30272a85129992962333d3e558077da7f72f14593bcd979a8adabbeaa5874dfb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Size

1.5MB
MD5

6746c63ee2eebbece4804049c7abbcf2
SHA1

a9883f3de4c41aa2b7f3310342a195642153d729
SHA256

30272a85129992962333d3e558077da7f72f14593bcd979a8adabbeaa5874dfb
SHA512

8a476a44e81561d1067a062a1fa013e47cdbdb44cb49bf56be43fabf7c97e51bb87e9b3dd352e17e9239e7b85ff5518734f44fc219070b964b227c94c2e50f99
SSDEEP

24576:J3oH6mhNF4Xx7AmsqjnhMgeiCl7G0nehbGZpbD:5oHRFEBAqDmg27RnWGj

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
2716	alg.exe
428	elevation_service.exe
2020	elevation_service.exe
1892	maintenanceservice.exe
4552	OSE.EXE
2880	DiagnosticsHub.StandardCollector.Service.exe
3972	fxssvc.exe
1848	msdtc.exe
556	PerceptionSimulationService.exe
4564	perfhost.exe
4860	locator.exe
4864	SensorDataService.exe
2732	snmptrap.exe
3188	spectrum.exe
4664	ssh-agent.exe
3596	TieringEngineService.exe
1656	AgentService.exe
184	vds.exe
4420	vssvc.exe
1900	wbengine.exe
2220	WmiApSrv.exe
1208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\75ece74d240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056298a5504e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8fddf5504e9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab10f35504e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ceaeb5504e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000174fb05504e9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ab2b25504e9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe\""	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe
428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3236	2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
Token: SeDebugPrivilege	2716	alg.exe
Token: SeDebugPrivilege	2716	alg.exe
Token: SeDebugPrivilege	2716	alg.exe
Token: SeTakeOwnershipPrivilege	428	elevation_service.exe
Token: SeAuditPrivilege	3972	fxssvc.exe
Token: SeRestorePrivilege	3596	TieringEngineService.exe
Token: SeManageVolumePrivilege	3596	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1656	AgentService.exe
Token: SeBackupPrivilege	4420	vssvc.exe
Token: SeRestorePrivilege	4420	vssvc.exe
Token: SeAuditPrivilege	4420	vssvc.exe
Token: SeBackupPrivilege	1900	wbengine.exe
Token: SeRestorePrivilege	1900	wbengine.exe
Token: SeSecurityPrivilege	1900	wbengine.exe
Token: 33	1208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeDebugPrivilege	428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4488	1208	SearchIndexer.exe	122
PID 1208 wrote to memory of 4488	1208	SearchIndexer.exe	122
PID 1208 wrote to memory of 1656	1208	SearchIndexer.exe	123
PID 1208 wrote to memory of 1656	1208	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6746c63ee2eebbece4804049c7abbcf2_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1892

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
1⤵
PID:1008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1848

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4864

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3188

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4488
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
da588ae3e910f30e36af1ef240432ee0

SHA1
ef9a17fe3184a6afb31a740eabca9e533d550ad3

SHA256
134e2c756b1f8ac09f93a3812228ce5c0562394fcada34eea0716ffabdb3a76b

SHA512
4bf43050104071a22150be6f7cd9faca1c780100035d9c27490d2d62d054e63279de5385e026270123da399411ee5c084d1d46584fb6dfeecadf4fb062418cee

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0566ef3126a10d120ad1e7a2585b11c6

SHA1
7440168063238fe5b0f0f7c65ecd88869901661e

SHA256
96b4178baa3c2743d4a11ec53a4530f9c4cbdd70fd51549a903f722cb99b196c

SHA512
6ecbd47c2d5dbdcbd982e3211a1afa851ab29f1334519b81ec25b198fef80d0a70fea6ab741ede62bf0c6d9f54fe4bb518fab444c809425858c7652f7f16e42e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
e44fee69fc8817d7c3bf87d0bceaffea

SHA1
d7e070dfe59e1fe399c1175570002e5b41b155d3

SHA256
e3cbfb7e565d95e155e476d7aead2d8b7b9897532a1a07e41cf3c44632014822

SHA512
7cda162e5fee573a6b981c0603fde306baebc6e55f203d47c0969ed28d0804a761526ae9d50039d2d17d0f1e608805518cfedc00a25b7ffb87451bad965912c6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
37fc161ba9a1a628b6d4dcdfdddde323

