1aadbbe42e115dc5c79ed09a022b9fee9c10fa46b77211c0ac77b710ec26d188

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Size

1.7MB
MD5

c141dbb704c9c3e3554bf151db7dcc84
SHA1

af2e6cca4db4e1f008fb743e948f5bcb0cd49f68
SHA256

1aadbbe42e115dc5c79ed09a022b9fee9c10fa46b77211c0ac77b710ec26d188
SHA512

a57e61e833edac42b662eaa82d1f4220abac24203e21ee7af91d2df97fdf2cfe50d2084bb3fe690773a6ddd0f9484353fe585f8fd02bdba0c54fbc4da050781c
SSDEEP

24576:piBE08qwXeAVmYbERIk1k7c+vDqGJAAg:lB5Xe6XgIk8x77AA

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
2128	alg.exe
1984	elevation_service.exe
2408	elevation_service.exe
5036	maintenanceservice.exe
688	OSE.EXE
4744	DiagnosticsHub.StandardCollector.Service.exe
1224	fxssvc.exe
4512	msdtc.exe
808	PerceptionSimulationService.exe
220	perfhost.exe
3592	locator.exe
4220	SensorDataService.exe
924	snmptrap.exe
4888	spectrum.exe
4200	ssh-agent.exe
4316	TieringEngineService.exe
2044	AgentService.exe
1748	vds.exe
4992	vssvc.exe
964	wbengine.exe
4680	WmiApSrv.exe
2580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3dff9bc489816891.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\javaws.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000977eb61719f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d657af1719f4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002893aa1719f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000130a81719f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eedfd71719f4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd1e951719f4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ccea51719f4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe\""	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1984	elevation_service.exe
1984	elevation_service.exe
1984	elevation_service.exe
1984	elevation_service.exe
1984	elevation_service.exe
1984	elevation_service.exe
1984	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1988	2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeDebugPrivilege	2128	alg.exe
Token: SeTakeOwnershipPrivilege	1984	elevation_service.exe
Token: SeAuditPrivilege	1224	fxssvc.exe
Token: SeRestorePrivilege	4316	TieringEngineService.exe
Token: SeManageVolumePrivilege	4316	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2044	AgentService.exe
Token: SeBackupPrivilege	4992	vssvc.exe
Token: SeRestorePrivilege	4992	vssvc.exe
Token: SeAuditPrivilege	4992	vssvc.exe
Token: SeBackupPrivilege	964	wbengine.exe
Token: SeRestorePrivilege	964	wbengine.exe
Token: SeSecurityPrivilege	964	wbengine.exe
Token: 33	2580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeDebugPrivilege	1984	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 4360	2580	SearchIndexer.exe	124
PID 2580 wrote to memory of 4360	2580	SearchIndexer.exe	124
PID 2580 wrote to memory of 1832	2580	SearchIndexer.exe	125
PID 2580 wrote to memory of 1832	2580	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-21_c141dbb704c9c3e3554bf151db7dcc84_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2408

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4512

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4220

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
db79969a1e3ef90f48fe122d33bd2d75

SHA1
f27080e473e3eaa5c0ee9fb58eaf80ffb9db1bd8

SHA256
8f0c191e0f5ca5455c00f764a1444ee935b5a2c37f97e7daaf143d51bbaaad03

SHA512
03211add1c86a950ec44ae5a303fc1b2e9c043bf8d7d921c07733d1569fcc1d8bb8aa771da87d14e5ec13c3374bca7ef19f4d46fa90cf71e48f28a12bb30c592

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
2c417db1649447f345e68223c457de1e

SHA1
6c780d92401c4237bb6a18bea22197ea122f0996

SHA256
68c38dcd0289f04c747fa802fbbfd4ac88e4ad3cea4a406b33902110f5e6813c

SHA512
3746a4c00df7ebf7062c0a6bd4251da6d977e5e809483ce26113254181085de025be0e06240632f695971be832e2b3ec4d14649dc9dfc79321a91503d1cd932a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c652137243c291d184636949ecefc22f

