13e06016524a8c48ebed1801d429d3136eedc239fd34fd1611c059f3c180d6e4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 18:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Size

1.5MB
MD5

0600e5c301b896e4c6947995044704fa
SHA1

fa3bb1256acfd41d05ca763949f6827da0e3537a
SHA256

13e06016524a8c48ebed1801d429d3136eedc239fd34fd1611c059f3c180d6e4
SHA512

ad0c7597019365c9509e0a06c94596eee09ddeb873c03023555cd64c3fcfafbf34c4aa917101d767b257dda69dd17d87207478c99f620cebb5ca63d2927ca365
SSDEEP

24576:53oH6mhNF4Xx7AvsqjnhMgeiCl7G0nehbGZpbD:JoHRFEBATDmg27RnWGj

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
4588	alg.exe
4360	elevation_service.exe
4744	elevation_service.exe
1652	maintenanceservice.exe
2244	OSE.EXE
2016	DiagnosticsHub.StandardCollector.Service.exe
2084	fxssvc.exe
5068	msdtc.exe
2704	PerceptionSimulationService.exe
1584	perfhost.exe
644	locator.exe
3588	SensorDataService.exe
3336	snmptrap.exe
3340	spectrum.exe
4848	ssh-agent.exe
1812	TieringEngineService.exe
216	AgentService.exe
1604	vds.exe
5000	vssvc.exe
1872	wbengine.exe
2464	WmiApSrv.exe
4880	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c4da07acbb3a4e59.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_88171\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fb09885fb14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e65a2586fb14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090d98085fb14db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008638a85fb14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002088b085fb14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a04f7785fb14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025fbe485fb14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c139b85fb14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007910d985fb14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe\""	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe
4360	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1296	2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeDebugPrivilege	4588	alg.exe
Token: SeTakeOwnershipPrivilege	4360	elevation_service.exe
Token: SeAuditPrivilege	2084	fxssvc.exe
Token: SeRestorePrivilege	1812	TieringEngineService.exe
Token: SeManageVolumePrivilege	1812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	216	AgentService.exe
Token: SeBackupPrivilege	5000	vssvc.exe
Token: SeRestorePrivilege	5000	vssvc.exe
Token: SeAuditPrivilege	5000	vssvc.exe
Token: SeBackupPrivilege	1872	wbengine.exe
Token: SeRestorePrivilege	1872	wbengine.exe
Token: SeSecurityPrivilege	1872	wbengine.exe
Token: 33	4880	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4880	SearchIndexer.exe
Token: SeDebugPrivilege	4360	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 872	4880	SearchIndexer.exe	124
PID 4880 wrote to memory of 872	4880	SearchIndexer.exe	124
PID 4880 wrote to memory of 2948	4880	SearchIndexer.exe	125
PID 4880 wrote to memory of 2948	4880	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-02_0600e5c301b896e4c6947995044704fa_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1652

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2244

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3576

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b62ddfb4697c70420ee20ec6523dedd0

SHA1
cf9e154e6e8ea97b2a933346934f9d15e77624f0

SHA256
4586c385f98e230e621fa1a5ef8f614aa9f6aab1ffd32ec85e5f7d08dd6d2658

SHA512
275da16729bd9935d90e24a5818b70f71bccc2bc5a4c107cb82d405025e454e4acfc2b7213fa92654bd3a000ebc45712cc53f0ee65fed2ff49fed5cd6da266ae

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
d2e999c6e1788bde218cf817dc736a2a

SHA1
2248493b9d1ceec22aae0a264490c7a8a29a7e6e

SHA256
3d94777fde345f70ba329cfb747a5acd4c0ef94e0eb7c0ae05cf4be55ce4b8d9

SHA512
e1f705628dc44a9cf64b2f0f6bb32b58aa7824e01a624e8bf0372105902e8d4908bb10a13338a021bba8c52e09e8b251aa5fe938a7e27d64b6a43469e45e906f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
2d96083cf376fa2711405b7636218b71

SHA1
e11160b3b3092dac1827ece78b7a7f8b8b59c185

SHA256
2ba5a8894ac37e320a4601e6620a97e492a1fc49c66343f7eeb828fd44c7dafd

SHA512
d6194a16c8ffc987d8f67362a7f52bcb2acd97ed114766efe67d3def11ec2b163536cffe47001a17726e1c07fbc2e9947190b89ec61645c4f7c4deb72d2b9272

