475dc5a17496e8ef31853d080902fcee92fde5d5c8df93c8f95fbb8d82460249

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Size

1.5MB
MD5

b2a2929ff16a5f07d021f3cec3f1ec09
SHA1

3bd04f0ef6618bed71cb4ba757c7ed5f7503794c
SHA256

475dc5a17496e8ef31853d080902fcee92fde5d5c8df93c8f95fbb8d82460249
SHA512

c1d7f8faab7750bc49dbc4b8b9ba772c3608e1d81464f536900c007648fa054f0ac49aa5254321210469992ae0e044f656b1554833217f18f0a54cb1ce534d72
SSDEEP

24576:I3oH6mhNF4Xx7AMsqjnhMgeiCl7G0nehbGZpbD:KoHRFEBA4Dmg27RnWGj

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
3744	alg.exe
2428	elevation_service.exe
3208	elevation_service.exe
552	maintenanceservice.exe
4780	OSE.EXE
4760	DiagnosticsHub.StandardCollector.Service.exe
1052	fxssvc.exe
4284	msdtc.exe
3312	PerceptionSimulationService.exe
2984	perfhost.exe
3368	locator.exe
1460	SensorDataService.exe
1704	snmptrap.exe
4008	spectrum.exe
1984	ssh-agent.exe
876	TieringEngineService.exe
2944	AgentService.exe
5004	vds.exe
4908	vssvc.exe
1896	wbengine.exe
2600	WmiApSrv.exe
1604	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d886c219d1b02b8.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002135d97a701db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028ed3697a701db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5a9f597a701db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b497c397a701db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a54f3997a701db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c433e097a701db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe\""	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe
2428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1904	2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeDebugPrivilege	3744	alg.exe
Token: SeTakeOwnershipPrivilege	2428	elevation_service.exe
Token: SeAuditPrivilege	1052	fxssvc.exe
Token: SeRestorePrivilege	876	TieringEngineService.exe
Token: SeManageVolumePrivilege	876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2944	AgentService.exe
Token: SeBackupPrivilege	4908	vssvc.exe
Token: SeRestorePrivilege	4908	vssvc.exe
Token: SeAuditPrivilege	4908	vssvc.exe
Token: SeBackupPrivilege	1896	wbengine.exe
Token: SeRestorePrivilege	1896	wbengine.exe
Token: SeSecurityPrivilege	1896	wbengine.exe
Token: 33	1604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1604	SearchIndexer.exe
Token: SeDebugPrivilege	2428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3252	1604	SearchIndexer.exe	121
PID 1604 wrote to memory of 3252	1604	SearchIndexer.exe	121
PID 1604 wrote to memory of 5104	1604	SearchIndexer.exe	122
PID 1604 wrote to memory of 5104	1604	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_b2a2929ff16a5f07d021f3cec3f1ec09_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4820

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4284

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1460

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c8c8b22e4d4d0cbe7b2598a24ee9ba1f

SHA1
beac7d073cec3bf306f94ac748a3abecda71ae4c

SHA256
28742e4b5a95aa3e70e3d506659186b0e17a37529e6388190a8d0171e5d2ffc0

SHA512
d14525836d94b03031d2fcf4b5a557a7521f4b681f0d46dfdf3484df41427bad169665875ab07fab9cdf217488e6daa55b3e82ea432539b7d04d0d17f1b88487

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0e219dd2903f50a464756f9b692f916c

SHA1
e01fa3a3cbe3c105a9d1d5b227575419fc35c8f5

SHA256
17d2bc6bd2dc697d8c37d2fe4bab773872e144353f483e5f433d10a597817703

SHA512
ecc8190f0a5cac2a5f9069c05eed3500c64c4dc7448443d35b005e2af9f96dc515e14eba271f3632ede343938ca11f694d11d870b43b7250e51fc0817d4c69de

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
8730ebfad66630ef81ece62bed23a231

SHA1
a35526d5c879fd825585624036790c5e6038eaf4

SHA256
dd30811a0e1577eef6fd47c4c51591493f9a397d5c26cabef1d7bc6ce736abaf

SHA512
cf2ae773b74d3340fb123110c16c227af7513289ccb88d15376e0f9e5eb982e6e6288d3d4d9d608943ec011c7d110dc4150cd074b1ef1a09ecc11913984d6220

