76b7e5391dc684a6ab61260b891fa7eaa40b924f67ee42f307840ceb5e22442e

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Size

1.7MB
MD5

a650c119fb5e3c9c5e9a0e07e29eb5d0
SHA1

f2755e2ee53fc04c538b710d3f6390b15e418f89
SHA256

76b7e5391dc684a6ab61260b891fa7eaa40b924f67ee42f307840ceb5e22442e
SHA512

f0a1b576f1824c645fa13746dbcd8dfddc9a19cd25c1c75716c6cd63c9918b6354a6154a6d1b18b9b61b190ee9d4dbce31d26f7aa56ab34f4ad799e8dd639aad
SSDEEP

24576:2iBE0zqwXeAVmYasqjnhMgeiCl7G0nehbGZpbD:Ge5Xe6XuDmg27RnWGj

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
4456	alg.exe
6080	elevation_service.exe
3932	elevation_service.exe
1040	maintenanceservice.exe
5788	OSE.EXE
1532	DiagnosticsHub.StandardCollector.Service.exe
856	fxssvc.exe
796	msdtc.exe
2860	PerceptionSimulationService.exe
4332	perfhost.exe
5280	locator.exe
1740	SensorDataService.exe
5464	snmptrap.exe
2272	spectrum.exe
4556	ssh-agent.exe
5880	TieringEngineService.exe
5060	AgentService.exe
2640	vds.exe
3812	vssvc.exe
4884	wbengine.exe
3452	WmiApSrv.exe
4816	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7633cd04240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002099831f4602db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c9d261f4602db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d74d371f4602db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a23b241f4602db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d519f204602db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000536eba1f4602db01	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe\""	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
6080	elevation_service.exe
6080	elevation_service.exe
6080	elevation_service.exe
6080	elevation_service.exe
6080	elevation_service.exe
6080	elevation_service.exe
6080	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3284	2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
Token: SeDebugPrivilege	4456	alg.exe
Token: SeDebugPrivilege	4456	alg.exe
Token: SeDebugPrivilege	4456	alg.exe
Token: SeTakeOwnershipPrivilege	6080	elevation_service.exe
Token: SeAuditPrivilege	856	fxssvc.exe
Token: SeRestorePrivilege	5880	TieringEngineService.exe
Token: SeManageVolumePrivilege	5880	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5060	AgentService.exe
Token: SeBackupPrivilege	3812	vssvc.exe
Token: SeRestorePrivilege	3812	vssvc.exe
Token: SeAuditPrivilege	3812	vssvc.exe
Token: SeBackupPrivilege	4884	wbengine.exe
Token: SeRestorePrivilege	4884	wbengine.exe
Token: SeSecurityPrivilege	4884	wbengine.exe
Token: 33	4816	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4816	SearchIndexer.exe
Token: SeDebugPrivilege	6080	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 5624	4816	SearchIndexer.exe	128
PID 4816 wrote to memory of 5624	4816	SearchIndexer.exe	128
PID 4816 wrote to memory of 5436	4816	SearchIndexer.exe	129
PID 4816 wrote to memory of 5436	4816	SearchIndexer.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_a650c119fb5e3c9c5e9a0e07e29eb5d0_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=944,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:5740

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:796

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5280

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5880

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5624
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
411d238478bb0ab5a855872c816f2481

SHA1
fcd2689683ce842639a8d1478f6fecaedfe6c3c0

SHA256
8942ddbac8ea4da801e974e56b7a21514d91c8c0bb91fbad18a7bdfd4ede71db

SHA512
378012c2703806e9c08b060f0dc5444daa0f0a1d08b02148dad1a61b02c8d3501fd23f9c5fd5d4903d98e5f784007133f14eeebe3741f577d8f4f6e81c12db44

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f558cfbed5097dc7c141665defe1d242

SHA1
822307f69a3306fb7f753d295f3631faf4217390

SHA256
71acbb9aecdd87b3a168fe04c8dd5f15493a12014322f2950cc2e59867167a43

SHA512
758606b180536436dc53085454183103e818c774ec223dde267603dba5808aed0de5a7e87883688ef473c3baf45cde7b5aa5addd32e8d4ad41f6bcf052bd71a2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8cc29d2c19b22f9dee7f2d33bc19ec92

