05805d85fb7865190cbf7e876c6734c0ee1b558337bf2f8bfbc5f85199698820

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Size

1.5MB
MD5

18fc97ec28a00c867b3cd7781e0cb1e9
SHA1

43a2c987bfc632bfcd67f0c35bf92ce6529fba62
SHA256

05805d85fb7865190cbf7e876c6734c0ee1b558337bf2f8bfbc5f85199698820
SHA512

14c42fbfe983d0994b9596d45bd53ff75ffbf63a1410c2ae7c85f85408dd438fca7661dad0e03a9704bd9c18114525b0b15790ed4474635abacfaabfb88fcfb3
SSDEEP

24576:piBE0LqwXeAVmYysqjnhMgeiCl7G0nehbGZpbD:lG5Xe6X2Dmg27RnWGj

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
548	alg.exe
3496	elevation_service.exe
3916	elevation_service.exe
2076	maintenanceservice.exe
2020	OSE.EXE
4868	DiagnosticsHub.StandardCollector.Service.exe
856	fxssvc.exe
4304	msdtc.exe
32	PerceptionSimulationService.exe
2852	perfhost.exe
1536	locator.exe
1356	SensorDataService.exe
3988	snmptrap.exe
2836	spectrum.exe
3652	ssh-agent.exe
1352	TieringEngineService.exe
4340	AgentService.exe
4180	vds.exe
4416	vssvc.exe
1752	wbengine.exe
772	WmiApSrv.exe
3008	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5bbc9054240c1bce.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C4DE67E0-347D-4E90-AF69-87B120456F47}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006867f42ac215db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042a2d32cc215db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c617052bc215db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000493bd2ac215db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce4bba2bc215db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\ = "IntelCpHeciSvcLib"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\TypeLib	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\ = "CphsSession Class"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ = "CphsSession Class"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\ProgID\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\ = "IntelCpHeciSvc"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID\ = "{C41B1461-3F8C-4666-B512-6DF24DE566D1}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\ = "CphsSession Class"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\Version = "1.0"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LaunchPermission = 010014809c000000ac000000140000003000000002001c0001000000110014000400000001010000000000100010000002006c0003000000000014000b000000010100000000000100000000000018000b000000010200000000000f0200000001000000000038000b000000010a00000000000f0300000000040000ce4a9359b9cf0b7575c0f29bb2b4c298d446ddf9027a87ec14651177d6e996550102000000000005200000002002000001020000000000052000000020020000	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\IntelCpHeciSvc.EXE\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CLSID	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe\""	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\VersionIndependentProgID\ = "IntelCpHeciSvc.CphsSession"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\HELPDIR	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ = "ICphsSession"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\ProxyStubClsid32	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession.1\CLSID	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelCpHeciSvc.CphsSession\CurVer\ = "IntelCpHeciSvc.CphsSession.1"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\Programmable	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41B1461-3F8C-4666-B512-6DF24DE566D1}\AppID = "{11AC3232-E7D7-49CD-ABFE-501700100B3A}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{11AC3232-E7D7-49CD-ABFE-501700100B3A}\LocalService = "cphs"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS\ = "0"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91E0BDD-79B0-42C5-A3A0-5BE434329577}\TypeLib\ = "{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}"	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{66DBA565-0D3D-4D8A-9391-A2A4CF16DF40}\1.0\FLAGS	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3496	elevation_service.exe
3496	elevation_service.exe
3496	elevation_service.exe
3496	elevation_service.exe
3496	elevation_service.exe
3496	elevation_service.exe
3496	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3160	2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
Token: SeDebugPrivilege	548	alg.exe
Token: SeDebugPrivilege	548	alg.exe
Token: SeDebugPrivilege	548	alg.exe
Token: SeTakeOwnershipPrivilege	3496	elevation_service.exe
Token: SeAuditPrivilege	856	fxssvc.exe
Token: SeRestorePrivilege	1352	TieringEngineService.exe
Token: SeManageVolumePrivilege	1352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4340	AgentService.exe
Token: SeBackupPrivilege	4416	vssvc.exe
Token: SeRestorePrivilege	4416	vssvc.exe
Token: SeAuditPrivilege	4416	vssvc.exe
Token: SeBackupPrivilege	1752	wbengine.exe
Token: SeRestorePrivilege	1752	wbengine.exe
Token: SeSecurityPrivilege	1752	wbengine.exe
Token: 33	3008	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3008	SearchIndexer.exe
Token: SeDebugPrivilege	3496	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3976	3008	SearchIndexer.exe	125
PID 3008 wrote to memory of 3976	3008	SearchIndexer.exe	125
PID 3008 wrote to memory of 856	3008	SearchIndexer.exe	126
PID 3008 wrote to memory of 856	3008	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-03_18fc97ec28a00c867b3cd7781e0cb1e9_ryuk.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2076