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ff552d51c38c17a6c166f6df83afd3f

SHA1
1321e2d3a998b093c8394148ee81d0e6012f103e

SHA256
16d7919aa8bf56ea2e83bf1b27f322cb9ed8ef650c536c5e0ad1c8d44bb23561

SHA512
1c355ea3980d32de4dfd82c03a5cf0e1d397a05d8842e56a7efe4eebc40d490ac32af389c173879d7e69e149c1bf3cca647fa44a11d23def6a6719db7800da1e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0b323f1602d34b756bd3e70597525ba6

SHA1
6aa99f0446e82628cb65ef4158197a3422075f04

SHA256
56e3171b5277e416aa8a5fdc0b0c0939fa432d151ac48b66fff4fa0a184c855e

SHA512
a3763f5d5fb9a25b58a75b1756a94ec4c157675d3eb3e631ddccb798a0addbfdd494b87f3eabc5b6d86527fa6747c63a239b8a3eb0c04c76b05297bad2d263d6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
a9f70c0c58412263f5a378a3c9cead9c

SHA1
02f193b033e2632a2097b7252c37013e40a51845

SHA256
097bb328771fee783502139067ffb89a30c799b23377556e770f972473d2e7b6

SHA512
60d4ea5396c11bf4a464ebc01f51583997342c0a436472070a473d188694660afce2c6fa183e104a5aa29a07feb7f6484fe2c13b0695b8f103638a7bf4ac8da2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
cf204a4c57bf029a7306585b1adce2fd

SHA1
34ffd87312e6b52d8439dbd06716fae389dfcc68

SHA256
db3dd3c6a072298c887c1fd16e8e3910bf6bb7b11d280f4f9431987878d5a5b2

SHA512
7cd0789f822a24ed608ecb432d2bbaeb7b9f1ed6d91b88fc9ebf7d08baaaf2cfa0a42439c01976392ee8ce2d518d88ce7bd4814836180cade1325d02f97e0523

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
96bbb1e2725e81e3ef9bcf244363d491

SHA1
a9e96eda1f0d2999feaeafff0d344fb6c9b20f4f

SHA256
6aa54a456d880083600e3d52dd47b7e0d3028186cca96e5034afcd216ae1fed3

SHA512
28f182463913e967c124c250a5e4c7d6c1d8591a61df14dcaeaf3c5b8fa737d18bbda937ff09a0408a5f7c4b6c4ab2ad126c70942b2b9dbb76271ffd781ed286

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
fd289d0d366fac89f72e513699caaf1b

SHA1
f9be2ff96e8be4ee09ed600479cedc17920f4d02

SHA256
ee8a3d4bc43c62b6bdfd1d7154b69dc8be7d9624d5d0969b907255789b2b95c5

SHA512
89eba02a9e2ed48a90779834ef5b5cda0d4da71c64f6842447bc6c4645d65e1d3db7dcb5a968793500547f566ee9d036f8a6536a964647396af7f21afdee2951

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bc1e7598873e15a85b9fc80f5f19a6dc

SHA1
caf2be623627d409feed6165817d26d9e11d74d7

SHA256
ba51775dd70f2c19014659e36a4bf91345ed2e8d0c623582c2887a529f23ac07

SHA512
81f03f196829e79157f06d30f60766358731e6ed377ee42bf7a64440526658501d28bb73c29a17ddacf3e98d79b7fbe7683e3f27715604c4e3c3329361866542

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f3d14c1bb68f45f9e030e564fc58fe8c

SHA1
d7e13d843a94351360edbbf248d769bb485d9b49

SHA256
c833e7b965c35944af8dda51e0aa8893871a4c94cec6ab10d52e4ac281ba6aa0

SHA512
939595ecceb67c247b73844705440d40cc0a8ad574cf967ca113414da47847f69452e1dc67ab8336bdf7708b10d0bdee3914b7ec9bc3911306744075c1b69902

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8ec0368814c2748d394e293a8fd1fb54