SHA1
cd1da7497345aabd0441bd08fbfd202bb0532644

SHA256
aaac39a2acd44d4b8779fa65fd5f22b072ba38713e41701cb291d80b76da0608

SHA512
3e3eb81546e738ff45cf4fc4eba3de31068d7092deeff2c9964d7fed48e594fd72a47f779eee8e3a44c493bb3f042b0c22c7315e8ffed0ebcef7f2f645d07c16

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f976e4d7eb0eb1a7b2378262b1b41282

SHA1
c357a2c48982d7dfaa4fa6f3dd59b689be41e2b7

SHA256
69397ecd5be814fc02f76a8ad538249e9cf84f2ce19db62d12f164db8f28d6be

SHA512
5bbbae813bafadc81636706b936758db87465b97a8fc4557c6e193afed7dc7ad420a57bad393a0f7a02c34ede4c4ee5f8515dd3840fa130bcd556bb0cb8d9df6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
22253b4b2e25adf9f326bfbfc38038fa

SHA1
16da661b4410bb8c9afa7605f75e56cb662660cf

SHA256
b1e5f8ac047dc8ca4e93dabd4e84519a82c159b46aa6f5c5f4d737e1e1a47955

SHA512
8e86a0e3e3a6444c1e7220592a7876d18bc948b4a58173b2c9116681dbf3464aaca72feb40a58104d3fd5ed007b6460d97fce007d51aaf0a10ee59c457bc56cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
7350b64b4cd4da22a716b8ec582d617b

SHA1
770371d0a50798e7f319d868b9244c72c64dcad9

SHA256
7a90f475d9c01f8a4bf8b7d455192b16e24bb1b0f2c5ee37b91146ee2a573ff5

SHA512
be595c98b80c6947b9fcde5ea6bc215e28210597a89410b7513d2c19f1df86469dda446c7ca06f5a1c63a638f066d41a4bf1934a34552a62538d8ea9825b0feb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
94bd0011ec2e3652cfe5b8ccf79e256a

SHA1
056315ac0a72949d15c4687da7aaa195c7b76327

SHA256
e7adca5fd35b11d349bc4c73d19d83dae1328ce4ed0d07191fd89ba5ae21697f

SHA512
9b44742c2494f3445c811a642655ca37daea7421526bdcf253d22a8d8d06a9760c5acf36acd4ff5b66be3d432ac767fd68233c4900132b68c9713d8ba4df0144

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
38a6fa5b7f35ed042b341b84b81f18ab

SHA1
85aa555456bed5336ba23a15a9a26b756c26420b

SHA256
7072a1b6ebfc4453d6566273afafc0b8bc21aeaa3078ab10aaa2fd1e4c1bd4f3

SHA512
df0e12a50b7fa625e37ad4874413c5f4d8ade78141f08f90845b77708e7df771705626792413f56e732216cb49be891c597bca5d8dd80d2b8d2173d864f24aea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3a8e9ed6cd36ee4be96fd98d27814f03

SHA1
e7b8924a7df173cfc0d0cbe068655118e1f11079

SHA256
d18ec1f4a279df01b36b86dea493fddd82383e666077fe99bca3e51aacdfc826

SHA512
adf9463b0084b1d6d7205c228f9473af0c5de9b2beeb45b38ad6407bcff5351d6174b58691856bd61d2e1ca29c9796593d23f70c028af2ad869aa4f6cd26c183

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ce432759eab784f28657c06eb601679b

SHA1
e7b116e5bac48750cf34784660ed53c41a9fa79f

SHA256
860eb5387c149f2deac252cbdb5ef0e7b7864594c2666526fe90e51c280cba70

SHA512
e92cee1044afdef88a7f3c73b56a2d4c4710cea0aa83172bee54cfdb63a742264a27b339d7431dbe14a7df8817dc86d66eaba113e6c4861a6f437fe561be9335

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
963802c4e30143819aec4c1eef298020