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bcbb15ff99819fe8e4c066a66fe60487

SHA1
85837c1f9be3f542f1f5ca351d0213f64109799e

SHA256
8ed0ba3668c3966efd72abe866867a4f60ad98ebf4cb13e7860514d9e250f4de

SHA512
2b326d674e605d48d64e88facb0ecf4b138c426fe4a1764a3e21673b579a87a8a3b88227697ac120e2eb6b78a7a562408806d1f140f2f84480e34b70ece391bf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e1533fc72331b747fa82922b7694140d

SHA1
ffe565f0576b3d883c8b50999137d0e19c7ea556

SHA256
57080a84f8c2b4685a086237f58da6a45445a450e74b597bfdc9bba6fd72e737

SHA512
ff73e91a541ca7ecd94bdbfac0b99c709f535b430c2f4bab5ae8893865d8f84bf15cc82eb4759ee8f2bb48b425314752ef40ea2bee8cde3a68d162a2354703cd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
a25e3d7bc462496bef8356ef17fbd0da

SHA1
7926aa7ea997981e0766bd4efd898b9306231343

SHA256
ab9f02da24d340ba6513f18a537aa9da123d046362f0d52da3ced016e736b1a8

SHA512
bedac9ecd755c07bfc1ada20aa1508e421b632be619b7bb2dc62b09f477e3c18b9555ad6e1d86f110b4ea7d342b67e9a161c6a0a88e3a6953e3c591bb8e47666

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
eac26fb394e0b327c703100c5c88ecbe

SHA1
b57031c7651cd0de79a60be81c1aa040fcc5f33d

SHA256
9034e9e40e66563d3446badbd62085ae960d35d410650a2dc6485e2c60543815

SHA512
1900b4fd42dd3206c971877e1753ef5367fa0533ce2cbaf47216ca5f7a39a44ae3d462e7cf27b92f2a86fef8016115a55c9f23a398abe0eead7c37bdddde65e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8fee05a7b8ca1a420944b332540785fe

SHA1
f4795f05132913314e10450af829695263893294

SHA256
be71f8317ea48af83f03a68fa7df5bd454a559c1fe4b3f488ef0761a6e1ec439

SHA512
ef6b48f4b68d75c65f398894d1b7130081c6723d953a0ef7dc5e191efb39d7e8993626d55182214c4fbc5048d7c72cb7d747ae423d2b7bb0847cd7bd75219afe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
2399a7790230093cc1a27046fe547f1a

SHA1
50c4d0eabdca9d81c072500b7b97a50586f78e5e

SHA256
e78e2c998eae3408703f7a06352745d1154b09eb7a81d679ab85ecac6d22fce3

SHA512
103ccda9130604c67532fefe24266f8195d69c1ca9520d553f8d5eac6cc841fdd8b0aa6b9b44b84c76208e41a12f0740abcc36af61888e421265b227f9e2fd58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e607ad498a1d9945d06d979cef70d085

SHA1
c26946046835591cb8f92f1002d12377a4f14d6a

SHA256
73863f9d62a175eabc52602f0c9deb0f33b89fbe82e3dc7ffad578f0dab4a534

SHA512
ec5ea1cd4016a1756fdcc2cae36c7e97797a7b10e2b52426847edd66721f0c2a76ae6a26f39d8f52009c3e3af984de3315e4d4e724a5f85acf40fa29abe1ceb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f900f5c6a9e2ecc802cea0668ce0f8ba

SHA1
c9126efc512b4ae4eccc2bcaf084bd3c749f0ef3

SHA256
a1afa562e5296f246684e9bf795dd578e287d3da19a59d3319fdf7ea72c339bd

SHA512
49a770a641bf801b9a02b77866d669a3eae907b82fc7d036ffbacaa173faa8b9a493dadb6e57aaa109fbf07fad7f317ac2e0607ccdbad86ad507dcae7a39ac08

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7f5f357713e4a09d7a7267c0741b7492