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:3448

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4304

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:32

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2836

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3976
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
cd06173cd32e8e1cf986aec60fe68594

SHA1
4ff725aae93486c655db90500b85b2dde745be78

SHA256
6d206432324693b9a04b5bc4d44e868ea53b4602ad38d25b253fd85abcbb86a8

SHA512
44042f2ade2561f54dc48b966f62aed5baffb243848c475c6c72486beb0fe201ef458f708b9f41112d053c73ec319544db31592cb5a212fdfecf69af90f50d12

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
f07fc7d72a27d3c849a1edee75005da4

SHA1
183be7a4de5967de7bbb475329e3e687d29127cf

SHA256
14f9a3018ba4517d8abfa05e539f43e4136683e9f7a9366eaaadfba4000d1d4c

SHA512
8885c2e49a9cdc7f2205e0d763b439b8466169593aebf640fa03f046ed6e664790f260da7601dcaa42f7053d134a5c78eb503b9db80890622c42aa18fadc8c0c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
57b79628b20c48f1d44d2ec148e83831

SHA1
4076712a4e7dce7d8e8ae920bddff8bad062e4d6

SHA256
c8a13d643818168285770b934655949839c5fa6cb67982b4b7e0ba75f5451f85

SHA512
0d9ae75aa9c4ed4e4d03d13291d0a53f6bdbc4c00a37257b96c48c042b29f200fcdce81db1cb1b08d9de53cacaa30102e5f160f07c91389d5f3805da38622e4b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
91cd0f097cbb1379e3a96e42351e7d9b

SHA1
d1e0dd69ceb08d449d2e86046c6c84fd2610cf9c

SHA256
2d3877694b03ced90082b9ac3067989c2457d6f425603da2620f2ddc243312a2

SHA512
121253ce7c49c691106b8d15d603d65392a61a9d0c3a1b0af38b03497668f4ab91b81f4decb69de6ca2d847eb90f1293219a3aa1abe1387964cfd831d81dd9a4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4538ff16627c697675d7ba36a3a1b68c

SHA1
64ef71f5837995a41a66844693071206b72761de

SHA256
976ae9a95d2579e0cd1319ffc37d5bad11b2c4bf26ab76d65fa1244d2d1ce2a7

SHA512
fd4d3ce38d7af766056897cee72fbc9d22576dde4f308bfd4ba13a6ca30212967a3cf419ee528293577a4e36f4eafe5aeadda5442293260826ed8dd48397fb3b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
50fe6ba142bb771f82c4ee36e93d81f8

SHA1
480e202704dfe4aa41f17467821b22c1bc204b03

SHA256
9b939c654dff82f01aed2d0ebaa03faa07f315e6eb6eeab8a184752d85cbaf99

SHA512
bffcd82428a747e2d669861a14879f90518b3e52973d68466bc2b8f7ea4545226e626ee8d4b5c34f65c18d0f783bcc73ac2858c6ad0c89e78e9a0ad2fcb032fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
dd6a66438da974f5f093cd90f16ff55b

SHA1
098dcefba436321ecc347c46c67fe86b702a2daf

SHA256
a41ff91f2a61b22a628dec6485b57121b55a69710a6d25a846dbc729237031d1

SHA512
e7943dd3e8d4d18fb520722916b9bafac4f27e3511f6be0e0d9695e0946f3a8d639105df05775a06a53011debbd8ddb6def6afe709d580de93138c590bcfc7bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5d6191bf12812ac4a628a54efcc0c12d

SHA1
7a401530c56fb0bbb37920b5b90e9201d2c1f9eb

SHA256
1059f0fac9bed73cd195db2d455d39fd6750b5cae5c3f536d1fa2009ae40656e

SHA512
6c2298d60839ac10f75c8613518016d1355e77bd9d3a528c711defc41e23ab8e2dd3259ab9034d0c293d08233637121586ad9c22034bd225c0601477b30bf004

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
78e03ef1045483b2b63bb4b5820f3abd