SHA1
5106adf808bff671e13e88fea9810ec803db0313

SHA256
ea088e22f193c5567644665c866d385d28f5f83145eaab4951fe174e599bc58c

SHA512
0eae8239cdb6839e08ee7011d4829062f6425c64355dd0a9da966c704c4db215d17908a9db75b6916221306ceec607d5835d915b363598e62bc187f205eb122c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b4738ebd867be8ed84e0bc7dec52e5e1

SHA1
ba55d4f514e85e1ae545bc22951a4ee38f147277

SHA256
16bbe3e3a84e541692807843a8cb8d5036d4d93d8220549dcb477c180730a077

SHA512
03384141a2a6e01b382b3a61d62c32e670e373e2bee3d0bbc08ca77f4e15adf82f8e5189dd486f46a3106c478d5a5cf33dc64d5ce788ef987d15afda3696c67d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0bc253635b9c0d575f88e38654d92a33

SHA1
2fc5453cab9983d95156a2c0cde20d8049f411fa

SHA256
5597748ec9d18a05ab9e93d0167bcb2268f96684f98497943912cad0500fc226

SHA512
d60bc932677f360cee2464141007f957a4114645ee3132e43fc4dd92f3e761a80f3d7083e51758b64982bf8fbb237e512a4b9479193b6484398083d23a47a875

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4df94899f319691009702a82151aaa36

SHA1
87cf0f8832364308d6264c75921e01dd34acc555

SHA256
7a9944da4da4f244e83719b9ed151f6d234b911d78b1b7df1726a742ff486a17

SHA512
062caecf14baea902b8a16a3b6c3df866b1daacdbc97a5bf70bd409d1e5531971395d3538468dcb37415f4698550f98dcac48f79bacb9dbcd74ec3fd6fa0daea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
151a284b3f0c7e5637beb02a45420781

SHA1
f781b06c5e9a163d5315b95a61eb810208eebc51

SHA256
28a60d2dd350749c03bc2a07e2c259f781a4ab3a6b8e5d1b30a54cae3a2d4d9a

SHA512
89f920bbf9cb5d8dd530fc795ff4bf9977894884af669c7b21755c2c6820a59dfe50180eab79e32223f699967765677ae02b4d498b357344e9fc5d0e33337be2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f54c9ac2e4f807414877e8bf57cf7c80

SHA1
6e3af0c4de5deed6e30aedb87f5891c434308ced

SHA256
4eacfda829caa24c6b92d1e4898415f93fc35d2250cf2f78959f3ec9db1217d4

SHA512
876fe1acc946b10861a3a0c0f57cbddae794484438e21b8a174eeb82e7049987904203c132f7496aa1e33b369f54cbb870c968e27882657a6fdbc791de311620

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7ba165173e49275a4c09c5ecca520314

SHA1
a63bf5086a0627d4346eea206fb5156bbe769a1a

SHA256
e1f2d43541df4074e3238946ec7715e5684d10a31a36a833d1b24803e18ab0df

SHA512
683e8398ffaa8f6c86cc4dced28e21360812ce0eaf5eb2ea3875505bb29983ecccd9ad632753b2f6ea0f23578cd34e8b4d477aea7e596daf55664e1f4df7673f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc03d41c22dd9155857c596a3678cb06

SHA1
1757c5b3464e31548920c7619742214fdba1b24a

SHA256
50167752113476aa509a8e65a9d24fead60cf7d5fa4e94ebb439fdf4f989bb1d

SHA512
51b5fad1a5b2d256cf29ec4feac93245a8c28e57ae12bfd681d9c6698f101fc8b242839bfa077b386ea2a569579b7720362c01dea0ce9e00943aca58b32480be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
441d01eb410ee6be945186e7e3323e95

SHA1
d380c1c6295d990b3aec710c65638652ceaef117

SHA256
cb417f1fb639662611278b09d6d708eb530a594f9530393da34ae12e752b8c6e

SHA512
97966c4a7e2f31e9162ce8e549b4d2946a36aac20c049709bd09b6c9062b97bacc55777e331c081e0eb54bc8d37e3d551a0560f72b7df07757b0515954080e48

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0d9d40e0f48b2922d75320ca5e3f20d6