SHA1
ceb782c1829ea887d1c4790d5d84b1fc104bc5f3

SHA256
7c17d04d8d5ccc760c8bf7dadf2feebbd7d210bc72f21a7b6b4aa3e169331ce4

SHA512
077d310344bd0ac6bf2d60c118aec1104f106332944c2f408687f39187f460d52db4424b1cc890bbc73e82923ff2083c8cfe29064268ed97be29aef5cae28f1c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
b7a316a170e66e53c5bc8b05251b5aae

SHA1
c117fff8d1503ec282f3720ee51314f75be41fc2

SHA256
485561e08b8bc7cca561ede71dd38acea940214166b974543a944fd520095453

SHA512
976c3ee2c3e0d03502f3ce7c730393fde271e28d8c78be86396c2a640547e44dcd1eecc2da46f1a42d8d50a3a312af17bc709633f07d90a187464fff44fd2c50

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
b3afb12f54d5c38a8f8d5a944dfa959e

SHA1
70546babdf1b9492c622a5de57cecf786c038bcd

SHA256
49ac8bb02cc9d31db2c0ec69e3d292900d01f5f418fb2650eec348aae5cf9579

SHA512
fed9ca14e7e5f9c93c73454d5362a848000eee37b206f91cc97008d5807a0a8df62259ed665508ddeabc9c4f31460c94ca937a0eeca81c83fc1bdf815f08d08b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8a12482c0ef40f2ea5dec3b19ca8864e

SHA1
956be82b9f94e2c1fb5f937805513da60dd6db2f

SHA256
3ac4c917ab46f87ca05e243043c1859c467877a07d2bba4aac759b66490ecfe0

SHA512
c2793cbbbd0c9c87c9be951be43dcde9957147b2f74d2dca340c44f7df3b6be8d717ccf9aa0acc59eb6e0f4f39aee53eb54727c76d9b4d0e94b881e7b4cf8bd9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
402e96b5477d399c8367d24a71e03fdb

SHA1
9f41f4e566f9f11a266e091a25be43c810d5b3d5

SHA256
0dd800b6416c04366624e3aa4145838af664dce2364b639c8ff88d6ac0d7beef

SHA512
d258e38fc5d6189f75b334c60ec9b0da23e85e73940a426a158f162570ab278f8fa424a820b2ad811d3c0cc6a378655a101f105721a7aba45ba241fe53715b3d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
baa10c05f7211c6748f0dd62ea279c91

SHA1
2f19fc151c9c83ad3e216cbc2654343b9610e007

SHA256
ce93daa92c74e6c2ec5d71c486cf93442ec9a7b639539e90106a9abe85629468

SHA512
cebcb3d8895f24660b9757ffe9ab0ec78b3e3a0c82ccfce44f84a0b83fbee84fd9ed625e781db8bbaf9f6a7f0a8dc31bc8718f749a7fe959eca79079a60bdb49

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8f85093215583ab2b636371c1eb28b40

SHA1
f83c43f62724734f645068b8cc5e6af8b6a166e5

SHA256
7508987a6d67234417083d66ade19b59e71e10654f3995fc7f425779fad2b122

SHA512
00ffe5ec5146d8e4a16a993d2a566bd80fab34dd5bd8c38031f3869312b55b8f58335460787a5a35b716ce782fc56b8b253f11761fdca6f91b8e52e3802986e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d48286e8e64666fa043334986ff89e45

SHA1
60e65416e85b340eda25444d4653a0dccfca2920

SHA256
3879b7dfe4ef9f404f7942b97d4530090690814e1a347082f4a477d26bd0884d

SHA512
3797e5f4a8eeb5da2641d1cff4d423df62db83a9b5d7adaa97253990c6028fe03354648239433dc06546fb51b733d3c9246375ebfa250d268d8acab696f4bbf6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b6c63f47bb0f59c1cfe89dab63d35cea

SHA1
ad2f52aa2131f81b420bb4f62ff37be7982aeddf

SHA256
7737e68be5354f377d2d102f72bac67f0acc14d458b369911e3cea05038f4053

SHA512
e777a6951dd978532c174c4134ec7a72da28940d661e80494d6b76f1203646157b84f6993984d5c52718a82a29a510bd32819a7b1ea956b2d93217894c3c08ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
c6a384aa55476b367333dc2e43fa06cd