SHA1
2973d65ad6876dce23ff01bebb72a68b84f1b830

SHA256
75c9718e2860b211b09096e481743f1568c7a37c05096a34e3ac4543fbd48163

SHA512
5b260ba1bc143c87330f6e96c80eca8e403c66d13f9c564d088b7d25daf5859cc47006d9a3f72cec9f211e82b0e8313070e44b3b32c40a9ed1a492bd27ed4102

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de04b1fb6d15d2647e846705866d1fe4

SHA1
31bfe1bd8e2964c668f8f2e0476545e6901f2374

SHA256
985af2294f111e6be04f3a8ea2a240b3fafaaac98001968009e47d3e9b681b59

SHA512
0352e5cb15941a8bc5cac8517569bc021df2ee577d514b4643088df1302ef1c694020c2c8c9d018b71bb5eb38a180562e38e1796d2ade924ddbc64ced84d2856

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
aaffa87b11241a18600460b41589f480

SHA1
391dc6c5e432962f6fdc4859e5147e104e951f7e

SHA256
364250086f359e8f457bd086b832fc74ad88aa8b9aa979749626216de369517e

SHA512
ab7d24d0cb6afca817ac6ee9243ea787ab630829ea60b1fae1222f97f1bcffb19f2019fa2d82456d10fc1df91993de2be3e8dffd6e438b8aeb4c7bbf35504694

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e0e4541166ac9e02a458a71e39514f68

SHA1
62cf7bf92abe663a86f7876f993df56832f73a96

SHA256
4364f2051b6b9b13f058d01f8ca9e9576838ed4ebc6476cfc946ae436a85f291

SHA512
3dc9d51a9a97783123797cc47d317b2fbb645578e8ce3c44e1b11784a219e4dc8d57e314d248ba708ed3c2f1d7e6c21e20b59ca27987c5b0c6ad486fef62ccdc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
549a87f3731c26d923b496b60b06c1de

SHA1
8d4183cb572731d5fd93867002e06ffa7157626a

SHA256
499a30567145218c243a089bb439b693138c36577ff40e9c8e71c3ce33113dcc

SHA512
14858d2e02405004f91e9d7dbc7aba58a387a9c68512705e55c5b8b294526393afe38e4f88b2bd25a51a17ecbe01c38acac44d963c14e54b475e27967e748b73

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
78ad3e5c8d722fedc54087a46fd9b2e5

SHA1
bf13cefc8ef7e452d1083a00e8b599fc041e17ee

SHA256
bcc1d9e25f8db9a90c47a3d29c1ade23760cc788d4d5245148e88dcef5ff1284

SHA512
e5fe5f722aa95cdf442a7b6176dd7d4bde49ec17ac576965e1e26c389791354fe780f020533ea186fd2e84743f4bb37443940dfdd5125c0db05d96ab1b33f75f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
59d6e4ecb4b274106096f81a36f0a2e5

SHA1
6725af8238b114dae72a725b195864c88ed27ec2

SHA256
a765a50c055c2223bc53143aab0a0d3e55046c6c85041fd099e63117ff13c9a6

SHA512
118d984a5913ef5b24d3be14c439d350c0d2cbaa558ff2bfe2e61b81eb53a0ca07eb03cda2332e83eebb199e1e5d83b781b1409cbb70b7e205b64b291affe554

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
99856b6486367ef9a1edea7b7ce476ac

SHA1
0a1b33b7fecbed21659ef2ad4bd150d96c8c92c8

SHA256
906926ecad170d7e5dee1925391248321780b4e3c2ed5d0dc539ba09dc35000c

SHA512
b1d4ce47f226fefe61fe3af3ad9fbb75f073011ff669acccb5002b46710a6adb62bdd9af48d8a66beefeaddd2cbaa8d44f76e90d908e142a5d2e7981f7e83ce1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
61d678a940186f3143d12d5730f41bb4

SHA1
f76b2e8dee5061cc1283a8b9e1a5d8969b0b6726

SHA256
df5d8b66cd7b87d9913b9f0475f85ab3e914b540b0c7bd2f5eaf76b191e23c4b

SHA512
999b616bd4a2c084c54f03018017c3ce4b76131606c17298a8bd238687d9cce22a4e346f95e83a34d2db3d35dd3a9a533e3cebfb2278d89f2d1497b9c1ef8607

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
6ebe447a2dbfe341bf9938ac5a5018fc

SHA1
b689fa41353a2fb83c85c6bbad4dce2aecc6c9b8

SHA256
f2e49cca857ed9b7b4ae5cc50cf1a068403caaf9e50c67022a46825068dae18e

SHA512
de603a2d4eceb22eb2cbed66dab66373ff72a137fc4291fe2b9d8ee8e3b0ad6f1b08640dad77d6c8129a99ddac2e666e5fd29bb6af10cb97397b55fd6454494e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c79c5ba3417c91fa59ee5208447f5b4c