SHA1
cd4f7696e5706b2faaeb4293ec63acda758b93f5

SHA256
f0bc5159fd7a2179a4837d5a7e5cd7af78aba9ef6d00113e182747e4d4fe02b8

SHA512
2a0b326232f3408b86ddbcf4106929a04bfea8e01bb785d0806781925e523040b36395051c654e0020e1139a8ce471b9f1182b6b1bbb360596f2fd757ba67347

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
a44de2e2a86afb21b71d81359597d3dd

SHA1
88fbf4d333579e39b320e37ca757a4064a1a2649

SHA256
62c9b16dcaa461447c0d3da9dc39ee1b641d9de81ff8fdb3e5b525b4a6e3bd39

SHA512
550abd60737b6c31d5221efc54fd1b3068e052ef1330776be64aa627b1058924eb0be1b2bcd715302f5ca1e48d16418bb5518c43e69d70163067f5431da77ebc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
23a95ed25fc550fa8c59ff99f7146216

SHA1
7755476eb27b8a40a3cde676586dfac6f47ca325

SHA256
c371bd1030b9cdb65ecd156cb681c1852d6d5bf312182a3e24b3a64d92c02ba6

SHA512
14179cb4fcb11598bc83aa8c1ffd4da537a069f9c7fef5eebc4475bd224c9470534a2ffbd9f692a526e74e8facdc18e81ad3429ef717f63544c485967d58daa0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
03ea3701d62cbe0df7c5a838cadda9d2

SHA1
23edcbb032ceff0348200c798967d2307cfa6644

SHA256
c24efe164d0376089ef77b37177372ecfd322afb7234b4b4dc4470b54b39b7f9

SHA512
8e99d7c3450ada0624c635ab3696d07626bf4390e7c86e6c20ab5430b69e2cb911cca6b683c9b08f98ad3cccb7733d0c7d1e26b3df432cd686279d20f9b888dd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
e5ca0a9fdc996ed340676e2751ebb27b

SHA1
8c8c07ccb9dc7ba0903e2d6ece6f771b19839ef6

SHA256
52824db734babfd5ece0489beb59e19c99263b28eeebbb90e3b90a0854ae822f

SHA512
fcf84402cce4caa67a548304cd58e39a75ed51ea66f516c34ef4b1e1b0ee31fada32c4fb0c53faf9dc669761719c327997ebc99d68af7b8136744b1a1f92b12c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
991af84cf2ca44fb1f0d89a86a54743b

SHA1
ba6cb6176a21496d7f610da799a8bc26ed5f94c0

SHA256
4c4cd7c94dfc4077df717e9faff5db41e5950aab2edc511026428f384013593b

SHA512
5f6224e5bad8dc7fafaa361b8a65e73efd08b2ab3f8c64034fcb5d4c8e3238e3f530284417aa10b539e9ed0094bb8ab7a97d170f43d09ecb032f4d3f3427afbf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c3b3edf9395baa31613b599ca9c490e7

SHA1
6f8c44bcc4fa96e5671f97e5f03d07603374db5c

SHA256
22fdafa117225ec8255ae0c32c8a65e6853aa5055fd07dcb44bc3c43bcdb8897

SHA512
497382d828517c5185ec76a759d8ce8f6080eaf84336cf5294be5deec7e5d669b5be658e04700b3cf426ef34d6e1f5fe6e957bcc9be7b122a05fa0f3d6f6afd3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
fa2f919fe23c499b03711b411dde2753

SHA1
a5e87ee52865be5a7c20658119dcce2e95058494

SHA256
6a546d6f0b96ea219fff542fd5a1e56a54d3ef0af85fe967868720d55fa50795

SHA512
6fd9993624b6e883baeeb02f35860998e36cf850e451c620d0bbd9d9d669b5114f9429283b3bfcbb00e20960df5c0bc74fdf88c7274c663925283e603fe69b6c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4158b07dfe086340a3547d7c68500be8

SHA1
c1475af6e329cd532a87f54bedb095954a5fb04e

SHA256
df01e524c07c98298a002c112674cef7178b655c590f45b1c073b229881d5130

SHA512
0923e9b2df1dc70ec32f39794ffe3d99d715d750169ae997183915d9c3e991dd1bdb7206d00b843d6084e3c402204edfb94b57976922eaddcb0c3e4878f409ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e7ba6ee27d895d961cacb28bed69d2f4