SHA1
443fdd91b7e7a01467a97bea2dd9f17cfb7e0f9a

SHA256
0e46d2acbb08512078724a45c533afbd3027833a4ff6767ec40ed5c3358733cf

SHA512
1601938758d2c4d6e4a2f2af4e8573a2f9c575886c1426ce4dd4984a0a547447b34f16ebe22c709de82582f87cc11da56c8aadb2084c8b04e94bf8037c7e0fde

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
10ef0f78bb58758e8f678e0dee96b1b1

SHA1
de3b2d87279aaf20f4c3e32ceac5fd548d29a3d2

SHA256
3658a7ff6c3399150bc942ff0900dca406cd59e1e03b1526fa4caac2abe106ef

SHA512
5a29a04848ab425628fee9a77e48a2328c4e1da5d8c0c316e9e8742023249bab73407201a81d2b43ef2d24d002184818ea265370592948be40e2fe8789d8d147

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d207bb02a862ea2a446a21223fd48da1

SHA1
c4c14cba965e922d216fde18c6153db409aae595

SHA256
306cc0462ffcabc0aa810498e67adc23e1ecb8d1a7fc0394e3dc629f673dde95

SHA512
93caf7aeb4fa685c52b892b1b71439e8bcdc75e57f225cd5e5c2c0c7c3f9bee79013ec48fc10a31a812a79a48de4708aeea55f6139042e3e2ad5eaff98e6d1ae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7218ce1ed9c9671fbe41ad0755667d28

SHA1
9d35da3c9c691b1a041510957e0cca7f7b20e887

SHA256
a46a0e400b0951b704b1383ea44e0c4665658099d03283930ed315b2853c46e1

SHA512
23b8a4f89d29ec829c5c259e015e90518fbafec8a139140f1f437697b38e23cce0ab8e7743e1a38baef5882db0ae822bb11ecbd7c859b5846f6c39df98a37a00

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c99040fd8fb7a3d4f0870112bb21e26b

SHA1
cbe0fc759a0a9c5d4995045055511828ed892e59

SHA256
f20a063ae05eb0c7a3ff8afc8841c16481ff851a475fa44a588022a931bc0a87

SHA512
00c7478516e1b2e010591989cb9195b8d9480a0f4a876abebc302ece4008639933b46a97823ff516ea394377674344cacc2630fba43abc16db769fc60b641c4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
64063911dcd4fcbf8dec968a3d58f58c

SHA1
7c63b1cea5ef74c133512d6f061071d70be09a61

SHA256
34ed50fd532c2d079f4ed6fe89130593d95c0b2b1625c3ec398dec4af1112f32

SHA512
401319348e57ef3313f77565a18c590ccca79fadb7112e0393a2b470255e1a903068903cedea1383b065ac3e25e85353d1284b82f20f3628c57759049c1bc11f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
37f17814f58ea8c55c1a53f67742c310

SHA1
15ff75fbefd908265b87b1ed1f77957217a818ac

SHA256
90e61f7dde6339dabc7e730efd00bf8a002b26bb034e896c9d1774f1611006bb

SHA512
226bd531a8c01dab5ec7f3ae28c96d73284850f545fd81ccd0d4db93324b2453ee421328994526f98c7fb03ce6afa7a489d7ea8a43601f9fd14668f46ba8c838

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e8b6522ed13f3658ab5fb29b16a2351a

SHA1
00b8d948fec43b9a44a7c7d3bc9e39007e2e995c

SHA256
34c16932516d9902677e04475b8af5651611adb24457c3657902b69281da2f63

SHA512
85bc3670ff3dd4a902d2828df76cf97c58c4d9755fccc000b226e02772ddfa4aeb02019df2dbc903a0319bc391c434d2ec58b5f317c357a6d89cf6fa71f626dd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4414229bbbc68a2a3e6ea8bd20308099

SHA1
24b45afb02696f266b88cbaa0f6466c1bc01bbdf

SHA256
088089d62ef517adf07299f8d0b33365ac820aedb7e19942d69aa0f3e8937867

SHA512
e37ba3c86f38b679b2598f67ebea72891216bfae274db59073bfe2d6eda83a846facd24e2490ea93eae87abfe96b5aadf565e5d326bc29ebf242254938d97608

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
8d83dc66d6c6be2157883427a3cfe866

