Analysis Overview
SHA256
b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f
Threat Level: Known bad
The file b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 03:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 03:00
Reported
2022-02-20 03:27
Platform
win7-en-20211208
Max time kernel
172s
Max time network
32s
Command Line
Signatures
Ryuk
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9 | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\TextConv\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cayman | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\en-US\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\fr-FR\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\full.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" /f /reg:64 |
Network
Files
memory/316-54-0x0000000076451000-0x0000000076453000-memory.dmp
memory/1144-55-0x0000000030000000-0x0000000030383000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 03:00
Reported
2022-02-20 03:27
Platform
win10v2004-en-20220113
Max time kernel
188s
Max time network
205s
Command Line
Signatures
Ryuk
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\visualvm.clusters | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\ij | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\it-IT\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\descript.ion | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\lv-LV\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.bat | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\zh-CN\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsjpn.xml | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe | "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b5149d96cfbb0805e4ea55c8ca526eec6d44e953a48fb9027165156a51b9fb2f.exe" /f /reg:64 |
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 52.252.42.28:443 | N/A | tcp |
| US | 52.182.143.208:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 168.62.242.76:443 | N/A | tcp |