SHA1
e18c103600b28bfee24bb7db91a09551dfc6c32a

SHA256
9d92ff1ba43d5c6a226aa7cc3eb37043684fc7be7d21524781c015beb71d6eb2

SHA512
563cb7e7fdbf40e1509ae66fb4721f841691c361452b1ce17ce77b8f554ce66810b9b5fed379e478d8fc134ff0ac54d17ad0919bf4ecd905881b8db24b834828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
768191cc7723694abec7dc6fba7e876e

SHA1
32fe4d8986824bb7da00f92fb40d6c495ddcedd1

SHA256
a09f4aeb4997150f039bf4c80346bffd2221a96c2a30b16db0cc1dd46d995d22

SHA512
6232ecc61c25ed921eac617244a74c416cac65d7ac5bc89ed09bc01e577a83b4e82ea9b23e516bde1acfbecd2b3cbc59824b47023362d00444a579ebd08d26d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
f0ab004f256babc99d2aa9caa21cd894

SHA1
811ae70d5cfaff83fbb0af83c7a22afa9b1a8b09

SHA256
9db7d0d10d9d20388cc2f38a8cede1be3a535c6ea254593578a5dc7ec7383295

SHA512
c12fad7b25d11a1974b0149af96f195e49c36a0a0829d562ddf1974d6634ea94add8b72150ab6b05ed5bdea2344c937410af6fc85fc208abd0b115a12eb7fb80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
0a067b3000091451695c3c5ad19a80fa

SHA1
f08ec1b27a10ae555a9a782828d45c8b51fb0d8a

SHA256
def51fdfd409f55402ba645074f0a6362e247c0e4958d3ddec2103729e9b038b

SHA512
76c9f31d6f612465263100407582d2ae2cd6695663c6fe67bd13ff1aa5fc7c21f29c0ea105ce6d566ade2e24fa34a8f32488e92adfb2f965de19a1038292d35f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
7f9fb451d8696a9ec8f5d006f78ae70c

SHA1
06182629a2223e1f62792626a3e01a40d999a659

SHA256
9e57d7301b88d429e7a6f6b7f0364216ebde0c74b86b8e1c281dfcb3ed972914

SHA512
84ba354548f4ca7b719bc98323bdea15423b07eb2d6a3a335413e522fb8034f8c4502edd3fbb600b5cb27b883439790af538dcfe89ac1c050d919421695121a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
bf1d7868b8c42e4c1f07c0c2fe476c87

SHA1
44b4e95923050a4e9482359deac8538a484f2583

SHA256
a40325301625f6f60d80f387723ed8eaff6de7b13c0d7a111134260952cf1313

SHA512
f135669cae4fb5b7079b85dd2caa448b0a16a91eec052ffbf6317ee5847baf1b2346fda7b13b44d09441824d9251c4fb54dd998601a6f37f9f017c7168276bb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
e6fe3cc665384c0fa22ff64eb6412a10

SHA1
1f77e2dc6021408a92e5ac9b206a211090ea9488

SHA256
bd9b097ee4394b94fe3ea47bd4839d47384a88109e7b7ee4823e4ef9a2cd4a4e

SHA512
114630ae41027b361e704eb4b7408710bc96ae69faff649cb3aa0bb84b72fae68faa74989c8b846e9e0e08aca5f259ec670979f3d10bbf66a64c6c14334b2cca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
40a61f73bca8b08c1932ba1b0f758fbd

SHA1
0f561fcac80fc32b60e7790e0a34c99ff11acb0f

SHA256
ee896efcafc1c9bc8f376b940385a9c4b22d3e8a473c795ecbc423eb0c8f514b

SHA512
351de36095e680151ccf407d426ec37d3912261474802f5498a7126b3967484033207d220e3713050f2a97bd7bd873cca0db659ce3f5c0129af993ad23532b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
f028a814188e2df787f18f28142ba663

SHA1
28da0bf21dd3b7100d8a5fedf054faedc4cac366

SHA256
ef30539503de3e064058351c0ea24abb7915e84688f5de5293c7b5f5c266cc19

SHA512
1541ae8143ccfcc67a606c31985cb538fb4797c8626378fe4f029c851e85e3619c955620e10e5ef9a12727dae01053462d90f741adad3c39600acd00a0581cf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2108d87502d54f7233f7b71eac578da1