SHA1
65ee387ec94113a68eac2c8431fd958101b823bc

SHA256
4552573921d101657fbfe1418a8a2549628ff152aeb340a9d8f0a5de3067cf32

SHA512
f6c3134e32050b9a0c9c963370032cd23f5512304c80be99c69837fd163936d0aa9fb629065a597c12433c1f9cd4e30fa04d649dd333cb891c3e04726bc7cc80

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
9d7ba795909676b9afab55effdaf1528

SHA1
8633df31aaaa4e03b59a4fe2aa906e37d664092c

SHA256
a5ec1bf929030450bab48edc1f99d33e89ba785d70999e62bb6d8507f6e80aed

SHA512
dad88d7750ce50fcdb4b48cb009728f8ad9878c2ca0c1d229f1994ae00905735de4565c8505cb7fe162b7f41964059a22f7831040841d8d4a8a4ba8137e5e33d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
422f4e21432e0c591fdef09cd6f5302b

SHA1
321483c2d9259ce09669c9262449dd949327347b

SHA256
c948080d30956f38d5ac748010894b8d3762a68fbef576cf57e62a188703d645

SHA512
8d7e8d4877e2cecc67cda2bd7cda1e2689a1854132e157ad9717f1f616367202175835fc95442d926d0fdf566ad110ea72bab0455a0731f03ecf8c44b1d11d11

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
148d0fb296599c3596fd37f69a4db20f

SHA1
9bdbee1800fe090f52f01851e83fc4305137f378

SHA256
56edb9ad22193b8f1239ad0a54cdd471c48cfda4b093cc8807b874ee832b5929

SHA512
a59c5fb804dc13219178427a0e96b9be561eb5b357d1809acfd656307a1851a89adddba6c4a64e92b6971664c9cf007fdbbe7eb3e4d22badbb1bf055fbb43bf8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
bc84e3b53b2b06d712335b9a7042739a

SHA1
091937dab34385ad76d920007e8e2839da87ac71

SHA256
9d8686e20554f7d18c637d15481dab7373466f51b17863d1cdb25ca6b9dd1eda

SHA512
7a63ae5ca26e231e68b70d06b3a80c235d042859c3a0afab79fb6fce262b2e41a2cada366d3400f5c714f6d764329ddcf19a5e459e911b174f85ae2092cc8045

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
416ac26cd3d564cae5a4e84037a2fc1b

SHA1
e465f762e0ea2ff9a1937889540d41cb2f22dc03

SHA256
6bc83ef0ab5ed6a59238f7225c91a48067060087c83db9432dcbd0707949ae91

SHA512
545f039247c2b4a96aa29e11ec2f03a2f1281397b6259dd5483391a42728d65cdc7632e1eaf1f0e45431634b1ccd35abddb7cf3651f29be55e3233793f436bc7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
07e4d088f2d8263f16b63cf4f7f214c4

SHA1
6ba8e6774f1465bdcd6db587bdcbe89e153d13fa

SHA256
efcc1713269c836afcf7720b2eb2d9e5afad9946a45173cdc14b81b4e3e8c417

SHA512
a2f2d30b8e4d5ecfb5c4e677b8bcd8f07442114732d6a0cba5cabd2b1ace0b87fe480e0aa76f4c9f3bb8ef3cf8090dd528b830249e9def981de36a597f4e7219

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
32db9dfbb1193f5ed5c6ad568be172c7

SHA1
c190960ef43d460ccf647ba72656a31cd4356cd3

SHA256
6d737c9d8df8cace56253d5894ad28565ba444ec11a32f6b5ff0ad9e41dc1edf

SHA512
eb66c290ea78c5c74e693ce2b9a6593836ed8fb670fe077430c676cc104fff59e43035ec934d8fcfad4da41b92a3eb35b45888edb0116655023fa885b003cdf3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b7c9576542ed3a6fd6d207409e4101a1

SHA1
4b0460328ab5825f69b61d0b50e54c7e89b26c6d

SHA256
7da692e329f4b5e4bfac223e17709fb2a1f06a97f7809000835896d416f1ab5a

SHA512
0b58c11eb079e0b95965c4ef6941dafd7fe5120821d6e3011b8c71307bee5a085f5b8f5795ee687c9c047479c7f28c9f19a90567dc7e1499f211c6c7b5f567f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
b737bd3bed18b965d03c0b854a039445