SHA1
b06642b2a13ba9709f610384dea4917d66053d4b

SHA256
f4461a5cbea26762d47d45a104a79f98e98e7a8a0b4db43d1b43f6d5ffc62706

SHA512
f02bbfbc9e098ee38ccf762848dcce94bf9e19d0229ed7abdbdb55f0e38848c23a143ebd365fd40ac4c54a0bf4232c3c8ff9b7409b529a334c4b9877d04760f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
e9c090627022e814d1df78cbc7d8814f

SHA1
b1cf603c4baa2aae323ac77ce3d096507208fafb

SHA256
a271a962a7eb903b13e6dc86d614995795d9d1f489aefd588129fcb3b284e10e

SHA512
b9b9f7e01be1310a1bd33da71c73aee035171ba532671fce8f409e14a59ec926f9783ba4e993d1c950d00b5e49f50e4c2b23398ce29137f8d25f8974b50ee7aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
664ef2b8b6c75000a23adce6843984b9

SHA1
a645c3c0ab547a2bfa361f40070487601d284fd8

SHA256
1d39f3cdb6fc1054ab25532511b01119a0df9d2b6dea947293097156f3e92abe

SHA512
c7d8b047348781f3a563f6a2b60fb9dfc7d8a16c24146e84404d5efbb7afa9396a0cbd30d997d5b5aa58d24c103916fe352a64a83853e25d171ba38716e9fc79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
ec12e5debc6b995f4b3f12e5d3efd51e

SHA1
c5fe7a7ffdff82bc263f8db954221c9bbc5db4e8

SHA256
a30f9724d50fc3c740fe54ee0afecff782dda53195d47df1e36b800a4b24afbe

SHA512
e6dbaae5880bc5314bd3efa02cfd77ac18fdb7c77a3cd35c5176ba4de9b2e05cf68c010958f2ec5c5634138ba415bf0d412110e8db318f2ef0218e745a317ebc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
6d2c28d00935e7c1d597ca29bfa0bd81

SHA1
41bca2bad9e3ed63e4360e4dc0c1a40dc3942d4a

SHA256
6050eb948d12e831abb0d4641cae6d993ebe6a4e174b4939d6ecf98d98db7789

SHA512
e7b3798d398f37f126c4c461f92ca3c1ab971e5a6346b861117cf323f66c4b7b6cb9b4731bb68f4a2e49f80548ab674dfbd1e4acc7bf0f5c63afd88fd03974d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
1233fd36239a2fb1d1da9e8bbd045aea

SHA1
94931049fd8c2a587bb81e7e0ea52a1a51271b24

SHA256
8b9036a03abd543ad7c5dc8808475f77cb03eed7aeb4fd1f143886f9b712a7ce

SHA512
506cb7ed7a2510af4654ea62493f13158fa5c59029a77afd14e0079fb4dd6e439ae823706d229788da1aa26d5cb8e4facd1207e23a795d7e164a6954514fd6b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
6368f2c1157529da3030ce0b413b3e6b

SHA1
9754c8dec958f2db65d77af084758fb35936cfc6

SHA256
73b21ce8d4c531949b811991078b6a69576642cf5b901fdeefccfd91280f3c15

SHA512
7fc60055dc5875fb3a63fbfffb5ce29a36660031b1b1ca2d76ca4aaab37d52b3746d614efdcc22b582e6b69cb8cd78602aca5e8ce8092c33830ac3a303866047

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
6028976390d3951240dfd9d85b60f5c6

SHA1
d115ec2b90825b3bd5b1831b76d918816756cbc1

SHA256
a02aa42344de8137438f0d178ff4ac388fe26b7668bab367a47b87964d0e5956

SHA512
ab8f8e14a908a71b69daa0ccc916e82eace5b0ca0cc3c63f2728f107288870995f741301d3e0b677675b4b9531a2ddba286aa825128561ef7ebae828eb370ac4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
68838e52be96258a316beb3e17ae9dca

SHA1
87f2333917cc74ddeb893d5a5b3e72a88634d975

SHA256
b6ae25d6cac007b2281eb33527e1048b749909335b3bdf582bb38ee9e0fc05a3

SHA512
ca0a15a2131587c24421b994d3a62ae77eaeea61429981a93fee15a1b63f5fb716d1ae5ff037c4a5ea83cd1bda6f50cb83f19dd334549accfa904de29d28f532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
0ab8cfdd5441ba562ae4bfe32dae9b1b