SHA1
d174c9b6de9e745a3e34e81ff7995bc11f3f80ce

SHA256
d0eec8d2c52d6d4c7628d85f8ff9f8717ed6056bd96b204df2ebfb3e5922548d

SHA512
5ebc7bde75a5600e9db40f0991452fc5980dd947612448980069aa24031e7fa2ddbd432478d311155ad17bb3e5fc15c1b6258bac1fbec74a336a913c1a7b8af7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
eefc32414540266f37290af753f88fe0

SHA1
dbfadb8a8e947622f2dc937d7e4ddbd584a0137e

SHA256
a74f74efdf67e10eb11f943e90097baf80b911bdf3688e80822f9031aff220e8

SHA512
c7cc0cd8bddfc6b87a39b20faba1a1172ebcc73fdba32a72f13230f0f6f83f733b17f0da85a7d44bfd0cc615eaced2ee4542b95df2de7c3bbaff976bd585398f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8ab3179e267e893ad1f736cea9312b7b

SHA1
189f282299c656063fb522d4802c2931ce11a50c

SHA256
a0bfd8adbe8799c59dd550f55b01f7f806abc1e10cf4cdb6b83558f71fd0ecb4

SHA512
9eb48453d92f520715eb52127c785e8bd46cbe7a5a49f9c6798bd92f4431992df3b8c079d232d6ca524a273055c11c9ec2aa3688726fe4de37c2aa4b9dcdbf3e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e6915d197b9f1074dc05eb831274b10b

SHA1
c37e4b999c4537763a9775441bb4476149fdc68a

SHA256
a9560549ec08f88a0813a8fa98a940f9f3a73320dfa70eb48a819baf72a242f7

SHA512
40c50c12b91c8c0b86e6d8e99f9ad00ff17cd4f8b200102782168ed628e01c7287abe3455b0aef994f2abbdacea63d57a5f6666369a08d6c51c47ccc1af4c0cf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d15102cc8aa8bb8b291e8a80ff3b815e

SHA1
25e0a6abeee1fabeda94b6774d1fa8364b9fdb05

SHA256
14b26ff27eb58af16028b9d0bec675a9c11e5f68330868f36754b6fa9ba1ddbc

SHA512
d9feb60eac1644dff73f9b9ab715f2c62babbc06d1be1032de2ee84e9e8c99437b803b59789920bcddc50883ff3ec0b6d99b01b6a457c3ace20036b5160384b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b609c0613ca25afbebe586940b7f3f70

SHA1
d7952bfa1da2d629a960f26a9005d7341a082bdd

SHA256
dde819f4ce8dcf1b9aefbed8ed540b2daf77a524b22c87f02cba81fe1965b64c

SHA512
e84f69c5f385dededf371df4d0fd6d256c06c894de46922a7dffda6999e7a3a35b38189d684747ff6f3f47be0b916eade12cc2b65451ce8d72e05f48be26a876

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a2f8079aef3bcfa06a8bda5cf3fd1fff

SHA1
a7618fb08edc6a0e9a752e323ff2206c1ce7ed1a

SHA256
b39384f947e09f208b44a6cad4c3baa2a150e59a8193b7d6ec55cb6a17c0b41c

SHA512
02ff40d820a56655c81eb9a8e5c8d876794ce1ade276d0930cfe2d2862e9aa7777d73a76aeacd931f35e92bdd790b62c214ea667e68568ad5975334d6d4d6e22

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
90b08b293b5997044d57812c0d1412ce

SHA1
879a5780335a102ae91948d0b483c96fc3d49340

SHA256
a3fef751677505fa502820d360beb1196879a361df6759f7100059a852a4dcc4

SHA512
8bd8b8a52557cb430c06b6bfe5ff017a7dfd42c8f954d6b6f69f96759b15959c55e8634769f47cc212671336aede3802778eebbb9f79fb7fec9026ababcf8a9f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
77208185e5e8ab77e1c3dbcfb5c02ffc

SHA1
a53ac45e9ca3e0191abc3f384723d8915a7a8152

SHA256
937fee816643456edc8b4f7a2e67dbafe52fe27e3dd466d49bb2fc3ad7a91194

SHA512
9748c415d23642521dfbae89449642c81c0f00204c2c2a4bf3592cf77ea8a109f2c4520c66ea52fd88ee2309b65b154be916b651fd49c14688a9bce15da0ec1b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c71563f3d3f6cb355052dce0de64dc41

