilege	4100	wbengine.exe
Token: SeSecurityPrivilege	4100	wbengine.exe
Token: 33	3672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3672	SearchIndexer.exe
Token: SeDebugPrivilege	3772	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 5456	3672	SearchIndexer.exe	132
PID 3672 wrote to memory of 5456	3672	SearchIndexer.exe	132
PID 3672 wrote to memory of 5480	3672	SearchIndexer.exe	133
PID 3672 wrote to memory of 5480	3672	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_05db338b311bc456fee67e84307baa58_ryuk.exe"
1⤵
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4572

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:2964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4544

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3788

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:684

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2204

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1588

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
d3ff8f930bbddba2fd061bb3927eef04

SHA1
5d7647de879937c2669e7543288e2e7d4afd8a21

SHA256
7e389fe72be35670e879b070b508089223feaeff306eb0ea8ccf7d887f3262eb

SHA512
10939edb35b7c6b2ab20ac007d26cabc35e7a83436630cb42ed88147dfb691a09bfa451e038ed53b777614186aadcd8cbf14962d7dcb03a5c0fa8d07f513cfcd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
f562cba74c5a96fcf9b8657f2aea98a6

SHA1
309693167c995ea6295d93e3f4c813bc4951298a

SHA256
876159efaa0e8721ce5ad1c5f429596c972ba85a56de597c012c6b96e0240f40

SHA512
9da38491d5c37fb5f5c5bf281bbac0aacdc6f460f850717fb142f25957a389de778343b86b3e38de966aa0284096bf4f1636959698411726998587b56a319afc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b249a1cc36e28198ea424fe32e4e3384

SHA1
c011ad80a93b663e33bc1c2b17c8020136d62410

SHA256
8e8507660105b7f1ffd88513cf15672c732dee4aa9b8ea280b95b67fde968353

SHA512
19e6b5be7d5f146dca5ea2325d59b110263839974cd7e3a8d1bf09547f2e6bc536a5107299ca8bbb53c4cfae8998ae0eeeecdc9349af402264eae8e77a45bf11

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fee0f5b3b8a6d3892322829680e64be6

SHA1
7d855f8761196b68b91c4a72e24b537bf836f9cb

SHA256
5593ac2e0117e06e428bc0e5f6f4691eadf04c2af91e886bfbd2e4b0d51efebc

SHA512
06c83574421e5ed18e9b08ca30534a85e8e8fa5ba80dc3dd8edb2b44348070db3b9f52c70497596b1339b50d4d100cc2dc2e28c88ef050e67f5a6a6aa3022be9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1491024879917c35c9c006407ebb373e

SHA1
53902865d3c724de4b558892c3688ba6fb034ccd

SHA256
415e7a9fc646b0b4c968571e41e6a3ee92df051a3489020b440da983924eb61a

SHA512
96f05a21ed0054aef8cb9e379229c2471e246ef73df0aca0abeb21ce7bba23dc600a10caa00a11eb114044e87a76fe4f875768e17e5840523efe00215987d792

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ed2a2f5c72a843396a2ad1a58fba8436

SHA1
c58dc36e8acaf5276b117222105e23d72a21f504

SHA256
4ad700762ac004084cfaed0d97f28921010c6e68f8feb22ce478f9bbfca0e985

SHA512
a73c3362544f94f207bd8156d4e3bb731fe409a0a6d1c403151c73328fe6556c2c7fcda8fa58342f133089d91666b22f54645bd7e082d80c523da6d0f669eb60

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6a735521b6a5ac18acc99fafd6515a24

SHA1
1e69d765e515824075cb13ea955207f9a733e769

SHA256
cfcdfdd6c74bc28bcbbc2bee9fb09221110fba2f9bf44c18c93cdb17c214b385

SHA512
5dd5cce533c8b8644ce526cf436977591093e7eb71434d56c27340e247f64d66c17e6d71741df8646ca37550a32b15b9925ae6701d02c59f43042979d20e9f84