SHA1
888b8cc8c13970add93493a38dc8009e48ede703

SHA256
7ca9ae60684c616b0fc4fd4f2aefccdbe5633fc54289ff55a506c0e8429d9c36

SHA512
0dd9197d88f946753d4bc995ef2e024a3597f16612112d402883843741b2682c1f4cdcc796b3df1ff51b53fb24f914bbcde18d55544775a2d3d46fed45b82906

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
d497bfd706b4856672b2356911da99a5

SHA1
19d406b9d16c596eb1339483bfc8ab479819d7fe

SHA256
fb226984909a3a0ef2d91fc00db989a5294ae70491eb1f6a4f921b8145fd4d2c

SHA512
6f5cbd1a7efda41fdc37487802d99acb77103465fd349ab66664da9ec58dd3039d27520af47435841dda18f8948f68492754569cc3f9123f315a9bc2e8fbab9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
f0ab29e331457233a0f32b2fe54a244e

SHA1
acc9dec596a92b589ad2a709fbe112ef010749b5

SHA256
e14bdb56968f2d1d3e7641e46736f0e82ca742fb9a56687d1c6a59c0a3d71da5

SHA512
ac96ff4a236d95f2a2b3b79c3fe73fbcd85019103ad334d91718fa25b39ec2b215c10b434279f3f82436f2cfa65394930f49d9c02ff4feb26740c7a55a235ad1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
37ea7971cf20bc6406a6fb3fe49f20de

SHA1
7c35e3a831db6e6580453426a576706495c03f9f

SHA256
c16e15e425db0b49e52e8912284c8fdabf4cbbfb1a9436b72205812ebbb8e0c1

SHA512
a5ff76284a20975282c07a9b8fade0e5a00e0949c682ba028edcc9439965dcba24808382220fc21d5108100482f228a84f2dc247bfd72acd1107c3f71e96a952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
9cce460130d4453a12f4bac4dbac98c7

SHA1
2bd81f433bd281d9ae970247e2bcebff292b6eba

SHA256
2d28c6fc4af8da2571483524715e62cb8138bb36336646f76e812572dbf6b95f

SHA512
180c9eea9fd64124a957a897ee97f13b9ec15b612e9bf60965d257a41e3bed6a990094773c8cddd873637b769fbbf1f0e1ffab2e83c67967cf2e5722248fdf8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
58685e564b3f543a96d9bc24b4c5d081

SHA1
db403e2a4cb945e95b11955fb0cdecc16dc04a7c

SHA256
7855c8e745734e13ff2b337558637bdba58fcb90ce5095cf9efce7893e6d3ad9

SHA512
6a5a618389edb45a74ff78dbb76c8cfa503e157d8838f044dbe297f4f0a3e0454dcbfb4bb3d6107924012aeb1f3889162e2ceacc27b1610108750583714e45f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
499ba41ae93863fb8000a81eff11eb86

SHA1
404b48cfb106b267066be1b1503cd99d46e1439b

SHA256
61dc263095bea9777d8f4be357d59eeb3eb4e2a0b0fbe0626123930abe8552ca

SHA512
b4bb60333a457ea673131c611565fd0486b1789ab92d247811d1c0aa2fae95228dbe8093e11d7a875c0de6c743cc63c4d347e8f6f4048db7605c39ff7a9b4c4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
ccc2007ceef5449c5b018d7e6481389d

SHA1
c04f9075f78a02234438f6ebb96efb2a1db18bc2

SHA256
2a8ae348433a9a8f0458dea896d8f6528637fb9a91cb85041bb11f71adfa1795

SHA512
4b7e7b0616f50144268bbe2bcadd5af5f4f774598c333d5cee7821d6a42e33ff6922e378e23362cecd9cfb63b7bfe76324c0fb37f1aa69577bb4bf689aa6032b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
555b82e997512700ae97fb67be4e60e0