SHA1
9d302986555d835fe313a39754f2482b2b45515f

SHA256
4463e4f21e9fba48efd35162906bbdab717e8f03956a5e54070272765a82f7f9

SHA512
5e8516d0c84824c72ddfbeaf8ae3f356ce3ed4e6de21ea22e2e9e6bf4f4ebc5a209eef9d0f67a7434a9a9d36a939b4bd84697ad77549b60fc254cfcd039ef7e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
0c5b16afaebedbceb2a928f360b0ac15

SHA1
fe5a8170e2ab78aad4727dc0c8a505ab1f9278f3

SHA256
f39dd6a74e9578d42b8eab59ce256336e63f6c9d9d4d914642cf5349bc8ce9f9

SHA512
3e22987284a9339d49255c45cef6331e7fbe362abeb71492bffd3e520ccf812f849bed14bf8cf5f3830d5e3fb29e52f298ebe16cfcd93c9123883ff96c843c72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
c351814b62afabeaa906b8fb44c7346d

SHA1
760bf114b3a1eba6ced94fa0cc8326cec5cab2e3

SHA256
1adbfdfe7aa2ac1ec507d5cd547ba46934e9fa094dec4e2734992a27166945ac

SHA512
aaba490787c76dfa64b93389a7823ec2d5270d7f14dab3d22f8378163efd2d5c8c5fd730fd8750cc7e2e0899baaaa22161629fc1245f1e1b7ad13fbcf7770408

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
b7d51848ce705c3775f52ea1d457a806

SHA1
1d86e9c2607f556ba27caeb1327da0019b6db0b7

SHA256
3c98971b07706d004da0793ae3b7c2f6e09fc0d0fdc07d647cfce9f89a64410b

SHA512
fa838fd4db91119d7ec29d55e2f1dca8feddc7c5fa389d65a4657009396d47bdae6da4a663b2da80cf47c77fbbf9eabd2794ffbb8ac8f7f0337c3e66da10eea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
694dcecfaab9cbbda07012c5d50538df

SHA1
3e4b5036f0aee54b5ea23da43c8b2d61c7dae250

SHA256
e5f503f85c11dd927e18b544df66a2caec9c356efd27ba9b51c50c826106446e

SHA512
954fc3a59963f2477882076d7c250914ed9bb953915a1f2ae838f556f0301df914185890a1e82425a98d0650a1f2157578480dcac85f6d062a7ea64edb8d64d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
d027deaea821cc02fe514118ef05bf77

SHA1
2aead61693101599194550e6f31b880998320f7d

SHA256
e1e86e0ef193d214c826eb6813c671d779dc919ecddbf22d93a348f7fdb81c4b

SHA512
c52b162b779c0eb2f3411d55e2f660ac9126ec18a790bb5f38dbef06454397bfc4e377cf76f6455e2a60182c3d54e656db5ad5af5215133b6962b96f47d6c928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
1a051921b268821d3f05b271a6d1b493

SHA1
2eb9d8d5f54cb03901df59e808330a2b2c727da7

SHA256
db399ffa7b33ad8d6f340e7192645124764035d3ca59c05e106b49b5d1398444

SHA512
6e181cb27e71bc1e406b5fe1426b0b82cb182d9d2b7ead0bbb3a15a078f6ae7d0e313027479f6201364d02795c9c1bd271d33c7b64fa50aafa453ab8f51b4e52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
b4512c9b3565a4e4b8180cc83cd5b057

SHA1
c4e0c95e423c2f9bab05282cae8693bf841da684

SHA256
6e4b0cb95639a8dbbc163ae2b50e2564195fcdce2679cd739437fc49e4f586b0

SHA512
f83f772cd4d536b5a5f53b1cbcbf03ae49c5f6420817a8feff8a298bce4512e04b1f19760689e130cbfdcca5e7cc5307e78e97268bb0e4f7247ba2c6fcf8a46c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
4fa13c1aad1155c039893c2cc0360831

SHA1
dec94eadc03da11b1e74a5760538c1febbd6b7dc

SHA256
7ceecd9bcba1c71353667e825b1bfe5ef215ab4c6b7d7d8b4defbe7eae0c7053

SHA512
22bd8c9d57d0f274b883f5e3e8c092a01daf70d05dc9afb1ffe5c5cfbee677fe5d4aa6ae55fa9e8066bfe5f75116db7bdd0f10da38d0e8cb9f3ae7c80db90491