SHA1
d30fa90c7acbb0c4d347c1eb4d71a3cd23514233

SHA256
2e4e1971ce44a3469aeddb8817d3868e6300b5797ffc2fab95f2f8ebc57a8e18

SHA512
639e3d1e8d127a4cb54a2d35375cee315f0a3395ac290747802b556a832f7b69aa05fa3899daa1a3f1fb94c083aae5433cf256a62565750278bb368787adc623

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
64f5040d34e499051b17fc2dbd116bb5

SHA1
f05e3a12f2e89000c0a17124e737e65f97250bb2

SHA256
f11f2dab99d013e1dc0c86bb304bdded9c625f2812d051847673d4e55f83636a

SHA512
157a0a6a22ee547ba94c308ae4db1679459463279e1e77081e3397bbfa7cf52ba90542c21e855cb8119f9d1d59a50349cde33af0b9740e3dc2b4bbae40ed7d43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
164b1d71254d73233bae28167d2f561a

SHA1
bd31f0b9381d97f465ccc777b26fd85f87b98261

SHA256
4a58577a060cfca13cff40c3fefed6d0d79f8db461a6e343e9270e65ab2f5e06

SHA512
8d98a3b98362040b9d80203275295e8bb217e6e5051ae6dd872d560d7ca4c0a00134c91c03156c46b145031e345d6799bd47b0885fe48e67240278d5f279bab6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
797add0dda44a0e721a5061796d2c10a

SHA1
1eaa7db922ff2de7268b0a842243a91ea3b69fe3

SHA256
f2c2557c1d3d78007a93a710428f265189304bde5500b04c9caabb56e6880e1c

SHA512
1bb9b7a7342bf8f0b7cc3a68b1f38bf90af81bbe77d2a413e11c245587e8172fa2533a88c5484c827ed651b363b699bf880ea9d4e3a13465bf13e5e331e43464

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
3c0ad13a3a3a473daaf1797445100949

SHA1
289dc9a924f1bcaea60accbf22c1cc2acc6a22b9

SHA256
36427124a462cc3dfd0cd30227daef7cf44c7b73b2d574c4b5c1ee7ee4a855fb

SHA512
861519bc2a8bdf560c6fc18f88d7ba5c0b864725b4b7ea815b949647ed33e5537a361116e7a4e189a2101d5449c16528bfe2fe088c4afb1d62fc242b9251a979

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
8b4cbfcf9c9e4978f1b69f6a77d8dad8

SHA1
7d5a81404340aae4f1cad1c39337b3f3b3b9de22

SHA256
45543ac78709ffec4410c97e4fb94e329c2d2a51b06c77066ecf38c5b949554e

SHA512
b23539eb1277e1de78ef3ab890094919f40e73209f3b48babbfc0a10df27e58c74d19e64fd7eb8ac6e843bd9b1990a26414fef9330f0b73fdb2a88dbd0c477b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
4c5b4a4ab978e7b094e907c69b4c8f84

SHA1
f43f3a22433f5f6b37755933c7b2b83028d8fda8

SHA256
0de7847a0a58876f890e009c687a2ce9dfc4a57c02d5dface10cfde68ae7feb0

SHA512
720be40fce9e79481cc6401d1b1042fbe94e0261abf186d6e4badfcc84954ab2597964ebdb4aa0b0c5bdbf2be9a3551556ee314a55239e016d977d976ab00ea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
d8eed48f8e871fcdda38d90025122360

SHA1
d7c140ecbdc74f004736bc81f1787dfb932b5eb4

SHA256
8cb8d796dee54b0635d06b9eaea7153266fd93554b683d805e7e96f975d0bca4

SHA512
2ecd33b9163804e9c36914fc7c12d2a662fc37200a2af262f6da2e574e4a891ab4e1badec0f0521efb2b7085534a6547ec65752a0bfb4b4640b4dae9b4a6db9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
89dff8b0a5e74cb487bf0bdd4ca2cd0d

SHA1
3b3e1e44e3fead6e425740f1b3e772a7bd8c46b6

SHA256
460e490f1f4f4a8a3e987b322be1f679ecdff9ce84b34fd9b9e9f49c2fac3d39

SHA512
3820126a984bafaadec5281f22f0520679ff947225413b9f45cc7901707f908d3e28221a9626d289ca1470213ecc68b02b2872c8e44ee1c72ca409ae33496192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
61ee6daf9b8313f7a2e4995ec8e98593