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2b342cd6b654f86365189db3cea15b99

SHA1
2ef8ba7948dad0fe6ff065d0211f0f48535d4009

SHA256
0cdbfa3dfaf624a9482bdb4ea9a86fc41fab820237847f548f5721acb7a3073e

SHA512
3b122d45eb5ce96be3dec505d9f08e6f94c082239c7631412f63d1f196810f05fc60beb1af6308c248ea7e4d10a005a30b743f2382ad90141d5a847f082b9d92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
640aff92c439daf3a6fd29cd919b9924

SHA1
d78df4e7c13273c031a7859b13714e41333fbd28

SHA256
62ec6e0cd7b837a046dcfa9c869b19cba4657b64785e19a78a4c807995e09efd

SHA512
4fbecd68b3b0323e1307beb2afad7f6ec397238f8b352d36429273837bbc624d28f5217d28c8c7c07ff58b50d56371cf0dbe966ff1fbe69f64e82c17fbaa01d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b76f2bf6921bbb94e1a0f2629c5e57d9

SHA1
07418845b4ed9217a854c6d51192c00369827b72

SHA256
5e9573988e2227cd7af978f82b19d84db9d1b296a2619a0f0a78c843a21bff7d

SHA512
a0aeb3836e5a07d37ec9523da534fbc0e9fd6c0e7ee4bd982338f4dc2d4ef4d8ce73551645d31033d08e61a6e6d6b5ea97996e88cd1e5c76e293de24826ff501

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d89e3ea8216dea3bde4ac3505410a9d0

SHA1
fd463a55efc30c431f14101a0d6b7f3a04de3b8a

SHA256
25c3e1d6a7f474794abdda074cd079e6f17168108a00a086c6fcbdb2a7ae4e70

SHA512
da5e1dd881d23b98daf6d9d5164cf49f13fae5294c7028410ae775738af325bce90b04cca0fa980b5d17226ba5059529e46532b6e446b242ba9fbd749e1275b1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f7d66b8bf6d030fd59677092115c5745

SHA1
a461dbcf031c001886ab8213c576d5bc89fa9433

SHA256
4456850f9b8d3ecbd3fd642c3544ec71c690702142c085c8989c04dc8d6be9cb

SHA512
b0e287c6df611765d98dd07d52de2129784d9dd0f4d967e95425a204bc28ed02029a69950eb3258c20b0afa30faf3717084a9ee33386b984dcf6d2eacccb1571

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
831ce67fdf58c8e96438ba7eaf0f38ef

SHA1
4b3d1a395b0398f3c6b3e1fbe57dccb8a4bb81a9

SHA256
85a239421c64f66ba230dd45e822c239b99acd085d57234b95751c8362b26505

SHA512
fae505a1f76d06d82f3aef4026dd7277977ec36d5221db0969ef6a61ad8915759d28936cfa1ae352d54a5e02ba461518cbdd5f10b5b1362f9a5c36f8af5155d9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1239a1f1340bb923fda97324ae1f8adc

SHA1
c3a6037a115e30e64a8c49a7c8d9abe08d6f6ddf

SHA256
fda39a999c5543c527a4766a072fced0ba5f5aa26292fa2a2f036d47271c9527

SHA512
cd9331f3642c919308be5ed81a835ff6bb413be880d3db015820a0ca13d21e8dd11d76fb62333c3c56cb00faba7dda5f7877dbe363efe61355889d78da697f4a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
fa7ada41e05251eebc1e0c6c94e46363

SHA1
95b16f4644bd1bc09e34180a437f3284b9266bcc

SHA256
cc42eeb271a51345eba412b29e6b2537dccb1fbc94fd0e30533a7b9164c21b2d

SHA512
6b8ab4cddb343c9f74524e026b1a6922f269560583344bd4946234ee70e63fedb52d0a50e8817b980d7baa0807815522623707ea4a36a6c18ef91dbc6534d9e0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b5a65667c07a371eec2325295c4fe849