SHA1
1f685ed92cce721a73a0e818778bd0a61849b542

SHA256
a2a0d17cae82eb68e41ec165e04867d6766fb127e6ba81f72f310ab3cb0f2824

SHA512
8ddf054d1b6f0525f503b76f0528ddc0f3de5c466aa4fcbc59689a38445a88c0e9797707c1170974d65728934326037b07523d0a6ea0a5f7f2d7c32c31333658

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
de5b971197802d1a09383aa6db885903

SHA1
8f6db739df3d1440c37014f459aa700d6c703722

SHA256
a7cd0efe9d3cb789fefd06a117275bc0337fe93e2c8bab5ef8bb8e0f025f4d9f

SHA512
ba0531f1e485e59a8e45efd19b1572959fff0541b91621dc1d51777c721102930aeb09027957ffb9e958e295ea1c99ce628dae065d7e6599c9293261afa0ddcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
0e0aa10d81c5eac4156b972b7f21c045

SHA1
ff6a048a2a20426b8c74f92608ecc00184bba721

SHA256
27b38d7c0269e17652acf0abeffcb2c133ccc43a99d8c3494bf398e821f57d9c

SHA512
648b21f91967a39bf51f4031d0a4811fea676f4a27cfe9088f1ed4f38da23c5886c488bb9da8dbacc75a530e6e0e2d4723da46f89a3d1545b0b79826ebc46182

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
710725cc364480bd7611d53aa5b9e98c

SHA1
4895c28dab00a587ed7847e421580f14133cbcb4

SHA256
3c9b97fc60f71532976aacbbb04122e0fc56181c159f934b7250d368a2b9a3f3

SHA512
fc335c6380704b513f243129440852992aaee11b7af0f955976b3f43f2ded7b5420ce10516cfcfe744684c53fa262511f57db0fac3b0b366f2f647ca76d77526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
18a93a4074d6e572e1a6fc6b9dabb120

SHA1
2be65dad07e49b0ddb96b4a5cafabaaad8e88360

SHA256
e584b9b3d3f24937b5c731775db82216247b538a6314eee918fcac7dd8963301

SHA512
6ab9d793046efc78d32585acd9c96de1d4539b74fdc00b26bb7f433e0fa1dfa7ec2ef9fdc123e7e1d1ad7a9d6f60d1040f70aabfb71ef7544dbd050320527aa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c05f6e2826382c1824ab5ce93943c3b2

SHA1
dc03c848dad9ab2bd9fd9992ab8a0e2805fe3c05

SHA256
ce34131c4c507a39a302d694797bcf53eb68416cbcaafa059bc86f8a86eb8146

SHA512
bdc157d96930d69317b635eb0fe6d0defc0cf0319b8b4d438f6a1e2971504a0790847caeb1a5a24f198399e083ef5f4ce7daf77ee8b2699968467e70174aa72d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
318fb845ae6893fc08c4df2ebe04014f

SHA1
d7321d068e605d81676a5ccc2e21a1ff3bcc0cfa

SHA256
cf4c845c7f56b049907aa6cd5453635f3e2c978187226ed80023b2862d249836

SHA512
1fc73612f74948171ef74ec26bb2393914db2472cc7cef6035c0b644657a965dac913f6b5085be575b1000d9c8c9250671c4b8035a9deda7e2c16862abd8879e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
54a6491da3b85efb1da9080bad0e0915

SHA1
c2cf92b15e8d2a6833e07d773b79c02d038f9881

SHA256
0bf39eea3a6de2a09331090ec33c847dd7f30d43a80358cf8da795d9b4dfe6f2

SHA512
af6de9250afc8c71bf88e9e63c065315f98b4ee2098bcd5ab0867e5af217d0deebc1a710ea9eb148032d557d4259da3f81f0d1c84ec59a33a1b63327b9bcc529

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
94d21f954c485895b48c2de6e7cf67f1