SHA1
886d2f64c014186618e0fda5aa73f1be13acdb22

SHA256
0ddb57c71288459635ea292a57ae7a5f363732e71cddb1db1429e1b89de6b526

SHA512
590c054fe61877e4d2645ebd6097bede900d935b681c4b60906f268130eb0106797209f6c5beaae13417f69a91bf694597189b60a7ef58709a4524fd2ab81626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
c930a2843dff1adee4f7108ca7173bfe

SHA1
ce719c83c9b6fa4994a76e2ab8455c37aa3f4020

SHA256
238c61a5d3607ae2735402103114c5a918bbef078163a3e2f08f5450fc9ba8c2

SHA512
28736c363dec8f10c97694298fed5fc9bdfbe2352e81addb627ae5942b08c7365186fa53ec096a541c0e13b49b50cc1e22d442e26326f2df403a3f2e96ec3171

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
ccd1a639af40c419683ed5782df52531

SHA1
f6b751ce4c09b4ce277e5a3d2024fbd510d88bd6

SHA256
d05795d78f8a580049076288105111c958c9f33646427a5946c7f107fc6fa5d0

SHA512
176f31e695391ad1ee508ca957b73e8baf6492ed55486bad352f4c2a5c84b8d352568cb00c0077fa198a6d62f2040f9a8e8a0e9214290ea39acca2586a4aabbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
3741485a7e6604536666c595ceb9ad55

SHA1
61375e65a43ddb48e44d3b4415f13cb8807817ae

SHA256
1d036446ddf01139768ef815261d40463cb5487076c99a1871375d84024f6ee7

SHA512
156f8b4e80aba94c1dc4046d414a9bccb85662d72a60503004916cde6ec6617c98245a15163ada797c8cc40c96384976c5b903b23499ad16665ee95f5b38d828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
0a3cd04e54d48b0da6491a3598474397

SHA1
4e9208d00a4ca8a94fea3f3668e6c3c0bacc24c8

SHA256
98276bf2190af3db81c522f6858dbd680e197584eb70e16be9e241f30c1a17d5

SHA512
e055dc3cf7c2bb7c278c6dc7084241130e9e0f4b02785bea9997c61b1007dd5b28e7b96d860e868ff9ebcde860bd7d709082118796d4275a6e9ce87b66a01baa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
2f238db6e691b75e96663b790a90f2b1

SHA1
aca7f9da73bf5dd53780e66ecab0bf29bbe67d0b

SHA256
956aeb3046739088b1149a476e38efd06d81cf0c2bbb7e5a6b45585718ffc27c

SHA512
7f1a41a95dca429391d2de81f8b164f3a7210074940cd33a6a1d54a4bae3714d7c5d19031a6c29d4c57ecbcd6a96307229a562ce29ceb7da5e44533a3b4bf7bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
c061370fc82a4aabbb5ae48993518871

SHA1
0fce87b81cce08fb305eace4893d6dac827b4b9d

SHA256
51d9459271d53a18fc0ec5d27947efac49854adbe35df4446e21472db9772e5c

SHA512
45e583f4e5edcd18015f277e79e0bdbaf2520f589d876b304eef14433f9ed604efdcbd9adda084364f0672ac4a6184ed9729ab9a66e54e0f5d7a8cc86aac6a70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
f7cf22ad3787e33b25d4334610ab7516

SHA1
0bb8d9f7b28e4835ecb22607b8ae95034ec49359

SHA256
97fc94f6080f8c39dec1d6fa63ba5f4ccb64342bab4d35a912329fcd2cee3b1b

SHA512
6b7ffd0a0f1d5fd82110e8b294105666413bf4e5ba4c01eaa4f8c2bc938858e1e121187e4b6ad7f35ae64f6f4d2c0cd04afc9b567eeee84d344618dba864a5c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
b5b117f57107422dc01a5063851c0d41

SHA1
519d07f0370e4ffdc88ca0511bbd5d0932bb899b

SHA256
514330c13930f6a424b2a3ed3a478fd27d06f7872d27b8064f07581fb9a0106c

SHA512
6a4311d267ba10955071aa6eb16bc0221889a7ca23fc8a52cd0baab3c7d653ac679c2e52d2a2021203298a21a73129edc113716ec161967c94bd2d067a6ceabd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
99692b0d08898cd5389c177ceff8f879