SHA1
c54ea2a97a82a99260521004620784196119577c

SHA256
806ac02a52f4509eb191018415e7b528ec62e21298aa5b437dda7dadeea98b58

SHA512
b28d782ba7941d6d449eea9b6a5dbc058bfba15ec210a4a6de97557e5773b93d0a6181b627d6085e9f4a8fee6061bc3bbdd95970dd599afce6d9a155a25dae26

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0f25330fe83c67362139bdc5f153490c

SHA1
9b1c7c7ac99735591590c3fb1764e297d7066e34

SHA256
064c9072f383a47293160610c9ff4058d7d7c6a91597647505b10805b7078608

SHA512
e90c3dea328e3060567c38a5290dd33028fa68c27d85224ee8137def5e7502821fa1102dc2dfeaa24ff788dffa1337447afece60d7a7128a2a9646f01f1bfa35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
64eb5e739fdd857e4e62ae566a2ec676

SHA1
573244be47f8f3f9b136273e763bf091d0c9eec0

SHA256
5963a96065c43109162d45cd06790a44cab78a23fa0e9734c970d4329b153c5d

SHA512
8f4441e3f25080ec9aeb1b24a301044b5eb9605fab7659d1b4319a8e20ecd5436361f0c2b328e69ae9e5e7b833c2f1e823d6aef8d1bd85576c477cf407a57d09

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2d6995a3e167299d66e32021e9bf875a

SHA1
922b27e8d8d8d1f1984195d4439c35928d9a6d21

SHA256
19b821759bca51a0ceae0d880b7935e7349a0ee92b4263c22be20fcc71dc6f92

SHA512
a5a06f89c9d2af7faaba5160d8eaaf1651481b4df9c9563c3cc018fa44c19fc73a016e016ee4b6f8d3bddcdf7f98afe3b82dcc2eb06b51473809ba258b25681c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d3b2f9eca4e43168eb9764f03e9f6f88

SHA1
862a1710bad1805b8c6b1fc12e8efe25e3161821

SHA256
2a0c5379caa0d0ade33b4496fb30b2290d56e2d96c1bd4e0d4445f252f5a3da0

SHA512
222b48246d02d8d890b6da6ccb69a103e50baa9314a41486e2bdae81a17fd7ff2ed27e951aabe74f9c02ac6a915c30e44a431dff6dc68bd48181a5767e0a9ea2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0aebaeb01e4e8b03b427da7c6290b10e

SHA1
7b2743aed3c39af564445bcdf3fe07fa7efb63e3

SHA256
afa22240d5e72063606e86e615016fc90b79aeb03e1d0af3afc392cb565facae

SHA512
b26f3abee4c5eaf5cdb4f94688f7bb20d13c0fce1febfd3d9bc8e3e02922ff2e6bd0f898e4b283677f59dc491a8d4dc5bd1ec5188485100e173e7eb9b3c714a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
7218a8c8dc6a07d4337bcf4918a3b50d

SHA1
ae2f10b16b4d9860a11926036c3ccd32bfc418ad

SHA256
a549b17936656e874e8a010c6594c99203b0272da8a5a038af084acbf01a2194

SHA512
d48a01cd3db2d7ae7d866a56982d8e357886d27f8bbdc53612fa7ffc24be0651773483a6dae21f579410d369f651ff948136b96ba5623f06d743db7d0d19f659

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cb351af9758ae79b1473c5a87367ea32

SHA1
372c6c5935d9a403ba257b20d21e748905f86921

SHA256
9977cc15e556e9266803cc2c85f3bc49299e962a6ed003a585d13c205720f2ce

SHA512
d1c3614c9f6c218ba79f0b046bd87573b5a7cc84057a7ea9e914233cb492da40a31ff473664905c93498b752d947a4decb75b4754db5a9a126c247ca1b7e4849

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4fd0b587930e76976d57ae58342780d2