SHA1
82af15a140e9879ae8717f1df4fe3abee4ce4db8

SHA256
b0995df2b68205fa74db8482eb7ebbbce99a38d1f4441a12e6853c952542af81

SHA512
1c60504a1dbfef6c108b22f6b9561ce268f5ed93dcb495553a9891da0168d6fafb9ca000b6449021796b47bbb7c5860ead7a281223df9b9a49545558a83c409c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
0affcb8aa6a0fe13aa16488877c116cd

SHA1
9609770e93b5c929a36c7d8e822cf4449ee6fc87

SHA256
5efefcf15c2333cc2c0927dea0aff99035b9cc16da1eba48a370521767d8add5

SHA512
53486c439379b745e58b8ae88353a2a93f1864df17b55e3040506fcc4d24053373b694f83fe54b9142f1a86b44544d09b43546dfaf3ec8e0de7ac475b7feb3dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
e3951b389af2d862601d9029cfd46726

SHA1
6b77e95d9a8187f16be470271f31e4b27bb5295a

SHA256
2a3445fc3e23a4d18e947f3e0fcf62fc0cf2c889d851ce3dd9c7780c811069ca

SHA512
cd6e5c149663b8b2bafc7cb477e63ee72a18105ed57a04c7aaeedcd2d7098796bff6db93ee2afbe207fe632e5977144a796a06f850fcbaf9084d2ea75c9c8184

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
099a22c391042458a2eb4d9db072fa38

SHA1
ee9ede00e25fc50d2061898dd5e7ae45d5b01072

SHA256
53fec8bee671a1d371282523c8bc26b54d871537873e8b36d9ae92b16641fdde

SHA512
a551d6ab9f358c9d951a427bed5b5ae7ae8d5503691ba36c946e2860ddeb761a2e03be5c3056c112009bfbc9bbf041f58e414cdcf5515ec071e0864a0a49cc9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
ad2a940f93c5e352ebbd030337dd6d61

SHA1
0b2d3bb54ef5fe2d8efaed523629e9519cd6ff75

SHA256
4996a80eb9d48bad16a5d60422b0aa6186f9449ff0b58b504f602c33a86c8df0

SHA512
243a022d940cfed710c5a571ee2e0072725d22cf167ff36a701a092b6d001e690f0e9fc4a59e7f6fb3ceb3237b51f1e886998094af8a71d01f70297141246d53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.1MB

MD5
c95fc1d596bb0856e7b219d4f08a0970

SHA1
74808a1e319f79195ec3f6bee6bd6b825b788110

SHA256
3e6b8161e48e88810739a437b8254b6cbacdffda80142d0bdbddaa5f9b9785c2

SHA512
d2f399211bf57845f8ec65e0ae93308a6fa335910a62057878021737f941c52476e69fac550b919515fab01ee3720b04a7c04ba34f0dcdc24694633f1320b0c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
9dbf18af808ba21a89fecd638afda021

SHA1
ff8302be3908292d20db977ee441baab6dafdd6c

SHA256
44fd9b941b74a1ac745354f25625cfaaa85e8c4c8266618ab0e025f0437bf164

SHA512
1ed846a938c883e05e9cf71fa3fa444a506a3346682233a4dab3ff5112f0ff09f79334a88a8251da3af7c9b227c7a3c0d83ea82cb7ef9c9c9ea5d71101614735

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
912fd3c97f9009b2fb1692ea552bfea7

SHA1
72d4ad10f335dc340ea9ed39032c8ae7d09df242

SHA256
de574e9b9abec7542dabe53620de2d994c8ac726dc704e90a1484adf28334af8

SHA512
8c75739807a9d76f2ae879d92e58ec0135f302421566a9dbfcbd77e99173df88f6fb39cb7a8c26d3437fd165570f1d27bb5dee17584d0fe5ad867f611e39a24b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5ab680d964aa7b19377e21e1193db897

SHA1
2baacb6effb684321dbce82283863702ce382aae

SHA256
fb73cd9fff505d5bc7f20180f63a78a06d975ec7a01986e61862a8d1784fdd5b

SHA512
8634a64c9e55e8d47a297e068167ea4671f4bafe6e2d4435c740efbdd792ac0a1afd366a7402b4c1834465e6b5c490eda8a9b64914fdaaec4618df8f864f700e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
466deabb37ffe0c19317300d34286642