SHA1
2ad2d9fbf240eb0dd789c67ec0b95aef4f928f22

SHA256
8a262e4288806d535c72a73a3e2fe2566a03f8217221e30bc7a9a2a5c8368d89

SHA512
772d0cc1668f7876dd1ee45c8c5505ab4a7df1a2bae4cbd7ca02983b8d01689765a3b8bd60301e90fc9ddc5a819c7cd4dff94d1f96fbb7d12508993dc41a9605

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
f366aca436f1d60f67113e1fed4a9706

SHA1
69eddb16885e4c8f3a927cf6f56edbab1f0a2b81

SHA256
7bbc30c63bc328755d910597be5bc4e00f3762997f999f9f7b420cb66e1f2cf8

SHA512
7a408630da8a9c099535df19794ef65b1e5d459e5ef225286f4dedd966b4e8b2c2592463e24418751ee5c9bef3bd02eec69f3dff154d4aa16e3fda0774b5ce02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
a868fb3b4ce942e208475a5d519a4916

SHA1
d0261ccdd108c24c207fe5ac758411317269ffce

SHA256
50fe0e308078114fdb343aa58b8c6b06fe98d878fac5ece7b4eb7523b264a42b

SHA512
65034922d0e6ede512e89c309f5a0da7105ef8f8e9c1bfda19abbf9e0aa942ba082ad5a3179b693ac2823aaafcec463ab0af9a632b4a75c41a1f2480bbf22778

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
233d0e479743dd18b9fce0564141c8bd

SHA1
bac270e0b7c3f804e6a643c8fc2606521ece6bd3

SHA256
23e7ccadbaa95b916b8168f4aa81da63320bca1b207ccd29da1f4de40031bd85

SHA512
3c71321e1e49227a281634f81730bdd4fbf797bb01ffc1cc8f105db0c57bb1893ad23cf8e5dcb998173c614fef6f09e11ee52d8eab33500ea5a4cad82f955f7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
249b233e5afd8e8b6ff887ae96d95660

SHA1
5f562ff0a98c76140a39e38138b7af3cfc55a1ed

SHA256
c53eb1ea01b65a890444598b1b54a2ebb1b8fb46fd333970488be2a33c0d82fe

SHA512
839662532715d28579885a77e194950bc3f3d7d17f84da4f9382fc6dcf43e4288a968b93ea8b4ebdf1f2c4303f7886e18fb6e49338d489a828f1d159be206301

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
143ccb055f6e255a5d193fcafb73aeff

SHA1
ea3d03f6f429bee7c079cb8a6ca0bf6c09ee3559

SHA256
a3e7e45f0f770dace770d33faffe600c9214103e37295ecf534d0d19a02ecf76

SHA512
24c40ce98a5da38b54179aa73029183f7009855dedb15f36ccaddacc4ac52829d2c52f0e4ec2c85d9678217a0080619d834a56fef1edac494f0320ff672c3b09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
2077844a58723e3c3ab2a311d0edad11

SHA1
7013256815f94f6c95fa8398e778990be47be8b6

SHA256
823eed6338ffdb6494d7939bc2920cee892eebd84b7e4a9e53b60213bd260dd6

SHA512
b6ade74272baf98f6037e65dbbdd988f8a016c7f6eb65b07678317f7e9fbfdb465d3f7b17044051024072c68517fd70ef65ab4d74b21a3dbc21574926c3fd685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
8ac8d2a894b6a6f1bc6f598948d480bf

SHA1
44a795bc7611fc7b110ea097d37a8483319cca91

SHA256
4b07cf26d2803653f714a5fc73d06e773b40a43d3818cabc3f463ec9baa12b65

SHA512
7e0f81d5b57143a38eba9345210fde2a82007a3e221aac6d20b797123a2d6b8f2591fe09372442a8d3d7b1346a3675e298e62b932e7c9bcf82b7518590cee104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
c0bb65a42238033062f7673a7fa90789

SHA1
9caabd305941be0efcef21e23ef5a12c8b5c53dc

SHA256
d11f658728db16edcfda7aece89cb519166827522d901df94d9d27c9f74a95c0

SHA512
18c5207d80da0b564851c1ea3f38230a788f33d0d276cb3cfdcad59c25a1524498ced402952d27d6e2785165dc37535813f0edb7ff89637d822e0429548188b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
7a06b16b573b37378ab02a7ab8a40de1