SHA1
af3ff25b10674be1162251f5b9f9ef0b3bf16415

SHA256
b641f0ec4d3b0106b4c8a90bb27492f3f06023a3a867f107e26ff82ac9b039f8

SHA512
2d5a272ee6e282f943f955048132adf313826475271c756ae79c5d5ea67baf7d8bdc656149a03330ccf266dd7bb21aa16f07c81ab99ca0cafedef364b97d60fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2305b992d1e941040a868e759fc49452

SHA1
19abc36477a612583da2861ef0386f1ff489f89a

SHA256
5622bc05e322d90436c745e40b80b88d20cc03bd630de2ca6bcc217da52d2c5e

SHA512
ac90e034cfc9efce6bf50f587cf544d03e959fd8b3364ef72a8c33b06e7506438512f17c0d1ca166547c9d0b4ceffc42211c3b8e0b3ae89df1799e84cb51704d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6791ba4943772e2416903b2806e34375

SHA1
e2968f236827497bc6c3208734e91e02986ef79e

SHA256
e1eade19b26c86e00e216210c376f61f9b1e0931bdb3a0797e1a7c186fef5b8d

SHA512
48e59ee074fb880f2762c8d1bbe1ee63f4369b190dee2f298cb1aa0764990f726d0ca44702d7578e7df8d55e2fc03fa725191422af313115bf6af8a4c3f9e846

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2daf959d91c40876e2ad88805ed357e8

SHA1
fb56e47425197c72a1bd0c08e3359662071a0b6d

SHA256
8d7bffab2d2f5710756de897a4fbb93c498178916c71af4551a6852d46c782b4

SHA512
98fcaedead3ddd128974d36d5af15144a06e6396c26b6cf4a18d17c298008824d4bb072cca9935e4703eb97dd0f1ae77bbb6ae559ebdaec2c3fed0b3627b4840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2e789d4eacb50cc8feee751b4d7ef510

SHA1
ed2e02607921dd51d6d0cf55513c0d54f817dfda

SHA256
849329b78723330f3b756b3bc3822825afde96c57ccfb36ca182e4689b998625

SHA512
6429fc68ff82be35bdbed96377e6c25ac3a5186541435006cdba8ec0c8459d1e3838e042177a40403c30cee4c38b127504081da7c0185fd4f500693204cfaf30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a823bce04bf1ac0b2d7b6595f457d5ba

SHA1
bb83882979e9bc434f29e371afacc1deae588ebb

SHA256
fe107004768386c5f0c93057ed68e1e730ad065a534e67bb71c0d70abdb7556a

SHA512
8cce2dcca1d227fd35d5cfc0eb90662a0abc90e330aab496c900c1d4c9a428e0bf4ac855029e33f31ed2313d2cd4f31857196a5660001ccf3050565d8dbcc876

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
613ae69cc2436e5d6ff2ac68382c5872

SHA1
18e393eefd988fd583cb3b4291e42e1ea79e6f80

SHA256
4dec345a1fd016115f9ebc42418fe4af534d07585f23ff50cbbe7b2fb705ec7b

SHA512
dce26b8683821e976c30710ffbfbc1e67140f68bd764d40bc82e341d2f597e2b9c30f694d0218746657e0997bf278cd7e5f58b797211c34818b0fd075b5254f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ae4266b50fb620eb7a2b8f3d4f4d6f4b

SHA1
b440a873c2fb9a38f26b232edcc07642a32ef80b

SHA256
f0fe366bcd1d0deb1f274db1b98ec6099a660cf369b4a48bd22a100f9cfa8146

SHA512
3dd3ba2f9c11ae610a4fa6f75e1ee9e5fdd1679cbd51813990363ceac764733ca6742b1239a0fcfda720567886f30d1af1868d20d5729b4c9921c0ed8b593b31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
105fa48fefd0ded058298a7953e0198c

SHA1
c2a45227a7d8a997e506ca8e5608343443d92faa

SHA256
8ca8c452129911f902e15e4b896126f45c1ffb2ba607e86d3fe62b6ecd415070

SHA512
05d7a3aa04d542750f8c3d906ea3a2cb9162b8fa6b234f82d2f0afed63c505c1e3abf884e41a572a5f0da199a72d156bf55857aec7d19a94b95eb7f5c0ae80f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dea455f8c41dd8f2e792589aa6b6866e