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
f1f01628160bbcc7d422d22c3e7c26b8

SHA1
a92cd63de4811d05e67e663eecb57aa516033fbb

SHA256
1d0aeb18f97d5a1f3eeb07de78aeee3493d20dbca4dc6029f144c01e0f0015ba

SHA512
2337ae8ebcd524873a82a66cffbed21334920222afbc853264612477de5f021fcd63c698b7e85221d9a6c3636f1ee0c938302e3543f0d5d29c313305d371cc68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
e3042f2881f38bfb13c191bf84de37c6

SHA1
1efad23e02e83e9a37b7c70d668dd6f5e0b58093

SHA256
08e1ceab57d2cbec0510b26cb58153f0a5a1a9c434fcac400c8113d0a2769561

SHA512
ea135bf6470bbdf87e257044ab3d4e2b65c351e127abaeb31c7fda875e94d36fb399359a82f1bb4cf109b7f6b71de5d5ef16423f90c69dc30a1fcac4f1e4e70a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
5cf290776859e9ac1850806d092214ee

SHA1
be2b1f5d803089eb1b424721db289bc1f83ea85e

SHA256
a176d29466c1a55e933a91542a7bc1443fa53f526ff6c27a2cc3b649e8875e24

SHA512
dc1acd569469628a5b42e9f93499982630dd40c11772dce9540c5a536b1d8e540b842a0de74d0172b3059e44b08a86e8be368bd8658ce6cceff0a04a7703eeb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
c3d1a8729322436ca86848a56fe17cc8

SHA1
8b7408e11c61f35c3a5a1f5a7f6feadc9ed0d6fb

SHA256
0cf8a801b5c652fb0031d8662b0e83ba7373ca684dcdf54fba89118740aa2cc9

SHA512
2fc54be6e48a47db4a04cf5a858bb52792149c3ce8c6448782fb58ef46339c9d8392d6ef5c3bfb8c5b784dc499eb6bb9d3c3da7c55c851008c945696254a2dcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.1MB

MD5
48621ece1737ee24c01e95bdaef91809

SHA1
00b56f54fb41a55524c76afb2f20209eb307aac1

SHA256
e047ba91bbb1352e9892cbe1fb7a3adf73fa55043ec6fedb19c71661d76d9060

SHA512
f7340c2a427736c97ff23d8149ef631ced41360b53a62784e45e29bfd35895c425ca7d24bf05a78a6ec3480563c1f154fbf316c41df098a41bd3ee0229add264

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
b2b51cca7dd15da46cce4f4231277cad

SHA1
495da753b5bcc6af88a70b2760f05568717ddee1

SHA256
51a70612fc8760ede482ba100bcb07b4bdaa5c4c7bd33218f331f9aad7c44253

SHA512
dc8f685599cd4ae29935e2ba5c721878521298f78cd2bdfb0651e5be39054fc6816d7502ca2ff095887fb7f6fa0b4ca50d9e1545e09a6ea3593e25009e718e58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
fc3e417f16f38b40f4c360c79e2860ca

SHA1
c792304b5844b9c9a31ed1020ed8291d13ed7216

SHA256
a0fc763343f54f5ce30e3116a88982ce53ee9371da9499427218635a28b309c7

SHA512
ce528cb7fd8c026042e863c66867a38dfc699e0a0d17dc038a83f9d9f72e32d3d965bed7202592899e688cbef4ea15f81e1d24a471310aa8c4210a3c2b81fab5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3bb3783aee937bcbea32839c607d968f

SHA1
9d630bdaeaf2711b026b92ee403e44165b82a970

SHA256
820c0d7dcd8b885ffdf1727bf8844310303f4989ac99565469f81412b029094d

SHA512
ffd3b7c43e6528b2909c1fa7213f213483c41c2bc9aac44232bed7521f30308174a600371f7c582fd9aacdce39fb8892758254be13780796a6d2791b9cf4b714

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
6f5cbaeea2c38d60b1293a33b250f663