SHA1
d69c3ada27587abd4947136ed914a7abda5d66fe

SHA256
82ce4c845bc236cfd8c80ba7a396a3269cb1deb560225c5b524af841ebb0de94

SHA512
5b24cbcff250965a23a0d52eb66e658ca9cf578d142be110660f695c2d74d619578def4319738a3988d1cbae2104d9a8373ecda246353279f02c539aeeb81e05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
f8bdba06039815ae2b3771f666e3677b

SHA1
033fb8256fee6e365d5fe3c5687aacb5a824faf5

SHA256
e07e2fa98db597db835f074354a408ebb1093f7c5cf6fd7402385cc2cb0af690

SHA512
10deefb95f1e8c8cf2cb73f750b4fd430260ce95126e1fe9b9ef0f14f4fb7d6c803162bccf301c1004fe1edc2403f547396cb466b393c47f6f5e13d0a1f32cd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
98836119f78ac4bef6b2879eeff35281

SHA1
0d30c986c863e0e4b8d332843ab4766a66d3cc5f

SHA256
0d568c8f46d3c7924a707091adf8c82ea86b1d44a36cfd651f4eef0fffa51964

SHA512
a0360e73ca7125aa64f3f5c40de93417320f59d86d90878118301b1fa835f6604eabd0b7cc009a54f85070787ef4b751716ccbb29ea9bad1da156a55bc11fdca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
98d0ca0defbda7d2aa6ff4c895521e10

SHA1
82da3240ac9928f58c4ebbeba41b3b8875294be3

SHA256
7f4d855610ebebb1117101db051b9c04d240c5ce6d9b9c3d932faecd2218d633

SHA512
b696d5831e6e55236fa3a7ac1d3ba7a91463d591b7a330916799ad179ac277e7438e82c94d3b28f86eb9995bc33efd9720fd49bec07fc0bf2a04138434ca9775

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.1MB

MD5
26cb98fc91cae7c00cd39e0d8df3dae4

SHA1
1b4c41a40963062df1327c64ad78820654fcce3c

SHA256
b123d05009c6ddd9181ca439a2f79b251dd0a14bac48456a3bf282be59491978

SHA512
a9578223e184733e819067c84279c38c088a316f5d68992f4faab64ded872822d9624ded69cdf80611a560fcb02aaa8327a5a5ab1fe1b360a7a8f64ce5f09442

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
6273bfbe28805d0e61b46a0d227a13fa

SHA1
4a933d0a24c56bf90a9c712a3b5f9609f7b0c0d7

SHA256
db0c4b7d8b3281a771ed2ceab298867131ed9a6b0ca0b51f64fa76804f2183d8

SHA512
8c27db92e07e3744f5363e2dc71cbb06a719de5afd0c458479f777d718404f86cf39b64033207d3ba9b2ef6dd07fae50b8a00c70b606ce05402bc6c6bf4285da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
f69dd08efeaf5088c5c8a1fe7b138230

SHA1
54d5e95919859e7d23d5c21a4dc206665c87ccbe

SHA256
6762a69cf83ee624f64c336a3902850a98a09b65820fed44fd9aba88e65365f5

SHA512
78f5c68dcf2d4ce074b10824452ef6d394d91b240dfff0a2eb721f490737a5923a55be9ddc064027f16cf9671ebea85bbdc0031ad5a2486e468a26d4a6e125cb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fb8a4bff7665dc4a66f8b0203ea3d183

SHA1
0a479748dbd1d22ac9f366c31da7f6dfb0ea8830

SHA256
229413d6aa86cd48116250300e2ab3e8ca2568131928f62e4ef51e3e5ad095a5

SHA512
6686a312d74399752b0f410ac52a1cbf58ce444a2d1acbc0b5eb81cc836a116f2801a9c0cdf94368300a8385c1ca5402f3247049e0ffaea43426c2da29211438

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
050b0b845015dcccde619df23f231f09