SHA1
bb06ee1d1750c5b5849f4de37acaacf46ffe5c06

SHA256
8ebf5ecc140ba574239ed6a1146aa42680addc7c57433056d65d95897d412e34

SHA512
ef6b9e3e1d13eb0074f159bd105656e81e28840005dc4011253f76b9b3620db205be42cdde009744aced57582c3191221d52f4c042a999cf7c22311e5e0b18eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
37a5bcfe0946feea028de3b48563eeab

SHA1
6f34780d9aed3197c94ddf5ae1dfc1cd2c1266c9

SHA256
038f761f080ac8b03bbc996957dc1dd0daf35beeb8c3ac532cd3084f25a56811

SHA512
e54ed24d098e856176893bcc65e14a5e4f4bacc5d89052ce1c15a6a61374e58ead972c2dbe8ea2881c9e65a0245d7abdd969bfc915b2cd31e7e3e6332d76a4ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7e63993076fc9e63204eddd4d2f4df20

SHA1
63c0da72df0d8ce399022c0c0e168ab22a0fdba9

SHA256
e56a3cf703fe429033fb41c7bef2ceb5b05a38c68fdb25dd04a38a986fe8cc17

SHA512
c46fc2606b35df16917a929490b4732e6244b57523be153fe8061f90de79018a8d26180ced6252c6713588f7ad884ea10449e5d5cb1ec02f4dad91ae7453da7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ba8aaffe2cdac8f7243ee259eedacdb5

SHA1
0386860553de11375341093caa5e1220e05482e0

SHA256
65d5a8b7ff83aabe46e572a4230c5a7af9d5c56efd1f0a6337ae775d563bc6ce

SHA512
aa3a73b5361b9f6ab50f6acb8fd9a5308435912b1bfd6d1792e20dc27aca9de98b5337bd30bccda9ce31ed10128e6c2f342b4965a06cf4d2f9db34829e4b6f83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
55f8e8d877f9c19e6c5405f674b19e2b

SHA1
78870d160c15ebc6da5491dda5df4d7d9aa2a48b

SHA256
82b92c39e8cec4e8906cfb0c855009a05211a5b11e5505759aeec7a9cf8bb1c2

SHA512
ddbe2583ed60adc06f019559d62c242d0785d384942e7891007a9e4db64279db3d28d4f56747973baccd5fc7d824bc60dd538f3339e419bbb633bc541e33d77a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
b7a9c7d75e9ed2e7b6040036fecf5cc4

SHA1
c4d31ba465b3e8bc4a3fb76e79554a7e2f9f57cb

SHA256
277e74a6364c21d317baa9f012a071f71cdaa382660fefdf6546b6547edc2cd2

SHA512
dbc9655dece137ee23a8aeaafe04be5f6d7602fdee60b13b5c9c72bb9c3ec13a59ae3cab1f2fe20accb76ff67aa409bb0c1a41be8fce1712f43ac399cd2147dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
10189103a2cfe03a9e005c6b32797bcb

SHA1
5e2a749b1953593345b524491d90c3c8cf721c27

SHA256
17db73483da01fd987d3dbb01c8d947360cd9e456803786db900bb16663d83b1

SHA512
39ed7f9087c89310c546fc82b1e5956d2aa434f8adfb40b8f1203413cdbb1a5bd5e66603bc6313dc00c9af6af6bb22d701566236692de7e6db514ca6a98cb365

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
a10cac2d2351a79dfa12e2216c7617fe

SHA1
82df51c8dbd5f0a3b69c93ea125d4294af567722

SHA256
b1cfe56bf8d99a13591329a5c0abf69aa6e0f28fcbdb336a512d4d15a5745e6f

SHA512
2b535a83769e4a970f23bdd0ed539f5d2252f251078e5a0eb1544b8acf93819d14ec30756b9246ffdb642babd2f2ad3e0ea03e1b0cd2260e7735d741e2c4db3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
a03c5df189e55ce4a941ffe74f0b7c6f