SHA1
a0d0399ff860140d0d33f1892629dec05d800984

SHA256
3222cba96be705703707ca54412196945a8cf025725b08ba50b89974b7e6e0b2

SHA512
872d2bd8fe5a4db39f7c2ff9ebf6fd88fc7e82cc84f15d97e30d42f188646568b628491b436fe2f525cbda6feeb40fd6a87afd352446cd9d5d0d51580605ac63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6d3f28e3dcf0a878da02c16651dab05c

SHA1
ce65d4d5fc7ea1f04f14d0ee574ab6407bb17271

SHA256
14a038b8d217021f1fce623c3fdc188c753cec792afa5813599a3d84dd9a530a

SHA512
ee04285d042cbf60b1a3e7bac5d61e52d0aac0daf72e119ef08367b371f31260368a33f2616aee9e5d6b549664e0a69dc6ff41a909ae596a6ceb71ca05e6fd1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
fcaaeb521d9bc9d89529d8fb1cfafffb

SHA1
15f50facac16bb7da684b9901e8ff6c6eaec5aaa

SHA256
334f259db4c54bd6826d3576385514eb0d0913c0660d761238761e91dfc4fe58

SHA512
f73c276fa7401e5c30434556856a8110d1c3271d484753dd0127b6f31a62c025896f4efb3210129dd5aad6fe519dcdabde8bcc2fd7a08275485331745b2ccf25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a92eceb2f447eb0ab18d63f41f658f78

SHA1
a125b4fc3414da567ec1623ed0d24b20a9282596

SHA256
1a9cdc92f8d5672d9a7d369d4a952de55bd14836d98856d1928666b7f29b35b9

SHA512
5a4b9585b426fe4f4cbd4160b9091777ad0d1955f085a421d2ddf09de4f76b890e30150b2cdcc17c310e832d928fe76d97a68a68d6c041b0311e9e21ff927708

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5dfb96030862d13ae1fd88e4d04fcd2a

SHA1
35a2a10164383c6c26711f1dd120cf1b24d1d59e

SHA256
c1fc306cea22d609f99e81f62108c3af08bd6630cd516f4976035ab7c6a392eb

SHA512
0eb60b7216f61c23519c4bdb4d195cb090191ff232ef9efdaedb9d474edf94fb3731ad7ace9f28773c6cd1e8dd00144e7dd2c2b11cad7e31a6d1ecfc20f39420

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
6ea34e29fda3a3b4d7a97370fc4938bd

SHA1
10b2044f232217d33986eef75d5fa3b112e48008

SHA256
117def1e83cba4f21e4d394fc13eeec49032a887c997294e618959faf475cec6

SHA512
364835cb743c03b862e30c9fb1d5463f793bcffba61f471200a148cc32b50bfc3d47e23f744aa5870eeeb4d9fffafe17d73de01a1db2448cd73c895abb493e6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d80d2f86a421c733a52a0ca4b06459dc

SHA1
50da94798da0103766df0ea28279d82bace77de2

SHA256
f163c01b1cdfaf9ff2f905fc7b868041c82c29eeebbb8530f64a562f4f622166

SHA512
82a0282b3da4db1bf9738fea13d3833ebbe91a2224056b39119fc212a5b66f12560095455626a9c3c1fe39a52e3577dbcbf8939e94eedac47c44a68e6ac15c84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f433d88b46291d0479ed27cf09e1d939

SHA1
c754a2ba1775829162b4f09eedf0f37d0772a24e

SHA256
bc0ad652b8e9e08673e393a1861188175e9507c16dcda74bf7dc48019b0dc30d

SHA512
bfbce89caf91901ff547c4d43c0d0e03046d5727125e727f891badc551fe97ccc566e6e8adaa906c365566ad1e2d710e28dea2b2b4c5b2b43773eac2f56ba8ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
b26141d9bd42cb1ab64a15602af27da5

SHA1
28921ad01907342c0303811018ec921449cf5bc1

SHA256
fc2b233386ee64a89ba383ddfbea327841224ea06a607ad8f3088e0e2159fb7a

SHA512
00a50fe9d2eb54376a49eeee6e372ca9b3cea9f112764032f6c1aad631e1cd39f9e5ab88952dc54c86df594c107b429d50f25d256261f5f07b462e362f0df28c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
a92616591cb681d3ac984d94f16fe641