SHA1
4e645b60c57479b7c0bc2b4d851fea12b1a80d90

SHA256
fb58113e411fd60680fe30861c30cd2ff876bfee4ad43e212266c16193a34f90

SHA512
7602a9ebe89773cb9455ac93fb7787190351f3ca23207328615bef3a07976b6d02ea59fbe4437a2a2ce3a570f45e509d9b469cab497c9377220154e5f42193d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
c0ec30001df2e9fd47248fa3784f27d0

SHA1
4eae86aa7ec2e68306d1997d2cf612e4e15f20b7

SHA256
e5e76446b48ddf40c6b3817f24efdd13aaba91233c1320fda6dd833e07772f5b

SHA512
95a2f744cac179fc4d5c9ed54b6d131f7f790f3a5b0a458c6686b36d5c4ed61ddb017d16a20f8ca80cbfa0553d5b19ca631b7607e711ab11eba6c06475b0b26d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2c3b89bd4722087f2e95de4d717af2e2

SHA1
5d467285a3e6779ab73790684daff423f92693cf

SHA256
a653aae4dbdebe0b6b0cbeb690b45ebb4e9a3346ebead1de554e63228e7990a8

SHA512
376d2726f8ae4d0e91dde3a6ec2ef880de11320301c2c208b1e6e948492ae5e08b3c6c82c316d8a728b6ceb09c8537c2b5a4d050b2a98824bb8bc6cff4a1a633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
95f35a275a4fa3a9f549ea84c7503565

SHA1
b175f0a8c2f21d3c622862c7ac2c1e8ab155c032

SHA256
9b86619dd813dc1f9a7ca425ba3f12f27fcf9d00c501b2ed6be7799f1f11205c

SHA512
9c6dbea5e46f57cab1536a93b6d7ad15e1b429ba45c01d304bbe397f25d10be8d79acae0ad6a038c8f47bd7ba1b4f6e2ffef56bd754c72bef2dba154cbe5c45e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
42165d33d98fa00309446822aea94d39

SHA1
994c07b0d7c2661d86f5210616238e44c4747641

SHA256
db8c91be3f5d18857a9daeeefdb09cc040ef47b8319069d2dd09a96fadd0709e

SHA512
2b832ac4c4cef6d3f0aec133866614e24e9a3c073b475fbab3c8f0f3c38e919903f2a0c337a947a8fc0ba4aeae83f15b71e53e0b62ed86e91f8310de27518329

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
36d1a84248356839751db336da282f91

SHA1
a5411108082144cbd6a48fc06f8a2f28cad41979

SHA256
9f23969d0fff68ff7cde648a6f05f5301230c98e0984bb1e6503e905ce825100

SHA512
6fe0a9e893675c21099f9f2471766ac4b27f74f5f1791a11b8322315154a77f7696742795fbc3849edb4fb079f29124b4e55e37ab026398af61280e20a010dad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
dc5d57614a8289892ac3237771ca315c

SHA1
b6c54bcefbdd57a4dcafd9b8c6bbef4f9ec3eeab

SHA256
5372af7ae71eb91a3de0da89dd08060fa96ed3fa5e2465b8f2998943200e68ce

SHA512
fac39ccd018c21afec4cdeddf4c5bd3399a32dac5946fdac9767316f2e3aed07e0c0db4616b8a4cf69b9d25cdbb60083ba2fbf4d6281f5b37ca635feaaf0d5b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
2a565681b92a3e01a2ef697e7e823915

SHA1
f2670e016dad4d3929868a749ab392259e3b5931

SHA256
af44f63a1533b5ad1c48d2f22265cd8f3e7f49b3e82ac90ec4e45ab644b5068f

SHA512
827460e97f6036b25356b678224b104461c8ecb5b076b1656735ec2e9d2b261cf99680f6dbb0b97b104b036b49d73fd94b6237d9a6975ace397c4b27b8fc06df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
92ed23a8df4b7cec145e7d4947462418

SHA1
09e02b6e49b501110be52acd196ba677600dfe87

SHA256
a747bb19834e595e1b835ec6d1bd397a6b051b178808e7f13cf6aac7c91a4fb0

SHA512
f6c31ad87f0cbc90b21cde4814df9af4b3058fecfb68dffe297461df5bb952757fbeafe9779696d8e298f9cf3e05869c55de75a6f7c27dcd5071e177e31f8d4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
3febdf7f5519b8844c6920c6fcbaf365