SHA1
3cd243c64c2ba26fc2c05830e412a05e911b5628

SHA256
113a998a5b24868cdef57721f110d9fe1c4ce3d46ce82ce57ebf8e9f1589b82b

SHA512
71f5c4e760c47b03c80f0fbea26b1861c3ad33161597aa8aa68fcc4ddf49ef2374180c33ee1bd1bb4880c1ecf2dea95947e5e861ba381cd69c5d889870465603

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
678d7b441931aca2ceae06d10b8bb8f0

SHA1
8c4071f086cc0122fe8c50ec8d4dfcdf57154163

SHA256
31edd5648ee87a788bcc734b9b4e1e8a1a52a1c194656e4e839ad5cd95ecf103

SHA512
9e68c83942b198422acd2008c803d691956f6d18ecc744c635d5cbf3cbd4e31ad6c1e309027e2477f72d24649afceb82ab6fdec3c1e3076aa5419f7c0fb7d326

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2d121b2120cd975c8af50d720e044c86

SHA1
107133acff4f55e2ce242403ac100c202b924382

SHA256
9696e74ef764740c3eaae7fbaf7f600b5f43f47f1a78810ce129c5a8e1573d59

SHA512
444fb9c22aad02b21a7a5aa6ae395cfda8d84b2964555ac5ffffa923967e379b8f29d749be5ec70f6f7606c35e42b60eed326fe907f6eb56d92f90f5f10f23d8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
de929d9d51a1e13f2e5c4e24e69b40ab

SHA1
480e99026ca7b42a41b13aabad92d596cc1e8331

SHA256
81eef5e86a8af132d573cd88adaf2cd5d32b1fc78c19cb832b9449842ee0fe73

SHA512
801e607b2829a9a364c434837d494f28eebc8b4e87bfdf4fd5a616dad42447cc2a4aad6715018d1f8c2622bf6338c1eaae3c9b61006e7c4fa61a8ee3d7cafef9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
5a9f9cd9961e9868b38082ac19f6d21f

SHA1
8cfda5509d908e2761afa057bec0ec787f59717f

SHA256
ec12f0ee3c7db8399333209a848dc902a2fe625060a8122be60e8efd000ee56a

SHA512
a8b122642000ba9a43fcd6d6f30464ceefe6b198ab0a08f81960b9490d6856eb7e864a08d215d9b473f16a056750d6bc20b12d373edae76a1845aaa3975ed452

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
be87c8f639b66dca3755a1803a3c00e9

SHA1
624ba714898f5125d119c1176179c8a7825404dc

SHA256
84fb81ce83f37aaf36bb0d0e9a3ca5045fd7a511a27956c7c498fe275f13bf5c

SHA512
0d37f135fce0fec0966cf4df747b051243eb0efccccc37f51cfb995d5f4ec19ba0509a7706a8f1fe4a98ea49dd413a3ab51eda4b0336dde35d30a79c73be35c2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
6216a9311c6f210071a94586c7667f32

SHA1
b62fa1fb896ef148108226773e93454f6f9b295e

SHA256
7fafcbdf1928f9a1612dc586d384eee008543eef172a111368da003584b8e366

SHA512
98f505a75892f3346ff338ba3ebf0f13435c95b69ee599a63faf785db52cfc80c4e4535a1316d3f56fda5834acbde45b0b0773f44610971eca45c80c4bad8eb1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
42be5ca3344cf575905a2412b1f73cf2

SHA1
06ccee27832c8183ca5b1f7f31146bc003885457

SHA256
ff0f546f59e0b0c51722d987df9b6699aad4083c4e6b662e4035aa3be25b9e8c

SHA512
8d433fc19cf19e837af816c91dcca3f06abd8a1578e9956e8943eccd9e7d8dce066613c6a440f4d38b734326096557d3848a9e839f559b64b225cca56b95e283

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fd97d4c67a2a74486157ca277ebb01b4

SHA1
036c967843460902b467061730784b99483a08b8

SHA256
9ac80063a7956093053afbc0fd22899515c34a62227ed95103b38e68f5517b43

SHA512
1868ad5647a37676b8b6db1bc7901294e38e61c1c056e026b7b65ad800128ae4cdd063629ada7f0e85ed65ece44337d2595bb685acde8fd16b42024d6b7d6e5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2d18014e234bf96ff05628289f2180eb