SHA1
5f0b2ab5ef44ddbf28ae84b74cc023ae6fc4f2c8

SHA256
11b984bd0e26f4cbcd9e79480835b1e1598b74acbba6bf6e942125d9e22d990a

SHA512
ce071c8321bb46fd49310afbb8551b08d80c25c75397885ab3ec5a73b6fd86a2fa0e78c23707837adaa9913d0de6f0a95e895c8528544a0658a3ec1155736742

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c6eda6a0729ae8647c447b80b89997e1

SHA1
9ffc42523f0a5ffc5e5370d7a5a7a5dbe9e59762

SHA256
1c6c926b6ea27a473167ffcd4b301c3dc36a7f45d2367625e12e6e2cf6bb96e1

SHA512
e6fa7de221b4acc90c226983587de4b3eba0b3f4308b9290521e8b2fff45901d2ca98ae70b338aec46f793242e1d3c91f4e839a3a9f10c661dc125d16b3d79ab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
6224747f13be9c839d733b8d23cb3a83

SHA1
e3ed477d4e14a7238b322795cd71c52839a8b06b

SHA256
0baf3cbe9f8a48393ec1fdb7cc868fc60eb080d24c78cbc263cd81db7df531f1

SHA512
d357f482a0bb649cb18f4bbbd58a0d02494db520f5ad75f2986b6f1db07c303e554338fdb6a75f86ab487bcc51530cf5537eebaf80026240d00bfc903f269a23

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
8e869b7727b84f62acfab36edd79c6bf

SHA1
eeeadbbb43ffd2142f3bd808d0275f30e4b05c1d

SHA256
fec62e94862f4921445e73d398d16fa4b7114ce7a6e752b43549c4b3a6fd0dae

SHA512
c56f9057cca6b0fc03f80209b2920b7268e61c613da111dc2ba24f5ed41350c35e7d82c016a500dd7d68a04bdcf1abdc4258b2b956f4aa46e1479de23b49cdfa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c50930714c082c63e309a41ef19ef5a7

SHA1
bffff62d439629617958cfa85515e84d9a3bc04a

SHA256
979a86c59942587e7fcbfde59da50c7553077a6a40648912eb6a0e360676722e

SHA512
44326766331287c898cfcbc05b70b6638b8c932f130ff1a74ef1ac6a4ac1453b5e000182ca0e2c5eb180820a0d07739745804c30931cb3ab5562b3c9293d0f78

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
db5b9b659ea1fba9d036460ecb4a6e5b

SHA1
0651c95b249e7be0338926524b668375355c43be

SHA256
edc8192e3a6c1614c2b26785db215968509a08b6f6ae0e14fa750a6c52cf697b

SHA512
7351499339c0289d54ad07416af68e7683c4c9cf43e1c0f04db5120de0605af15a10b255ceae40046f85357c4f4ef29f384d44e967b5e2c6a961e83c1ec42214

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e10ee7c60639dc9c5f9f2bee7777bf83

SHA1
8d140693264ba255f3719923048024d84fac81be

SHA256
82eedf38a4a5e613ed2387a99b7beae031fe0fde01fb4c550dcf7363e0ef09d0

SHA512
1032581dbc249e3392ccf2b7674be654b67f6272fe61bffccbfa4542879905189cb43ba7f29e2bed2c555088034ee4d6cb5648bd876fdc34f822a5b8605a070a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
249d53ff0de77c743dbb8acf447fed13

SHA1
5bcbea0613a845d1932e426e96c3a65a0085c8eb

SHA256
48fa8e1fbb507d4080aa97577def384a27304b96ed3077598b86b4e4e923a58b

SHA512
5323843fb1002eab89a719490e951236c11151d1a6ebd28410ebe5b587593ec246a02bd4508ffefe677075cb322e85ed64badac38fba43a3e76f009b1ee415fa

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
193fc767b52bd039f03f2caa2c513d9f

SHA1
859a1009ca71071bb29d4bb1f8efae7578e4cce6

SHA256
95aeae76ad39210b48fa83e779979f3a6624ef74d17db7d105a0ff737d01b3d8

SHA512
7416c5a7d81da0d56993aa8402f4b99880b7763228b4e223430a4ca62d83ed4dd5add981be47a16ba462adf84d71863346d24cc04c7843d2c8cec6a88afa064d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e8d8c9bd7f2aa646b221e50232073bfa