SHA1
34f2e693501c5f17e2035cd2a6994c521c0f12eb

SHA256
978c9bb356c27095599a24e8db0f32445c06d139f8cbe829b9811c55c844f412

SHA512
5bd614e206aa180dbe28cf238d6bd447bf171eae5b95d15d1656cca01f76a07288cb6db087142b8362892e5bea31242967506cf462546f62775bcbc83a8eb551

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f0f09f062ee80ca0dbc030caa89f1c70

SHA1
370c9c627042567b1b51ce9a9ee06d0b2990c9ce

SHA256
6f06b961b28bc33f95c2cc0b2f35ae7ffd1fc48ed20c457ef70322914827839e

SHA512
5ce0265ccb07ff3c1c69c23bded412a3555515542da1552162d4b060f964df8dcab7ec8e5bf218cece0b53f39fd2b80ddadfb8c524576e2a048f6d5ea79459d6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
0c71d45b91512ea6aa31e60a195226cf

SHA1
d261aecddac19d70f12f2c7dd0c7db240b850044

SHA256
6c199dcf3262e665ed822c37f1160c5ec500a2cb5107806c308dfcdae9bac5fd

SHA512
15f32600044438b6732a8548e06dc5ce975077ed07883b4451c645a94fd69ab16c42193b33e813aa3da4a8ccdf8aa399bdfff0815b410268b3c748e9bf2ae30e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
e738aea9a80d84ff0d592777d1efeaa7

SHA1
98f67a0893cbf737315fc318e521abe13918603d

SHA256
01fc2a8ef9466eed4c353a3b079b549ac62af6a8d1248c4492ff7d14e1918dbe

SHA512
84d4bd83d6e5252d493a700467dbb6035d25b404b80f1092c02e50b9135dc1b9be1b2391e0541d8dbae66aff6ca6befa0d3b8ccf74406bf289b20ea313da7247

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7b851241fdbabc2902b8644430ced8ce

SHA1
d3c07eb72e60dcd6abdb3f762cd3cb6e99408df8

SHA256
8620f3bbe4a834b3d041a103cf3c5d89017d78cb173d7eeca53b2060063a5e47

SHA512
eebd193ae9c79b4487a65b58f517fd575ceb06fe4a2f18964c894fb9c5d2c3c5eaaeaa16225df46d7e71c5ce3b5e65e625d7de005258185603f8aa0734da8430

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
532b97aa860d9dd8cdff8d1aee42e2f0

SHA1
dccdbd2e69040423c6e9b821ed0126a41e96fb12

SHA256
4fdeca361d764e6fea8047fe372351699dd60ad528d95b7c3f46e4d5a73799ca

SHA512
bfe25d41d4ffc276ac19c5b32ee657a40695e4b016e478a06a595e0a4c06dc86713ca9aad635bb183f4b66c7d2c18455e08334c6a0c7e8d777db3843e778eea3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d88c62cfb4a035345735c2e35aabc80

SHA1
17daf3784b01848ffbd7ece2a89923fd05f194e5

SHA256
3181f5c8b5896daf6ab1425decfa8226018a450026408ef64bad398a83da9cad

SHA512
c6bb0e0c70f22f31f3a900b550d8d3445d45505a29ce098eabfdece26fd034e128a00a0084711e670d519b329cbc1c7642d456426188033c4ae77cc73c702746

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4a852204b1c702e7979c69bfb2076afd

SHA1
d8b3f870d1679af9c85bdee2480b331329b80ec4

SHA256
88d675453b504c62998cbf348c8bfe9891aec16bc0e455bfe4353f5d1fab742c

SHA512
edb09acc64d1c72134d3025bea334beb3ddaddd0135af9239d050e75d1bcdee2734eb64950b64646cd929e08fc0ec4e7beb125cee75cf9b9769a83595260fa08

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
3436ce10bb3faa70d6dfe48465b71981

SHA1
6693942eec33b901b6b94a538c46e10aaa8abb95

SHA256
961a4c458b199a1ec3894c06b70ea05d8fa7f5796da402fcd4e17abb351ee84a

SHA512
d27ce63bf746868968a69ec95ff30b994284aca444b47f282edf587377c40c6c76bd4bc5459478a6e4dd82048c9ae464824b045401f98de4099412afe9a5ec27

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
276afce17d17cc1f1c8865350c01f974