SHA1
6cd00c21c4e17e7d2ca05c3f60e7acf59621808a

SHA256
83e947bc9957ff7a5f1ce5bcfcd4f829358c156cf9856c181131e365ff03081d

SHA512
cde8c9b2ee28c8b48bfbbe45b28154f782d433138bcf8015b2bb165128e1a0daa9b2482dc2d4288f9322d633c763b94f66867e4beca60646707b0785c7f179a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7da0091a905aaa51abd84afd8e4f1c0a

SHA1
7f532eb83cb5ed3a4f08184cafd3b399f972d9f2

SHA256
91582b37fd341b569d460bebf007a5b0b6ce870a8a8b3bb6a1ff2d00fc7bc7d0

SHA512
089c9bbc96b1333964c5ebb27c49bfc78aabbb1ccfcf11b5948bb1281f84710a9cca676d110022d056ec03170ba0f76561e18fd751b38f4b26a328c09dd08aab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
000dc54c022b2aa3e48e81f92bde1c1d

SHA1
d463b69babc07dd22d26256afc87c1f11c18a2f7

SHA256
2a139b6aea4e1121118da317a56b9446f2143055d75aa9af0745fa517fb399a3

SHA512
e635eecd6233a38860ba61de9a350ae66a1500d9e24a8835a485bcd8fc794d438824bfd2ae84b3e7b7a584cb286bf39a36bab822bc7d28bdc2afd42a1608c144

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
00162bac4b161ef8998f5b853e2387c8

SHA1
faf60da71f95be653a0aa507ad55b83d0d899aff

SHA256
f791b14612fe3f017856e148a6f134a44d9b8f1ef88f956b27065f9074ad8ffd

SHA512
2208afd86f42be2935241e51dab4609d3f885fa531b50f95c1c40924761ddee8fc76917d6e770e1100bc11ded414628fa0decca4cd9fa5d94eca40e3ab62b0a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
504a6f590c4043d7b3b4f2bedda328df

SHA1
010c817f3e6b893e12e3ee9161f26ae0fc58ef31

SHA256
819f6141665007f1c6d49775a93282f6d3c4d3cf61500bba198f097303c38ce7

SHA512
ee7f1370385b93e0f5851ad2e3fc3b07d2397b68747d976ba64c02dd9aa0f01064a29d8462d7802fcf02bc2e545908986eb1da1fdf947bc06ad45a5eba16033c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
39d5f363dc2d8916446930a71ad40f45

SHA1
dc09899ae639fa62cefd31a309e4a2ab9daac423

SHA256
c7d58d34f6f73000414865b371017e9c64bc68aa406f4ea41ef297966530fb05

SHA512
e856cec051e26f43b7db6ee08818c3fc997e316e411c0bb007d4e867464dd7e87e4fc289db359b3d609d1ee3bc4acf48c89ddebf6f8a754c32be527e3465b60c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4f0ccf4dade48bdc79e2f5ac1718bdc4

SHA1
7260d4044a6e8ecaf8d3a7235e3f74c624d508d4

SHA256
a1e7d8e6a8fc94948b38e75e5824f945f7afed10d24dee1244fd815ddffcc90a

SHA512
36ca9dcc520d8dea27ffc9d84edcda8b1b0b8ee31f50f56849c9e75504fb6de4b91bf340c5681e64fd7de5749260a0e20aee4b7a0eb21fb17542dbbc01b2eebd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a1443e319f6ec05da64bc9bbb76e571c

SHA1
b772829a56bba0ace46be1819d64d0a8c1b6f9cf

SHA256
57149203539ba7e099dae89e6c21abb6af5a936fd78c51164f26fdb304880373

SHA512
7759e8899dc021149bc3534d39bd61753f45ab4297533ae178d1641764c0a2ef6e36a286ebffc94a271ea3f8e23fd724f182325c4878a06be124bb152f1b2acd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
84ee97d3c725ef2a360e497330e57fa8