SHA1
d3f242e92af2e0aa622defbe3584ef772a0a337e

SHA256
04ff493e283975ac1111450b6fcc67844cc69c1ce0dd71ad983a6e102dcbef53

SHA512
2ea8525c701a9db6645a4578fb092106d37f5863e90847873c8f898fd44bbdd64d9e1c44f99c0bd90aab3d7089b8d94da55c70c3871cbad9271fc009f7ca7342

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
7f553f9cee0c3365f079eef40a98f620

SHA1
d33a533739f0ea9f947aa3e7867b84d7324edbb9

SHA256
95d7069579532286c72d6f0fe37bb4854fb7d7c072da543f5ba30cbbdefb04dc

SHA512
1e585352baf61b02219f5a409b00175ba5c0aced6c727b7119bce24423a0d0a3366a89c1d40483a5ebab5cf9e98385b88003ada8ffebd5b7c607f9cfcbb2fabc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
743a4bb38f893ddd0a8a55b031e2eb69

SHA1
624a5c70345205e667a4638eee5a0911fecb16aa

SHA256
33ffbb73d1504a1fd9f9554ffce00cbb5564ac958a1613063c4ab9e423158a33

SHA512
3dace71ab60ac78f5d61a39ca0a648a781b83c82664e5c962eb9cb76d82bef32e2529733083da357f72afd8fe6703c61b2688a61ddf57b5d860ac8bc8552d93a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
8309ceb2ea10fa5698b546e289a20f53

SHA1
03d7ddc6f1cf14ab9fc9f859855f0e0335c224fd

SHA256
77ee6381688421959f22f2ccd4110ef8bc2163650267901f443113fad62677a8

SHA512
4ca743f5e7aea0c315241285d77932f6236fa7dc8527fc1d77c213988ff59bda27ec1c2c40f477e78550eb3e791233ca27daf0c86185930c3f2950f674c6925f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5457b1462f879f32d4a3d19db6c403ff

SHA1
8450a88a99a0aaab81e90ba03e83650bdf0128b6

SHA256
5a278a0bafa62fcde1e168460930538e3b22fd411db0a89998c11d77eb1ec948

SHA512
437e29f684d5289e3e1a47c9d321e904df9787dd63d92fd4b000cf08d1e673bba872dff97882f78b8a1b2c31c9a8b15928ed84e5a99efc901e8fcc63331c7dca

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
1d250df09adb40c2b659b0a1a82c7788

SHA1
a4ccb82595ab3ba53895c7687a6ec34491749054

SHA256
4cf360c04361f8b1b271093f24c78acff55338b92e1f23ae9caf15eaf3a25782

SHA512
73613fb744a0b4095b794aae3fa768d3ce5bf3b4be852c7c51b542b300fc0f0d9ece925e52c2602431937b285f05cc9f8e310cc7a6fc089ee9a5b67cdb24164e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3d71360414795ce68bbd2836a59f092b

SHA1
d616129ddfd536ff660a86dc80a78fb897da47a7

SHA256
fab5c273aa2df4db5bda4925147f238c3206cab94c4bc8d52c671f8ca304800f

SHA512
64f12bc6af98da5e98be08f5d646f3e978fdcac65d8943c999eb51ea3047f4b5d18100e5a5dfadc8dbc2613eb343fcfa726d96fe7c7dac630d49933c19aab505

Download Submit
memory/184-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/184-658-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/428-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/428-28-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/428-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/428-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/556-391-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/556-279-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-662-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1656-387-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1656-373-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1848-386-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1848-267-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1892-75-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1892-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1892-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1892-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1892-62-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1900-404-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1900-660-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-48-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2020-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2020-41-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2020-236-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2220-425-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2220-661-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2716-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2716-232-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2716-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2716-25-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2732-519-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2732-319-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2880-353-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2880-248-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2880-241-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2880-242-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3188-587-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3188-330-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3236-0-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3236-9-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3236-8-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/3236-12-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/3236-14-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/3596-655-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3596-362-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3972-252-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3972-253-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3972-265-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4420-392-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4420-659-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4552-72-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4552-70-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4552-64-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4564-403-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4564-293-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4664-654-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4664-342-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4860-296-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4860-424-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4864-315-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4864-538-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4864-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download