SHA1
fbd575c15ed9c223afed5b00447277e16e5d5eeb

SHA256
215649977a02da4bf0fc59a0a49de732a3b97faa1e66e085ab49d5892cbb18de

SHA512
e183bd8105e32559fbcced2e104de15cc517e6e9d48be87b3e43fab1300985b3368366ab947197f78f308d5dd9adb8ae5ef16928bd00d443018ec7b77f7a1615

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
f597d0ee0c840cb8f3d5bf5e3b44920e

SHA1
66928bb1d63273360bf9ca6f46f26ebe9e150705

SHA256
6c0d9c6277b248f1e91854d6baeb2392af6ced620dbe023efcee77d1b3832a5d

SHA512
2b890a7aa2734720a10b0a6d7ea7e5002b686094de5025e3c3f3a787802584bade512e3fd147d9025f5525bbae4da801985c03d17a4cc871c7156f7484787d84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
fa9699c25bdc64c84ee5b26ffb0ac94b

SHA1
f9bdb4955a4ab5ec5098ec0791b97c6d160367d1

SHA256
9c35b7b92869716ece9f62588c11ed9fb026a9fe5d40d9bdb3704c6e230e961c

SHA512
8b24f39e17504590acda26533ae4bf911f69156524611916acbcd218ce9164f48a575fbf0161f2a9b96e40f1135063dcac10813ca819f942532c8f9399c48cfe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
3b121592e3db825a1824629b6a4987ec

SHA1
b56f17c5a74cb16d0c1ad5319f20d5525f332002

SHA256
45c1443c1551b042b8fc0f43ea6204e99434a7af0dab05ce427c08dd7774a5fd

SHA512
fe2012748ac417af9a3ab1c76c309c8edaa6b8ba6f26f8f8167bc377c45e39ef4ccda20213b14bd965fa0a97aba0c05709bfc30db012f93a8f36ece72fca135c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
703975e000bfe860135dd509a3b44718

SHA1
8cacd011be06dd21457f5a3c804b5feabf8327ea

SHA256
4ae8f50562048da87495046a40bd8c0ee857929b32708b2fd78f7a654eb036b0

SHA512
bddf5b508ebc7d2b7b5777a833799a347e051560c5064bcfc286fde2c23b088227f992f5c8f95cae2b3b7098ca61b956df31dbcc995acaf6d5140e7c043f09f8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a7438807c89bd87be82bea4384efcdbd

SHA1
ab19ad0186f93adea95cf2a1de3db256229aabb6

SHA256
428f731092fc00c53b205e6ca5298986bb4a2f405c829e98d2a34936b3fa3157

SHA512
802c57ac17771fd6c15c87edf6557ca86dea31cd181ff517376ef480adc023b0acef7933ea0bd808140167ab15da47c5c126109db0156411ca762bda7c7b86e3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
210c8e10298099985b5d724de2a1b7a1

SHA1
a8a73b003c8e95162c6e4b167a95f15861308ca0

SHA256
4c68cb071024cfc0532d98e98bff9da4f30cc16e21971bf799ff26c67cd38fc7

SHA512
f66db86d72fae6f2146712dd56758ca0008ac30d9d895b88b23c2dbc0c76a82b6393b6d75142fe3185a35758982290f1358f0b001606fce4debfb325da8cd791

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
88ec9fa0b4cdd352680d4d30f88280aa

SHA1
78d74444d889a139e9f88ff4415d0c2c9b30a348

SHA256
f51593dfac6caab061cd3bbe0140df21502936ec4da3cde5530e42a9f3c09fb3

SHA512
3d55343b9d71ddec828819c5388bc6103d74f06ae7696ae6cb259ba253309539f798ed24eb8aa20a6ab49c6a11a419b2ab23bbb08e0dc6010dfd05343ff7abe1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
7df2da6bcebfd73d88a39ffc04d0deaf