SHA1
e78af5059035f9520cf0535df97184f3afa82d55

SHA256
5d7de5ef795d4b6f69a11c31a1bc7ba85f18a6b320716a5b316a20b434f5ada1

SHA512
d701eb9ecd572b32ad37880c0af9bdf4a3fa117eed4f710befc116afdbd3df6078a9082700880eef4bcf772231bbff70f9c712708aed3ea165ab9aa480d9e6f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4ac5b267221e14768459461ca66c4a7b

SHA1
93eae616b614dcd99e7e9c02f4626a30b798db4a

SHA256
f826db4fc9a4f9903eccea6172083062518a44d0bd58bfa7d8c24b01d60706f1

SHA512
bcbf7f5841caa00578b9ee042159a3edb9c3891a99bce167c1bb74d56a1a519601b98e4ca53b0029537877c42bb65b9feb9d504b98f72e92169bedab8b7b0f61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b3a3157f1a8fd470576b6b6855581244

SHA1
de4a5f6a032fd288c645387e417a6929ca597368

SHA256
f6885d27b7cb6417c46f7ef651ac812ee9662152f647631455db721b30f48bd9

SHA512
901152da4a81b41bb6cee3ce2b8e5a8812129823d5f77eca3123aaeaf667706bbaa6a69cb8858c7c6e9bffea76e08fbc8607589adc99322c8a97ce44f36b1f2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0e794b6c87d29885f9e9c715bbaa7f36

SHA1
bdea37253a5ba0e848e62c5fe5ca4e67f599f0af

SHA256
cc16cf19cebf837846dbde68354958c8c024bb791e3d13ffb616dd449df1c98c

SHA512
4824a0d2874141dde86d064cd86d0c49495cffe91e79c0022d4e7215dbfc8991eb441bb82d540b7fae7fd5108a71941b0d7710c81de2a81b8ef58fe2d4fc43ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a0e9efd6cd2260f8326e94a34465bda8

SHA1
13fdece85d2fe9a9cbb24683ef3047053380a104

SHA256
90c244c49b5dc1bb5bdfad8c06e2e4f6647af34f172f0a74bdff5b1d7ead750f

SHA512
79191e434d6e93aa501e32e5abfd6de02621871d0200a5f8808819b8d1b08e73e078485c23b8123cd9e36ed93d14d11936e47fe36a4d884e214e660d9a5b727f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9863dd296fc46f78da024405d52e7d39

SHA1
6b589439342bfcad91b55734eb811c4bfd46c17c

SHA256
9aad0114f4b2015dbca782bb34858503d089acdcae4b5ec9fe962d4fda2886a8

SHA512
37b7a1e3722010b8dd0926d1a4f3a2aaafb569b1b7cd6d95f5ccc6579516ec8eb572fc2f05723541329648b1f6b9a63d12ff984d76bd5793109ac8aa8042fc75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
37754105e55c21b0fca194ad4fb84f5b

SHA1
cad5dc113030e4c60eb7712daa3c04eeeb834a0a

SHA256
bd56d4e7a5863f355d897237af186e51a22c0bd277953be77bfad8de46932dbd

SHA512
83a98c3b15b55a1f209a2e7d4ddf6100c6a5ac57fdbb56646d5b0328ae4218bd9b804f35408fd06665b10c0fc00083b09499c6af792dadd977ed4b73ca117139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e9ab2b93180d158903afcf98e39b3042

SHA1
53a7ee8883d9e62f941bfe0780fec94adc06c417

SHA256
bacc947d4554f544ad6b5512dd41d3017baddc7d949d26eedb9d7e9db790ca01

SHA512
95b9864b9e35b67d6feffca26e81d25d0485e9944a226d937daefc01888bb9d0f0653a854ccaaf7dd3b82b715b93b87054c313b3a4fd6f45f30bf61a6865fcd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f16317c514fbfcba226262dfa07cb623

SHA1
7002975de1114e1a207ddf74f7f55da1c683f6c3

SHA256
d554cd47826175b8fc78177b94824b71974b9e85c00ad4f20030480dcc44d23c

SHA512
11e2301946c8899f41ef1f46ce5c4d2b0d2225e79a79f6959266f2b8dfa3f78c8d7ed7f553d1005b2cc05a1f25f8efda68d6c1f5200572f2fd2a583e736ad7e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
f3929cc0c046ee37842edcb05d101995