SHA1
dcff6801e63016d07baee11085255df55b7a8ab2

SHA256
39fcc989bff8c93f625f1dee92951e946e58a1829ba77ad2b357d4993ecff875

SHA512
44dd537140b42d443b35abc9347e3998d0eeb7889821f693b95b12762637b0667d0d5a4183415ecfc1b5e4b0a8bfd106b1cfe38a9e0a376d32ffe1b4c62a776f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f9abf1daf712911dee00debdfd23e0f6

SHA1
057795b63605f3110bb43584e0f7ccbb66fc0573

SHA256
ad5f14f58ea752eeb5f92b1fb11075f139094a4bce9e6fadfea770e04b395c53

SHA512
b054fdd4ede5b4ff8bb00378da1e7e242c486adfecbce8a26d3924542a533e7934def5c376329c5a16efafe166e6e56100bdc4fa20a5b2ac0b04a2cc8ab36441

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
574a5b9ee3b67f29d03e89ea0f5bd719

SHA1
119948fda5496ab6905bd18170d0c4ec4e6c4bc3

SHA256
281276b082231392031d7c2e08a7e25938d08939f9834e21ba9d1ab33a15a1f9

SHA512
1842e2f06b579af574a2536c88abb7d0f89acf510193b9797160c293ee6957705007940ce3c33b3b8253507c0844fee2c24bde776cf345934c9f68e48e25994f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
67f7b8238438cfd506660c6fc08c2dd6

SHA1
d4c20737ba128fd32fd7d38a017f1d7710c90af6

SHA256
b61a43626f8f6a18778128999b0015d58984b344e9d1904544723c0d7a4b2355

SHA512
ad0c8511cf397118634e4b4e83bcf2c560b17c58ff9d6ff691680a17e9f7182ac932e3e6e149d2e002f34f57bc3c9196aa1c755ce6f5883548c331e8215044e0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
2c037e89c35e82ba1296b6e5dc0bc4c4

SHA1
e92e63de28efb5a67f315616271477bc2bbe3a2d

SHA256
3d3452a37949cc273d66637bd4d446a5343161daa42a9da9044daf40095a5348

SHA512
879f97a0e3d47660fdedac91acfe0ea4a735ca1722a212e629ebaf7784ad987be5020fc9ee35253453f02d56b98fb8e0c1f3567bc45358982c690649d5ed6743

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0cc949fb5560cd91892a772f4da5e584

SHA1
b2bb35ed961d4b2924b87206d2a13d088ba83a4b

SHA256
f6accbf47639421ec0f8fcc2993930e0e4cb8c7dc8744cdb518d059a999c8f80

SHA512
a783e16355a2e3f3311195cdaa3d69cdefd50edc002e965071fe016f8dd6a3ebbe2e94f75441c0a6888d6049bf635f8f491aab4e10de31db96f9e494f8deede4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7d95f9be8f1f5b51a4612925f92c112e

SHA1
02cc27ec97982508cfd44c913a37ff56b03581ac

SHA256
b251abecb25a80f0d9af1bc84b3cd279c0331f96ab3f8d85c4537e01ca201bb4

SHA512
e00552336c09c89b41e477eabf828254d4f3d66d984e5fe3fe138e16af03d621cf3880af7777d28611605061df3ead22d7e06eed2ac5d014b4f33eabefc9ae80

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f33263789d07b70bded0e523bb0e8eef

SHA1
4ac81a23d56aca183c8f63737c5ac1361910c226

SHA256
e2c576f6ad0fa0741664fc073fa8bfd761a023eb7c56e2bff2c9595c832353e2

SHA512
259c57d9de7f93d3a657fcacdb74f630ece6dffd7b0ccf70b2bd11564bd5b311f42f886a0189b1de702621d36d73ce4279e5bff164ff1b6e121f109ce852ebcd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
578cdf21f59c7cf68d7ccabe565015fc

SHA1
4fa11e2541d82d72288f3a55d38f4697f066c4db

SHA256
e531516df6131b8e3a23b8dcff6a7270683131813f653d6df074d2229f230bfc

SHA512
c47fcebdc235d6829073f8e9940f95c2bf95da16d031940eb69c66e7b3f62e7ef9de3fa3a67ef52dc421267fcae44d92de00cebce9d153d0e8aa592b8f05bded

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
34694fba040569501125ec983cbfed91