SHA1
24f3a9df479d11978c362812132c3d28ac3b8bbd

SHA256
f5a7cb8ad582a5ebff16f8ee4ad6a8d09d779073f86488a53e58642bebc41eeb

SHA512
2b9f63171d99e8fe8b001559ecb3c3fd275efc978b8b6eea8a46aa52ea9f4f600db07cf9c57846f4c716796f22fa18a09a9e9342293964c4a65d223a7bbabdfa

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
48b58aa1a7c9ce1be7cffd470e57602e

SHA1
00b774be1768e8f359366d8607f98c49b4f6d6b8

SHA256
54deea664001d52c9aef92554209b82233f1ed9c4d4d1355cd97cec5bf5873e8

SHA512
7bc43e22a5de235f576a0a84c731bd8495d80aaa1768e4561c56695736ffe950f1c9955b85f9fe9942e2e4daf288d1e5bee326278a1b3b2424cafee8c43df523

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9d5bf64834492beda0eebe52bb49c057

SHA1
5fbc4e02d1bdbe78adaf7995f762cdf987a42fec

SHA256
5472d761539783bb011e0f912ba8c5568d69fe763722fb4f2d0c1cad4189af08

SHA512
d2ea0bb52cda0c3630ec0b48f8796b9e39399f3dfd44f8b372d05bf967238b972a4a02ebaf09f77971f482bf1c7b824401e8b758f0369f634ac8397c41543c3a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
28a6c5bad75abe8759bc65e48c0fc3b9

SHA1
38b39b2f1504d117bb4af0b661f1caf79dad37bd

SHA256
75987c9c8d796eb7de4d81271fb06715d48db2d5217eb3b8b389b24393989bce

SHA512
ee24e0a402a1612486b22d4afcce0c3b80b2a0c8db9fcdde6570ab26a8c16a92acf385084d430b0f7b252a75668b494cf7bf678cb4d2168c44efcd039a822919

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e5606f7e42eb266021b0b5bf0946adf2

SHA1
3bc90634603611107e468d852fba44cb4385a074

SHA256
c093b1cc517c58bda064091ea914d593ece47d69dfef0ee3cf85f420f77a24a6

SHA512
32b9341fa3006909d25ad41daf95c6798b9c77d4e86f651d8a7ad84df1dc7e9425254712ea9edbb37d5b7703fc54f410a1ea198d4aade24644ef7d5a28be86d7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
15731e047f07c9b6bd8f7200f9d715f2

SHA1
523f835dbee435d55c9885f507267b813780ae81

SHA256
a57890a8d75ab49f008dd6a31cbc8fdee665bb0272a700d119ae2e2638f07359

SHA512
8f836c5afca5faca63f581266b011dbc7597599395b4be0f1b1732ba879003dfed46c4e8bb0d90130cf76a72c95a4c95d2dd0052bd5ca0616af7b1944554f171

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c89c888fb951061a8fb951f99bfecbd5

SHA1
c9357bb35c6e002feb63e3209a3dff4a87ee25d3

SHA256
783e2398a3f3d464c3a08d01a9c91a9d3e5791273e57427ec9ac42efa935074a

SHA512
a0fb2682dd5a5ae0281e203b5102254ea66cf5f03c58a4cd2ce83185f7536fb5cee853bd806377c755305f3b233725d1d168a1a6627a082cc58504dabeff4421

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2876ca91f22ed6715c925d70ca2117bb

SHA1
48e3d84c4ab4058a27f53de76bce5f11f6a28a1d

SHA256
eee6abeaf8d132f84433841f5780cf62ea25943fdc713a5bbf26d543ba010ec7

SHA512
b3f41881f39b20472436adf929d1b05d1defb6b0aaa2e75a9efc920f8f93c615f1c31f0c3f8b3ca6e2f95934c348957c23a1563217a3e0ed7f71730adc0808ff