SHA1
9026942faae03847e52c089db390c0677e392916

SHA256
05e8ddafcdec811266acaf166e5e51a47c52b747e42536998c48240acd41bfca

SHA512
df1f09b99b267ebd68ec0288b9dc75e7469ed94a6762d9107e223c3bbfe34cd1bee52a734acd1b8e275c388a3fc7fdc736763c12a2dd4ab1c167163171c47ccc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
e20abc6ad584ae3ae5b99e91a5c42b26

SHA1
db83b1011a94b9391c207153a00eed20f3111e42

SHA256
5daf9e3c5743b8746e592ce849e398918249cd413293d7eb5d39728c1d290fa5

SHA512
ef87518d32916e93177d07ca1527bb56e2e41ecbc6507ae1d3b26aa63c16afa372f49ebfa75178e577104b2c81ddbfa012edf847c71756a0208b1c2336560715

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
66ab3ce723427b3ac8451447f186e553

SHA1
829268dedeb834ef2fb32b1ef3925804a1e85938

SHA256
40278d04acb722657a9a6c1460683b4e540afc3bcb21e08e39cb94d96a14e9a0

SHA512
087b857acea8eb9080c17fc989857deed141b253fa87f7b2b829bf2102d82c2f52ead9848b2f6b5ddeec5257db6d9055fa6aa076e6dcccfc3e1cb5c1403d1b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
32d44fe7abc66e0c0e3289f58f379dd9

SHA1
21b501c07b4f879430d0c4f57b7489aa8fc064d2

SHA256
494050d5075827826adcab581876ecc59f78c4c6331c22b2af7134bd8d94dcc0

SHA512
c2a8f54d959dcf60b219414c94e2dc4966a251b2f04f610b7f584f5b7232d36d9313cf24e0facfee11adb33a5e68bc98a560a009f7efd3918435f7d5b83cccca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
29d2b8f7e7d4d216cf952068d3747d79

SHA1
8936788ca300f18ecb140f18cfa699c2a8c01acf

SHA256
c80eed4d10ab05a0d7d08d9a8a267864d2d905d3628335d80e5a48280db861c7

SHA512
577a5941db77005ea67f0b1e7f19597171d6c2a3706014c6ac02ba97e8e86ceee33b8a0bdb5eb4da4e172d69eb6161568ec089df09d8164bc588649277e2acfb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
8aec28da0cd8ea317a458ef5c966da12

SHA1
7f81bd4310f6468cfb37fe60b956e1e7a2c385a6

SHA256
2976b45a899015859aadc3e3c992ecd4d418b5d6fad904131fccb04859b40709

SHA512
2450fbc72f8880e5484949bb0bc0a568fb5409a75f1d4c00eb0460d246346449bc1350664b7a21926174788674de45d53443448428b708264ae7ce4083535676

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
fe72f12aafafac19b401da8c981584de

SHA1
069ddb8b25fc523582d225551e1b2191b3ec5a6e

SHA256
0e8732d36e56b266cec091c1133846029ae1e51f943acc8fafcf03c13a312b34

SHA512
5266884066f3dc7fe005e548712214bac7351bbca46415bb310abc12320cc3f15e1ed0ce3467e77d46bf540af480b5844836f184e346c89f9bddcd8e28473dc3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f14861cc96230ccf86efc3a27dd372dd

SHA1
12703c3ef17cae9eab4a04e5603491dfe17b72f2

SHA256
5bf7e968525b7ad439db01c04974949a705664f142aca60174a14b21056120b2

SHA512
41a478b9d2fdcc64dbefe58c205975763d1a2f26b489994a3f9ffcd58bcc1abb252d3b02780c7d299acf957734b4ceac362262f8069c48a1082fb898cac6d520

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0a5c7a1f9c860cbfb272ef6ce7d7272c

SHA1
69aa09f63bb81842ce15bde96506ec8b0e4395bd

SHA256
8c20f5b68991f99cf708ba07be58f508cd6de7ae0e76696f17710b20388322dc

SHA512
67ec15fafa2706f5d968ed4c3b1a129856d9353a34be56c85efba8db4505bacdee421f11891fd0b0c4e6874728030b4df66187d94df57371e274671649b051da

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0a0671a43ef1cc82938ab2551a519920