SHA1
c2b84f6175363e261220bc6adda8c950d9faa253

SHA256
c9d358257c29e34431ab31b8ddcf48e98bea1c0d5464f8ee26c59f35c993f883

SHA512
eb9de39b80c5c55b3dd35d138469afdff6f2d6a12b1beb829267ea4fa15552208d5a6419fd6d2671137c3dd907002074ad37df63b34e787249bada7443f55e4b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b1e25683a59476fac46571a2c148b9b2

SHA1
3017b6d9c6ca05363442d59bd524c16c98930fda

SHA256
e24f9a6cf55c7afd8ddfdd43dea1132259aeb2c93bbcfb9209f6464bf2890e1b

SHA512
5eed49c0dca7e221b8c296a6822ddab48a121b928a48506d72af037bd4cb84e6af887976f1799306a339d4d18e348f1aaeaff48f1a31e9b48da6f59eeff0c179

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
4c5aa04b4622a888dfbcf8e0014f0fe9

SHA1
aed1b5d121e77049f5978ee66a8e412dce41c269

SHA256
f07382c986fc8817ece424481c1069778cf884ab78019a1d4e4ca1cf2cbff4cb

SHA512
4fcaf045415bdc518cf64ef127aa6635af3b2b8f66471716abc5a93dc092c6a91fe3c64af30654354e626514ac1defa3c127325e9cfee57bf4d05d0086620d33

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
bd18ad52d953aa56649100287bcb7c99

SHA1
c4de8cbc460d36263ccd95867958299bc9584da5

SHA256
87c0106e045c38c056e0fda5bc084405d9119f5046aed410875a2a03c5379486

SHA512
391ebf7259662feceee5c09c7c4559e7ceb4f9daf7f4fe020f43bcaec99ffab0ade38f0cdbf3977f078cc5ea798662847ffc78b35d3c07e4cb439c8f828d4014

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
09fd0ba54978a497c35ca1da66fe0c82

SHA1
ee03040846dbdd4e9f721db5589f5d555d278ea5

SHA256
10501905eb02a925b621dc58920c95c60a70c1bbe4a08ea7f0aadf4c404beadb

SHA512
ed408802a4d32ef4f74f398706f77c017d16a23e8b032ab915f670b3a4be5d7065feefb4100eed24dbfcdbe701a08f5920e26a1a9fd3a3249bc327a38564ccc5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
01bc9e0011e36f0b57e58370f5b2a158

SHA1
f7cbc2265e491905a35e0363b2d18ccbbceab10b

SHA256
b325b7cfc14699ff730cbecdc5d045a978f800e3d89bfad2ce8d5ed67e2bc363

SHA512
ed27b6f7210bdbdaf36e8f80ecb076c366f479633e7d6e61614cad3cf97792339d4b57bdc31b28540a3fc1dba8d32bf982f0eb5462b13909800fb1cc9148b0e5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9bc01a78c6846dcd20c7a7e373009827

SHA1
2a05dbdf86ade37d243b386708c49bd109e8685d

SHA256
e0ba80e04a219522e9d72d5090799d0dae0b7b3f85996472a660d4ca78092e1f

SHA512
70e0077c8af4ee18e6013631b4ad4faf2a610915ee040e7db1d51d586ba481ee039e6365cb7df3166a5b3b663d893189391d283b395e600ef41f38bfa701e6f0

Download Submit
memory/216-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/216-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/644-298-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/644-417-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1296-8-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1296-9-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1296-24-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1296-26-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1296-0-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1584-295-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1584-411-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1604-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1604-666-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1652-66-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1652-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1652-61-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1652-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1812-356-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1812-665-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1872-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1872-673-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2016-355-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2016-250-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2016-243-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2016-244-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2084-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2084-255-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2084-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2244-236-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2244-69-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2244-76-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2244-75-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2464-677-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2464-418-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2704-393-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2704-281-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3336-321-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3336-514-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3340-519-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3340-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3588-669-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3588-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4360-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4360-230-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4360-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4360-29-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4588-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4588-211-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4588-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4588-21-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4744-49-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4744-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4744-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4744-235-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4848-600-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4848-343-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4880-437-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4880-678-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5000-670-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5000-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5068-269-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5068-381-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download