SHA1
0680c23aa17ed615dc3d2a20c55432d02815342b

SHA256
9295369b365f29bab74014c59a52abd170f1b71855515bec6bfe4d0d0a59118e

SHA512
a716be9606240f635cca644eea5ab40cbc04e0695110b38836ac0dd4b4cf4e3afca9cbf5605312d5e9be707dec66d125ee4fca625df2ba4c3840eb45e4dd5279

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
7b124160f2269c7a1da166e7d73c7c68

SHA1
a57cdc76aa2338444695aadb9a1f7c9cba4a9c95

SHA256
df76bad7a5ae2fbf9f5d0af0a0c264b2c8d0f29c35bb98f8154475151f59af19

SHA512
fdb32e0f36df9d0b504000d41d3003b85fcf99789c22017a5cad8b67e89153690d75efc0c523945281ae1d54010f530dcd145297fd94cf2a17318819cf4e3a66

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
eae69f1ffb45b4fa5afafa9369405479

SHA1
c300816d50d1c2f9e3d1ec23a6cb60e54a3f9d23

SHA256
3e01747d277eb794815af34e4b2dee63c0e8690834674c6ef330839d29bda95f

SHA512
8c569d18f2098f2777d951d9d0908fcdaa1d4abefe81378f6d15acf6dd08f388851db6a4746643493a3f7788f5f0f8ec978aa6db3c1507d0752eb6ca8769d3f5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
5e02bc31c662cc402cea726b1a35b639

SHA1
fa3390f6e8daca63755a63c38c3db500100bd1c1

SHA256
86afd08fe39898053bb22b74350b2919607cbb08e9b72e85cdf4d9475862d194

SHA512
2d50d83817a66a322cf1d9d170f157c2e15090dd4f47e32aae043f77e5444a59d72e2cac46ebc495e6bad918db058eea471ffef20d30aa523823fefdec593a87

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b788ad7f13bc40468cfd6afba31555b8

SHA1
c915dda225b56b06818204d8cd7bfd1b222f9e16

SHA256
167e672915e0057200a72e3b6a76eb47f375c1c5d83d9b8fcd4dc92d58885381

SHA512
00326c8724b2258d31cb9a20d48fb17a26fa0d829fc4d033b7200ac64f0832ae8b565b0f2ddf43679a9df5486fafa38fba47889be1a4fd940fd87963faf347fa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
bcd03348b0c129ebe12a999c02de9ecc

SHA1
1f1f9adb417d2151d091e64ee6494bd5ff0021af

SHA256
7b3d479830214185aa94e3f0ba05354e6587ad80bc1e47b60930793f866d6b75

SHA512
4622787673cc4191faf76d10ba510ec7b6b31a41d8326a879bb35bedd4fa274a3d2eac1052cb90bcd7c0ddb042cac9091286dcf0a3e7a1fbf92b930b21be270f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
69f0ef1b99b7040eb2c96486ac4adce9

SHA1
f0bbce2a1d2cf99362411d3fcfc73aa1b1d728e8

SHA256
8de66f810d64a8723bb178e9d1268353744b117487678e31753be61f7202fb3e

SHA512
d098623610c27242da712e91caf1348170926cd94e8c10e3ce5770d551e0e2ad0e33a974a450f7ac564e90e927a458de2f4ef6138c128e2140eca06f6aa520f9

Download Submit
memory/552-60-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/552-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/552-67-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/552-52-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/552-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/876-362-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/876-632-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1052-254-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1052-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1052-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1460-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1460-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1460-437-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1604-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1704-513-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1704-328-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1896-412-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1896-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1904-8-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1904-6-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1904-14-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1904-7-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1904-0-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1904-12-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1984-567-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1984-343-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2428-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2428-35-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2428-29-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2428-229-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2600-641-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2600-417-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2944-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2944-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2984-294-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2984-404-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3208-234-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3208-40-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3208-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3208-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3312-392-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3312-280-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3368-297-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3368-416-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3744-210-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3744-16-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3744-17-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3744-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4008-518-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4008-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-268-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4284-380-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4760-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4760-242-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4760-354-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4760-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4780-76-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4780-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4780-68-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4780-235-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4908-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4908-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5004-633-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5004-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download