SHA1
c8a22e2e079d7d5d021dda1b396f16766e6bd828

SHA256
bd0e9a8950c6be6a9877e9343bdc6554bf7786390dcef9a1e2ab8a9d842bfc0a

SHA512
48d221416ffe68ceaeb155e224c09928c85a57cce5daf2d191b82796d1ad608ab5d6a04d5da3e09dadaad4f767a4f709fe525833a383541d433d54c2439bee8b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
129656a2ac263ed0556232e191f6c926

SHA1
72260daa3bace1472d92dd9d5909eccefa190291

SHA256
c3f28e73907b85fe1c00627a29c697d346a97b759c675e0ce8b338bb0936f199

SHA512
8f71fe74d8891c69965510086c3bcff3860ea05a7dd4e89fb3621542b5bf99cdb181197444fc22f1dabd54e88d6d1055cc19fd356c1d1a1580dc95be0ad66516

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
51a68b6a27ecf15e45e6800270be7e60

SHA1
9a2c77f3bb4b1d6f0400203f1dcfa91a73d435c5

SHA256
2699846ef88eea433be1d70a6771107cd84162d79718b549e8b10e8b2bd91433

SHA512
3d01721076891d4ed0c756d560e7f164a2821b0e4d523a11a4b2e9be4cc4407b51ad82a0ee0f62b4c1cc5cee6445752e050100605d66bf222a7422843ad3ecd0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
a7cec70d17243199ecb0c862ed8ab334

SHA1
796f52c8d1c63856e7e824c795d965be477d26a8

SHA256
9eb4373762c31e1017d2200b763673d592cf516130ae2bfc0eec94839e25f8fa

SHA512
6491a07aad5fb6c22b3f6ca50c844b0fc21c4105cf0f34ff8810bfa42d7587ee723022995d9bf8acc29d501f0480e63f345eeb2bb3d48105a06234e0d3518cde

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7c66fc120ac6758247715acec8616d17

SHA1
9f2921fb1f6738decb64b5dedfe2eae7272a6dce

SHA256
eff4250c0327b26749ebaa1f8c66fcb794339919d9f43f1694ea4175a9d8c1a4

SHA512
8a5afe3c862832727cabfda2297cad07b1d0b86994596dd16ed3d4ae19fc18b46eeb767d3231ed99e8449533847914e22e9002822284f23a59a64fc2142202da

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e69be30193edbbe6b0c056b1ba4a1501

SHA1
2d9c002254b0804dccd500cbda9441955fc630b8

SHA256
5198956447bc92a96925208c0e6363f9fb903b401a3d2d38bd63880821231f6f

SHA512
8c915e336a4c6c7ec6f560d2512b015a60622d8ce0224512fd59ff569028a27df5ab8d8d2beadcc20655a593970cc656e62e003c74d6ad1601feb94f680f68d6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
56ef1b3cd017f0303f32fbbd41703d81

SHA1
fb14fbf60e67007812233728f20da83b408fbc8e

SHA256
95113a25106d833227029f38278032db2bcf7f1f108b1a6862ea78860c8fe02a

SHA512
cdfb208025a5efbaab461b89f164ee0131df26e6b137f44189828351ec6bda55dbeb60736d19e5ce3e739259eecaeb984d19990b087c05243eca00351a3b77b5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d7d215a85708a5498a5482c1ed916fed

SHA1
1c7a87407db11f3afd44f9f28c61c165513f6c9f

SHA256
e96c5e5baf33e70db3183e0093ec4bf397fa649ca9d00a66bb98c171eaf0125f

SHA512
36cc842800594717f8e1b002ab21758adee0bd755d1bf10b33a46c00bf659303d57104895c9855d03bbd8a4739f8cb66f6f6e56abe0efcab2aca7175ac554306

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c53ed62f88ceec61e9408acb8a83b611

SHA1
c8707e6046072363ac7d017b1c27b9101886b27d

SHA256
0aaee50b5868bd5f449d90280fe8ebbd5f7a3a3a90395261fbce7e0e291b80f0

SHA512
6f8483a19268a515ccf2f3c7d0c2cde8ae674b8c98462b048b627d0535785e81e5f89c085380bc5b3c6a339839b49f1df295eb86b1cc6967d573de6319d8e3cf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4bc3f6cdb832c287bc53d3b6417e7ef2