SHA1
111ef94f4c02364392453b3ecbf02ac34f419728

SHA256
1cce052559514eb51f77f39c61afb192b623779c3c334f2286ff393ff62b5b42

SHA512
8364c82a6709cb1d18691b9b56380d1b53b2d734f54ca46838d583116bc0126a6b2d77ce90c637f11ce33ffb451850b4f27d5a8068b43b94527c02d2821ecb9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
edd4e1d6536cf3496e77e8fbead8c75e

SHA1
c54c4e12faceb631d74f45a3d4d9addc0d959208

SHA256
05c81b0143bf9ab0be2d9c5eeeb5bd9a7f28ace84596f804ba32aa1e513151a8

SHA512
31914930172e65fa1ba7bb0119f6b39c58acee6d1654df94a3f52347e988279e8c09118a81e933e133764cb84fc1f4d316e224dfe3c8a3222ac5de010b263433

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
1ba46185959b1c8a2d045b9e49811ca5

SHA1
07ae83149c7b441e80dcc0546c0ecd9bc8f9dcae

SHA256
439fe18f4d89f70811c4828114d7047e36b5395c0cd9465d996f8906c0aace12

SHA512
b852f2edac330fa6912a6cca2c94a4bea7d02b1152386e083c5d7e02deb1be13ce61a80d80adc4fb816d8c722c28d6b3905a5396ece07eb7171a08a2e1544100

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
45539d2617901f1e6ef4fe335ba1efd3

SHA1
9a01180232dcd1615398276bbe756a92cd0a31d0

SHA256
fb981f74dd8b60dfe260f7e7689f89c1cd9bb4a2823f084a5bf3f62142016fd6

SHA512
cfda056086f5f7b60a07f6d151120e24c40a8e5dc02a44ab79eb7e6abb059191fad39084743202f79c14f07fc0b443ea538642cf7250ba33b4b6cb2ec3260216

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
b01ef04ee19820d616c8ce2725b4def0

SHA1
bb8d7f391bbabce560c0f3112a6f89b362b4911b

SHA256
a1aee50a888d518feb15ae457084c3b526cc82dd813cee35738f7e36444630de

SHA512
238f6d535d0e811ae25691b73beabf964ab36e9d1f9f6c1d5dcb40274a0a339673ad92e7c221b42cc6f5f78611e446bf3316e5d88753fa8c2786dc7c76c42130

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b0a6a4b46d3040768783225610415186

SHA1
60de02a263292fd276431d9c15bcc66125cfbd12

SHA256
851a5285e7753c907004a5d7988b5c3c6445667c517a265ab707355ea06cad85

SHA512
ce73a3ee7147a44f9e571ef71a3e65977e46f8daa1406b96115835661082834ce18d99d40e6512288ccd8cfeaa35aa8ab201614e2bdb42e9c3243e56ad79e2e3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
82d37bd7d6c3f825ef97fee190153a5c

SHA1
ce68aca61f688fb56a10beab9a96bcd10fc5aaa0

SHA256
57684e04ea8343e9ec3682d5e2d494f22d48be185d0a5a1fd5b86bd3d9859816

SHA512
66b5ee6762acf09c35d4c0fbb80d370f23b6afe560b516487586afddbc3ccbf15f49990532531de5eb547f725adee9966bfed415357dca3ff56669ad498e5872

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bb2be74e41a3618226763a9067a2faf2

SHA1
83bee709037db673d35025d38d179e31802dd215

SHA256
a8c9bd7671b0746962410a60ce9613f6883fdc83812b550a54b4fa4125b5e3ca

SHA512
37d955cc129face1f2ba279674f90055761b51992549411176136624d3beda07555fbd1eeb6f3db0bb6a54ab5f1beb770ad084f1650a6d6da875f31f355f4019

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
2add064adb5ec17e295235ded9e3318a

SHA1
566932dd060dd33a879646ca9ae595c9911f5bb5

SHA256
ac140cbe9e9074192c5e7d5543ad1c49da7da96ab45638ae2ccab85194cbf797

SHA512
3aa384978cb226347cf9f606f612842a9046e6e6b7b5b3d79b1ebce15cbe1c40cb7c8bd225ffad8973d82c878d169838d6ae8daf439672661415887dfdb94043