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ed7795a84452664035840bb7d6b77925

SHA1
cc33f19ce08a3151ee54cbda7b8403407d931945

SHA256
b321b6b34ad90394a4142f54af33c1d95c91b7c231ff380d793ac49f05980293

SHA512
214f24ff6ada718b5b670a97e72f4d8895364b0e96fe6f8f0d43ea8cc021e24f658ab499f19936187bc01cda179cefe0c477e34a751f321daa905cedd9871b19

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cc082ec4303bfe55daf7d1f25dd1192e

SHA1
9d7f6172b2a61622efbe55315d19dfb9352f4283

SHA256
fd5413107fc422a4d2764cdb63309594eb62a85eb653ba5788bc9e0ed0d08215

SHA512
f58cc4c8b648ac6f4d97fe24f555f3129653a5a1b65711179c11d2bf2d20cb4232a98578fc9607ad167cea2b16f0b57be5d76c4f5636d1e5d2cd98a757f6f6c4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
c27625ad7cbab4dfaa7aafd73662c92c

SHA1
7e294e637d33b58c73aa5dc368bf0d8575e6aba1

SHA256
f3fe2e7c15beac0aa242d0e199514b9ffdf7d204b64f90595ca76b58b0fe7d64

SHA512
067267ed03aef2863490ea8f1a2e7700c50de691da5b5405f1bc29e3003ef49cb1b2bdcd7f5d223094ee7210854258348e93697808233ee2629b2338d5af65cc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46abe9575c7a2cf2fd76eee6efb08b43

SHA1
b867d99e082bb3199671bbe554b19a4e67611433

SHA256
85e0a3829491c9c4c358249caafa4d2eeb7e3ddcdffe2025c07a806f75b8b0ff

SHA512
72d591e2d6c93e9d0761269d61aa89b4d268867cbfa082b83ca32fb30b762221d8cb039458af10ec8dbce65f9ba70be395b398992915e1ccbdd7c3523affbfe9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
873120e2b84755038f5a0464ccfe2b78

SHA1
2f874a975ae0c565678290d121504bfdf8f364fd

SHA256
7ebddee2ecc4de803a0dfe1dba7836ea1c438843acf2a0f35ff0f3ebda9df06b

SHA512
5cc429644e7733eb3e7e1132f2c67d675623279b31f31fbbde660357cc5afb082d92ffab80f57886329d746e1fffd6e0abd8f3e5212d4290c53074b442ae7673

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
476933272dbaaa94cea9d8af93f51c55

SHA1
41771d0da86c20f300992f05ecc63f1b01171588

SHA256
d775259d41f9db12fda84f3702080b1157f7efdfc86d90b6cba8063884569672

SHA512
861a6a4e9fe45048a6603973b724b646804fa929fd9bf300d0769120f86eee1ef1654034576ccb85826ecafb22b4222d5e96aeb838b43ce47d8da487dc6bba92

Download Submit
memory/684-317-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-446-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-578-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/936-584-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/936-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1028-10-0x0000000140000000-0x000000014010C000-memory.dmp

Filesize
1.0MB

Download
memory/1028-13-0x0000000140000000-0x000000014010C000-memory.dmp

Filesize
1.0MB

Download
memory/1028-11-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1028-0-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1028-6-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1648-352-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1648-579-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1668-239-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1668-64-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1668-72-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1668-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2020-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2020-256-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2020-270-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2124-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2124-39-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2124-238-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2124-48-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2204-340-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2204-575-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2752-580-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2752-364-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2824-413-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2824-296-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2920-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2920-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2920-234-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2920-23-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3156-375-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-586-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3324-426-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3352-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3352-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3384-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3384-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3556-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3556-306-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3672-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3672-447-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3772-28-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3772-35-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3772-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3772-29-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3788-401-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3788-282-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4100-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4100-585-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-269-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4544-389-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4572-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4572-51-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4572-70-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4572-58-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4572-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4572-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5024-251-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5024-363-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5024-245-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5024-244-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download