SHA1
da716c0c7eadb943ce85147f67c70547cf77e42b

SHA256
935e3dded81421a95f4e2418fdefff3fe214b7a50d35bb2137b2348c7bc9407b

SHA512
9c1e8046cfd73aac05ae616b43cd6134213a318f6e2af1d99189e327ef3ada376a43e461a4c8bff3d9a76ab1f75107fb8d370cbf5e0eb8dcc759d51497f16842

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
12d4850a6fb31785bc825355e22148ff

SHA1
205a622b97353822017def3676368c02e86a8766

SHA256
1ebe4f3392527d61aff062bdf8b3addbd6e56dde9ee41c4871992108a0aee9bf

SHA512
6058f856c9d92e22b40bb2767ba28077027387afedb6f064f32812fc2498a012ff3a31294aa6d07c32f252535f34abc77cd49cfd54ce7c34fc32830cb61dd7ab

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4c4dea3fff95e8557cfe5d77cf27af3a

SHA1
8f63f70e3c8c1fd288d376d3270274df96613259

SHA256
8d4a0a038064dda6b9fbc1e54a4dffa7fde44d872c734723bb1cb48efd5012b2

SHA512
d2b18cb6c9a079df42b68d20df1ed87d2b88cbe00f5af2a5b9dc7230359f6030a7a10395783a4203c5cafdaf4648519729c1432feec5065a6340777b07214e55

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d45194e95b9eb2b2755c2c2aac7048fa

SHA1
feb87f24ec25f092ea8f8a3d2dfa8710585663c3

SHA256
7264967de88d8407eb1b8c0cd07119fa777189a9264279d0f9d676dd9b6f8cdd

SHA512
bf9479184827d4e4d42e5fd187192412c7fbdc137e0ce75273b4db978f31a8937c743a34e5e15b66b9093568f4df570b9013a503417f3b04bdd3f4c628111e5a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
62a013945636c8c10b16f9f159664184

SHA1
a51c385a054394ecdf674f7de55a87cecf1af074

SHA256
f5f54f1994a54acbfab0fce1f7bc26c92d79091c496e45ad2bc0bbd1e7e66695

SHA512
4162279078fa6e29ab3dac81218b260d7a26cf6d0a782b5f0edfa79a1890e62f04329317cbd230e106f0c25400727d01690acfcc74ff0f88cda2489e44a0d810

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b423278023fdddfc96f2e6b7d0c61576

SHA1
dd685cac9bb59cf0b8bceb02f5e50efd1ed75b66

SHA256
acf18c53f8e260b772f94ef5bc328bb98be88f53233d472bac1295b27b06b66b

SHA512
b713cff511cb005e15642a06b1ebb499412d16037f2d2925b78bfde38a4ee3097b64c367a56cd67b758158db8c7ab0316efe8ea572483421b154c6e182f4eb92

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9d5806c9b66e37731f459be49d27fb76

SHA1
249821692ab9850fa0f38676f918b3e2724c43cc

SHA256
304646f272d74aa2f3a90fd593e7bb84ff90c3316608bc3976f80550abc4474c

SHA512
d0c6129b7d12b6b1aae408961af6d4c8f3f8cb40cbbd14892b895a9a1106c5ea8d6e60bec671820715bec1cbca392028653c6d40e52d06b8c9323b62aab899ea

Download Submit
memory/796-381-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/796-268-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/856-255-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/856-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-269-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1040-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1040-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1040-61-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1040-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1040-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1532-363-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1532-243-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1532-250-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1532-244-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1740-525-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1740-438-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1740-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2272-517-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2272-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2640-672-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2860-393-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2860-281-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3284-24-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3284-8-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3284-23-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3284-0-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3284-9-0x0000000001FD0000-0x0000000002030000-memory.dmp

Filesize
384KB

Download
memory/3452-680-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3452-426-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3812-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3812-673-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-235-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3932-41-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3932-50-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3932-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4332-405-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4332-295-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4456-196-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4456-15-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4456-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4456-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4556-526-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4556-346-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4816-442-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4816-681-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4884-676-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5060-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5060-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5280-417-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5280-298-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5464-514-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5464-328-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5788-68-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/5788-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5788-236-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5788-74-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/5880-364-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/5880-533-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/6080-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/6080-29-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/6080-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/6080-231-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download