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
644eeb4e9a6bb7597018f6195295250e

SHA1
55b28e7b54bba67915762bf96c1d5982a3e566fb

SHA256
eb3bf2b8feeb79b6fbedcbd08c63111dd1fc6d0099854a262b56f3f2465a44ab

SHA512
1f5bd6fca849a09e54bca364a997eb2956e28e7821e0446989f7b3971ba8d1184f360fbf6323654c03cd538c6444d36b5e5b1793ac93763cf55ae81432850a29

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
81c974105ae51e668e2200ea2e57b8b6

SHA1
269313a50bd62b807da3be6da329d695e9bdae8a

SHA256
a53203ab20b4d84a69e8e7d2a8aa127cff3c14379edf80fc6b716fc0a87289c2

SHA512
3b7533b7cea7fda185ff6539c83f21fe96800fe0b51bfb4ef58a292c46fc09a45b3f20363044f18e48966d988b2fc2cf71126fc8cf43f35786263bc5f65d2041

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e64d516fb67e38bbda5ad1ced731259e

SHA1
95956df79a0ed736340e72d23b4a6c7d2497d5ed

SHA256
cb0f953848a54e9d06a6da076a9ae291b7de8fd7fae74b08729a0a4598be675b

SHA512
936534ea58340ab2386ff609ead417358bf61eb1ae91f7d98b4256acf35055fa7e851175175a7210a018b9942c91d0f68130809d50282a52b38a977cc36ad6a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
04cf750c8d6053cb3033c9020adf96ff

SHA1
0ac3e3aefe066ddb99f578d050c62a95861849f0

SHA256
8d8727e80626051273c835b33c45cc7a8c4543cc89b943c5480ec5826e7cbeaf

SHA512
0d10c59c1846daf1eb934c1d4edc826c3a5c1997bb53e7aee68349bfca7cefbe7ba4fa1226e8bfc411ccdd042aa5f4ad288695110e443617747a8510b46f43d1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7db8d48f82d42d0821f57e808185774d

SHA1
fce57d125e3705f3a5a305150e5a7df9431658d4

SHA256
c8d49846ca07c05d2d90de9cbbfd6042eb3b08cc3482cb0a4e9171ff80742fa8

SHA512
608e097a8332309a7c1bdbe1d5b36a2697d8a48830d79c77033e70a0098174da15afb2ff80bed0fe55685fb340204d6e5ebea0117fe678ea62c3ae22652d18e9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5c324ce1b02724bdd1c87b1e0c776fde

SHA1
89f123bf58ab924d0228f3eb44a113364270bb1b

SHA256
e41866575d9b6f17ef97bb21beab8ed39c02aaf6f016753cb2e194e2cf94baad

SHA512
27eb07ae43e7435521570bf5009f9f930883a70dcf28869d9f2adacfd803585416acaea4092b05a965b3c27d156335171e964e147b7cf1cec0ff4d65dd5d470b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
089c0e574a28dfa13a191be13b0fbd12

SHA1
c8989f64c1da95cb9568a9eaa10742d293c03f63

SHA256
d7a31adac374541ab8f146dfa654ed58a2da1041407a7daa0b9553b6409b41d1

SHA512
b2f72f1c7fb30ba5137a3f18d71775e5b58a01e9482fc95bc5380f154b73ed8708d6acea4b2f7584af822062e40bc95d73b5eaa9d740c7c2428d07fd08e8a73e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b185515ceabfece201169e08bd2c3133

SHA1
62eb61a5a500397edb687350216586d677f79936

SHA256
664a368eaf9009e33f8f95873804823300974d3c5be476a6567c501b1efdf9f4

SHA512
55b5dc0293e7e2e115533284f7bb6fb950922531152779cc82f7b9b44a2b9bb9c89f291120e3ec37077cb8679b682519d28b1309b75781c64d7b6af91150fd91

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f1dc1153d84e6a200ec66a08416f4c5d