SHA1
25750cf6f5e85f4cf8ddfd34b1d12e77ec24d15f

SHA256
6b29f93911aa5da100e94dfa24e6be813a8ad8245329d268bdd8a0ab8087f316

SHA512
64dea04fd4aba84f2d0b929afce70f4035bdd04f643109e60ff146e6ebc0de99d26c5f25ed3ba593f29bd499b56f37488fd9e78268cc8a441c84dff0196e7878

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
82dad0677c30e0b82649e4138a6f4476

SHA1
1690221f8843cb965e3cebdcd5e11277c0bb5ea8

SHA256
d4e0038d0cc8496d8d2e67ef20eff0d471539d030eb93d671a368018f5cb2698

SHA512
456dc17fb10ff33892d12698a147832cee8c69b054c6e1012d396513f7511943750cd9bcf9554ea745066822532e5fa8efaa5b387e164f66d2f6cd1d02adb79a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
576fac8c30fb1d99121b1756d48eed22

SHA1
d4cb6ea35a4734be4912292f1e4a2549e6976b1b

SHA256
db26c7ca8dde6e580c3317dfc54b5c8e5977b4eca04f6873a4dcda2c4511d3bf

SHA512
d6c9ab58e34f0d6e452282593032b2f7e63344978badd783c46a9a680f57a8dfff4082176bfb5ac5c8d03279f3d2ff903c18107687a88acff3c0393acd0c9e03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
cb33d70e73f461e3f3a4b9ec3ac90e20

SHA1
2ea6489b382a311e55646232523354ef336291f9

SHA256
a4e525ba92a3717ba1d457ff5e22053728290a43c597db982c468a1edf1c0731

SHA512
b362822fd79619dbc8c9ec3b8b3002ec057441219745e09a0e07e3999b65083375fae28baf3c2942a9f838667d96939b00e54391a25a117f3dcccd46801fb099

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
9372ec910b89328941041fa8d2698dd5

SHA1
d7247bd5f425a76df7d5cd5c623b912317c81774

SHA256
3ca18c82453a7abcd6a793943c21291be73c41a836155b0be8159979934272dc

SHA512
3d332ff649f10dbb2eb9e6c1ce84d073d31313296ea437ace2686a80a482a45f3cfeb1957394ade80055fe4a4451e08054d54a5123c799d04e874a048683db0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
ef891d257f04f7f584b3e1637799f2ee

SHA1
d54ec9aaf9b49668f8626199cfd6268402dac85d

SHA256
e54338a94e8e948b1aa987945d5965f0bfd61956dee5b4d5f665ad14fb75dbc2

SHA512
cd0c8adb1b475f07a37d2b259ea981d4bc88c96b57d94734dc4c339094dcdc399fbb2207738660f33d32bfa291c095017ff8ff7df750f1c50696bd6f17c2fa96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.1MB

MD5
9a85d7b2c755684efbd1e4613d2e5b77

SHA1
cd5768f3875d5b62bdc3a6545730657a5cc1bdbd

SHA256
5f5c8a54dc530169ebc0e35507e26072f6a2030027e43a6d3a45472e0c2460f0

SHA512
5d7ee7111d6ffb1a1dab9b15d03a7e1a547e1e60b6109aacecc80c7cb7a74e5456815cf0810de937b539aeefeec90d9753dbd489561b0a07094c199ce2df4632

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
37d68adb31c0fd48f4e8512270ca105b

SHA1
f17cb4cb78310b4685bc443a457c902623422886

SHA256
39b1db5bb6c69dc20e0365a9ad11b68329eee483bc4317e8542793e2307b0970

SHA512
1cfd659863e98d11a12be0d12ecee0ed4d81339eb402a8d307f5254ef13abcbc15cb0e31e305bae4594e68aa537f83ca6a3f306132ca7648f0b42cff08ad0c76

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
2224ca217dfbb3b6fd45411fe8a072c9

SHA1
285f47e0a5a4f2abe19addc4df0f3ad0b90c9cbf

SHA256
8bfa8b13bf5d96b2bd1b62396c7f43a328b11e1afc67fd63473b472b41e773f9

SHA512
1da7df6bf991a9b404eae850bdd8a471221edb74847e92d17e46c4789f23beb91e48990068515e1ac5253e66aa64b958b18227d5c2278604477a61e210b06658

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f5ebdae70b76c0f13618fc2299061ce4

SHA1
bbef4d24595933dabb1ffeb7d6efd6f554269d8a

SHA256
fd45d77ceb2f920e1e8c88ce19360c6974f2965f4b846e8708916afecf951c97

SHA512
8fdadbb1714018212ccaf603d53f12f3a9d68cfb3a80f3bae5c5848b061612f681f244a0497935d3bad8b5ae3ae87cfe30ffcb4584c93eb176a013c08e2a4e04

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
03daf5533c796b5a2a6cfd720cd8357c

SHA1
ec799fd7e63b7f56439bbe7e437225b115cac0f5

SHA256
9ff9fc2a6bd865dcf5e67939504c6d073db65a2ffee0c6db8ae037b9e612dfe0

SHA512
c686dcdafcc7bd856d63e0f569c539b71cd87bb7cf9783ed04eed3611cf6b6a35c45bc097bbb82753b0cab96f92567a3ffe14f12276672aeaf98c378cb897523

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f480f754ae0418f2baca1ae692d488a7

SHA1
372c2b415730723f4e1d8bd7674947faa2b6dfff

SHA256
48bff81b720c4d95e2f2c7abfa2335a9e71a91ae33d7865ae301072fbaba6417

SHA512
3eb5ba6bf8f39d4d1d7c3ed341b8dfdce4dd977dccf678c81620a006c8b930e5dfc611ef389f07e430226a338e483467abe20a41635f4c27672030a193ee7a67

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
8b17667a32e4dbdbec5f3cfdd044418f

SHA1
a285e39ee94a452043b59098b8f420a5eccc9946

SHA256
e301148dc68ee9c5ce9a98dbd5456bee83d00d87f5bf30dd585d895c5ef68847

SHA512
2f20dcad0b580f04b3f2c82ba3e45e13c50a03fa4a733f9c62390f017fc6e756f40b752470703eb3a372d5600b36312349c378d491b5f479f4163212adc7375d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
cdbe4239de0ef28800a400b5f512ffec

SHA1
223502922842afe2272a684dfa0c5f11e81b80a7

SHA256
8192adb1ffef934ead5a8986227476201d4c4213b67867a05321a9ca104e9ed9

SHA512
e3cea576c78e5c1d529d107018f27a202fcf661ad5ef58c516b01585d6db82827fd105f5c7219f6d61be5bc0b9041889a68b04934358a0a33c2a66426dd80403

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
b193cb028011ac5a8a10f0acda70420c

SHA1
c6cccc725a2c27efd38025cb5c0dba84e8fc8377

SHA256
41176293f251bc8f63c0a897a33d08d5e46781f86d3969ff8709e4e1608491d8

SHA512
6cbed6a2567564739a1327afeeb4b5fe1c64f4b68e533549d61ea8525a23149b594f41f3651d603a282ab883c8c36415aa6076318bbd37c4372b477225104e95

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8bf87f2ab43005a4ad7d56357c633050

SHA1
957dcabe7d86979cea54af5585dcb94a0b72ecdd

SHA256
3a131ce6fd62a0c4665210a6cb048d5e24d3f529e1433aefbc36e91655de6820

SHA512
25e542744dd2871cbc1c24155f044e9d03393773cd7de775e2f96479452574a2f9796c843f376743a015285eb400ca53f9d433d0236779ddfbe6a9bb653187a6

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
612bc8f98db0755a3a45cf855d4e62fc

SHA1
11d94e2371e9cce4552a5bbb3e0b5453f743b1a9

SHA256
99ad4fad957ab2a74969173832d1d7bc30e4e5f280c088111267eeead6a9008c

SHA512
b46e2ac33daf59eb50f74e866a175ab86eb91bc73a94f61c55f2df9ebf04c3166299f24fca385a41914c7a8f9b3c564fa9feb080950df47313c4a8f3ce30b91c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6980e5a292ef2541f21c55c1e5c60c1d

SHA1
bfe9cf11e63cfb8cf1d6760da9031eed92f316e6

SHA256
5d82345a99b686a2b75b57876347942f2a47631c41e6166a8e9d4e3ca5522705

SHA512
4d116998e01e3bffae7632d1d64aae3dd6d4116d2a94fbc36b9a94be494022d542382397e72af44af162bfff0091e54b17a74ffa26fea06343a247e7cf77ad2a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
7f391c98024d234d74f92be0ebaaa095