SHA1
5ea7826471cc1b2c835e76cc22af4caf60adadcd

SHA256
b0c0ecb5fc8b3683058010d6a75ed12627e310e8159343c9adedde313f81055f

SHA512
9ec4fc20023714111ee7b9a5ee64c9faaaa2bd9fc7ca845f2583bed1d11123f53d0a4e909b621e196e61d0abcfba70775509f4340736a031af7898bbcd76ac1b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0b9c778800b9e6e9af4d6fc7dc8981e6

SHA1
7cfcade0e1a177373b3f86802d29eb3e6ff67eb1

SHA256
eedd57f0dd9b277e7115e69e078619d3eb2252e61aff88de1c7be109a2d5e505

SHA512
aa37cfbf8120fc63f6a72470524c4f36d4ec273a9a4af0326f9088bcec2d8529d2798bcee3e6b2acf7a5a72618e9724ce329d7f4e6b215f6286e5e7f83af0a80

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d5691644d41bb8156ba5b8a0775260b6

SHA1
6d5b695383a9beda3cf6420c48e9858e044383d5

SHA256
1689625edc194f067c45bfab0c1a1c4922bdd9295f1525b5b97ac80a45ae5ba9

SHA512
cc156dd8728c997230e2f5b55e77735cc5ed4b3f4cbfd9a70f7af51505dfb20c3249a02fc5a674ed8e18590af8b2807d75df30beb9512c5f038452765432ff1c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
559632db91b16c7d6f4e4968847cd7e4

SHA1
1a24c2d4a23869fbb2560b56d0c37f79c3c31542

SHA256
668f9840115fb98ef4141c04066a45d8ee691299c0a5c6839c159ddf80aaecf3

SHA512
175119099b9b661123dfc5644c4221891dbd924022b824bf783299dc7966760efe7f1f50ebc1b3b44a72bd69679b3ba0353caa212f92f625deb2dbc802989a43

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ef30fe6f0f03314226098ac47b927c16

SHA1
337760802c12c1a46e6061dad197a7810b4d8543

SHA256
0d443670ed9173e6bc5ab118879ae53aa42cdb158aea08ce3fadeff2804b4122

SHA512
936a43b6aff474acfd8fa685b4adf19406d33de06437b77c0a17c47be1abf5aa012af3bc77cee9aff2832c1f534403697ee4b4ebb4d6b2edf7c38add35e5178a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d1b30e367839ee7b0b8853e0494aa879

SHA1
3cc9034280a73a9db2bf287d0ca8ad261900553e

SHA256
ec097c17f31ea96dd4d86645393555bb2d3e6c475b657a15e6330d86a4ca4c89

SHA512
8a1d91a0e239b5a57404c71ec20ac57b40cad6b5b8017716a2c75b5461ca1c882303a906fe08d5ec00172c90bff361c0bb72c483addc94937b765ae7ce83df55

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c4fe463e2975180edb5cc5ef56671980

SHA1
a6ba52202082ead464a79080735120f818902b4c

SHA256
dc513052f431c20c293d1fca3175c76b8bdc002a066a8b2754c1d2d2010df057

SHA512
8bd4de143ab8b77dcede0bce60e5f2e8580bbe142aac44b6682c6befe1176582c48475b2151742f299718d6818a260d1e634bffe471051130348242b31912bc9

Download Submit
memory/220-296-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/220-406-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/688-237-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/688-70-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/688-76-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/688-78-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/808-394-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/808-285-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/924-328-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/924-515-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/964-608-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/964-415-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1224-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1224-256-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1224-268-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1748-383-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1748-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1984-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1984-38-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1984-29-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1984-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1988-14-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/1988-12-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/1988-6-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/1988-7-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/1988-0-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/1988-8-0x0000000001F80000-0x0000000001FE0000-memory.dmp

Filesize
384KB

Download
memory/2044-368-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2044-380-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2128-25-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2128-157-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2128-24-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2128-16-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/2408-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2408-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2408-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2580-440-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2580-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3592-299-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3592-418-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4200-583-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4200-345-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/4220-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4220-310-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4220-439-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-600-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4316-359-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/4512-382-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4512-270-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/4680-427-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4680-609-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4744-356-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4744-244-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4744-250-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4744-252-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4888-333-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4888-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4992-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4992-395-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5036-68-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5036-67-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/5036-63-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5036-54-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5036-53-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download