SHA1
5c222c96b927f39d468dbae877d0458052324b65

SHA256
ef226c8f4fc7af801fcd0106b7c83659652d42518e6380029a667046f1b658ba

SHA512
8493509b4b6af7c4e0f9c46fcc6897ac14a2e2d57061768bd10ce30d4025b3721d82ec4bf61916e6d34ffe41aee1115965461d93ec458e1e01680832e6c89b96

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2a810f106e5d00246d32710503aea3cf

SHA1
030a79016486c6e1d6e850bf7004df585deadfe3

SHA256
50fde8732ee6d462140854925a39fc5359b554327bc4f5400dcaf41812f8cf4e

SHA512
dc4b6dd102f71954cff7e576b776c6e29fc101069ebeb2efd49e3e11c6daa2ef2d24539db7090b588e818b93edeea523f3ddfee5c8ebba9e5258be95771a090e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d21f7d426d4b67f35e32a7301c2b86dd

SHA1
4718677662405241f8a633dad9a03ca61ae9092a

SHA256
145371110ae9fe1213f5b23085054121f021cd0e221a11e7bffd0e4e9c697159

SHA512
86b58bc395593e922770607ad117816be72368d159c68b82a65af4f9b67cfec331e7817d3150913b9227306418ac07aeb59c25ae7fd9f33a1d8ab897d2f37377

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
2016d71f999c1b94f60f0158ad6e6b50

SHA1
3d6cdc3b0b9ce2bcb5f0e260cbe007b1e0fc61f5

SHA256
5a1349c8b0b3b1f6163892e5767cc036ed19bd0be2db63fc8cddc1aa685d360b

SHA512
c520f405b6fc66b599c60df04d902e8978f81260b20b34c74bfbaa71656cc52f737925653d86a6614b3fb741fe08481119043167980dea4f517bc31475ba4d35

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
7e61dd1a5852f75769fce40773e7e4d2

SHA1
8198dd00f8909e569ecd79333c7672d44ef9269f

SHA256
3332aca20cf4e5c1d8276c0c7333ccf9a8d4afc8792b899a6e94cc05f9e41cfc

SHA512
2d56657d766cf502857c3664a7787b82595df45655cfc5907108b3a1d5badb5451086fc48bbca152eca0eba334ed47a33128e81de28ac528b0dc014a9fc41557

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0582919865c58a52bfd6fcc0c5cb5336

SHA1
fb1f51911864e336a561e37e6baf0d67e820d440

SHA256
81512d9381d5c09a212a9de66ddacb74194b8ff06638db5d4afe04d396b54f02

SHA512
8dfd28ceb34d4402dbc3b57a2724d572d6c1fc3c3220b3e6161337b94a32666907652e9389402bc55352f48676690b1af2e19825d4341208e890763ac79cc2bb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
9d95e1602de48e4e7a7e422db7c43d10

SHA1
063364f29a0ab08f810521081de97927fd6ab067

SHA256
4661d2aac1242d557acac998e613edb46fbceeecf4552cdc1de30792dcad1af8

SHA512
dd032fa3dca25f95f45f49adea3c7819c94b64e3ef0f981df2644a5c40cc02d5f6ce22359c39273cdf48403a65e458110cc85d63d219084d5bc500813e899071

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
121b79a33b0c751a260fa1e47438d61a

SHA1
54fe5a6ec47e98ae2b483cfab299d345f29b7bdf

SHA256
cd4c3498cbc0b85ce0ae9448659e5f89a6d71e7e185ffa8d6e0267c7978c9058

SHA512
3dc52dcb808d35924c280943672ba16e7596be2de80cf8ed84a5d20ebafc73cdad778cb9a2c3131f8c11131cea065cb1cfbb251648dffde3547b322bbe00a408

Download Submit
memory/32-281-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/32-393-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/548-25-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/548-24-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/548-16-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/548-191-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/772-424-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/772-629-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/856-255-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/856-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/856-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1352-524-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1352-356-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1356-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1356-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1356-543-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1536-306-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1536-417-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1752-406-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1752-626-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2020-236-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2020-74-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2020-77-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2020-68-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2076-63-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2076-62-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2076-53-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2076-76-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2076-65-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/2836-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2836-517-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2852-295-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2852-405-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3008-630-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3008-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3160-1-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3160-12-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3160-0-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3160-15-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3160-9-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3496-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3496-29-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3496-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3496-37-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3652-344-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3652-523-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3916-41-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3916-235-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3916-50-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3916-51-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3988-514-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3988-327-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/4180-560-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4180-390-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4304-269-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4304-389-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4340-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4340-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4416-561-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4416-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4868-244-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4868-250-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4868-355-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4868-243-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download