Malware Analysis Report

2025-08-11 06:23

Sample ID 240403-mln9sscf34
Target 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk
SHA256 e8120cca3243174642aa8c527b2377553aed137547288cfb8079f1ed540b6b59
Tags
spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

e8120cca3243174642aa8c527b2377553aed137547288cfb8079f1ed540b6b59

Threat Level: Likely malicious

The file 2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Detects executables containing base64 encoded gzip files

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 10:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:33

Reported

2024-04-03 10:36

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe"

Signatures

Detects executables containing base64 encoded gzip files

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\89c6569eb3e2edcd.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network


Files


C:\Program Files\Java\jdk-1.8\bin\keytool.exe

MD5 4f59c94b5a218dda6ff5dbb358162717
SHA1 cbf0cd03dba2cfed5d092bd337282c686dbbfba3
SHA256 84ead607a4111f39ae0e1fc989c96fcf81b438392f2fc348f9edcf3450266329
SHA512 684e82e83e32dfd9c686ba8a01ff6eb533d3ca06f7b7b70596277a5d470875b23b4e40fa13f832bb4f67c9f409dc202c60a772d0b189650d0dd2d5949a835b69

C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

MD5 aa5d3f13f9ce97ab25261559540deca4
SHA1 4561ffa961bda95fa4b58c2613d8c4a97a0e2d7e
SHA256 aca80019879f8ca8edd92d9b5e5575688880eee8ea6693699430521d24c20e73
SHA512 fde7d0b0ec8bec193e6b3cabe108da9d36c2139598bcf95da81c187a1a0dab35991e32f1a63a6888712bc7577d3afe02f8ce5c051435053cad8ab66d37a19840

C:\Program Files\Java\jdk-1.8\bin\jstat.exe

MD5 422d851b2d83f4b3e3074e794fb6da70
SHA1 bf6638adc15acf3a3c2da8dfa423e93caa34fff0
SHA256 b6baf9311806da87b4fe2a0fd71f8cc687294ba372ac9489c0acd32e3016b4b4
SHA512 948ae2216fe3400e9de8ba3baed9aff792a11b1dc8c90aa83c24518eeee15cbd7923adde8a8ff0b9e6b9d154ed339ef25438c859ceabaed8f911fdc93e993a42

C:\Program Files\Java\jdk-1.8\bin\jstack.exe

MD5 3de95e766439405af7b1ca9f7ea2e53e
SHA1 91da050e94da66fb691a2a47989011608eb7530d
SHA256 b4d8e4dd320ca1c58c8d4cecf97731ca0e0db4799c4fbc74484856da626080cd
SHA512 4b59feed117112026ed26f3fdecbb2498256a454cf33ab92ad100aabf8377b4c838d52754d7df9a12ee4e48048ec9f836a5eb5fd3ebac18f0e65ec6d06ade390

C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

MD5 90b1efaf46cd92da5b76e2de21756582
SHA1 e070dc05150d1644014652be174e8cbd6b19f9ba
SHA256 362abd6294e974f8cb713ead92f60fef432494fba9b0f5c438ea5c7c77ce7721
SHA512 1fa180b585310f7177d0e64bd913ba7cee69ed46d52f32b7f9ec47f5f49018cd39e78ab931b1f97242eca1e0bbf53d661be902700416468f1212428a6083ad93

C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

MD5 faad352268c6342ac27e8fdcb0c2ad1d
SHA1 6a40c424ded66cb5cf80bbc66c8e60390f53a363
SHA256 a82a923dc96205985e52a779b1e11ddb6582c8fa49e49e8c1fcb7d480c6db6b9
SHA512 300540d2a187fa12b5e3c7b4fcfce603e98e36c8d5de0c94be91e13815dda09d06a13993aa99085a1affd265b49cea5d27a699d93a8852ace20da548dcb158c7

C:\Program Files\Java\jdk-1.8\bin\jps.exe

MD5 9ad0890ae573362224c34110ca73c1e3
SHA1 53a13d24140c350df90143214298bcb4eeb68722
SHA256 ca52bf1b54d4cae98a001bcdf5bb3e8499a825a20c014c52e4375263cc4a46ee
SHA512 d4586a15f4e35a46b15bd3bce4c42e4675439af449cf041da529574fdda58b3da5c5988094e1a2cf3c3ac7a5a3bd2a81f78c45d9e60b9522c4c598720a1f13c0

C:\Program Files\Java\jdk-1.8\bin\jmap.exe

MD5 1eba58eb7e4090902f440941453091e4
SHA1 4219998ba3ed73b0df263fcd532296c8df4487d3
SHA256 65602cf6e748530632dc3f83c4f95007253ef0ac280af63e789fcbfe3373f893
SHA512 c27b0f08b0c56be9dcb1cbae986d096aa1df4e7670b938f2860540665e9d99be360d860e60229b8d85852f12f95a8685997bece03888d0413c061844ed60e307

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 8a6db8f78fe1ee7ee17cb8908664883f
SHA1 528c49b846a03760571f882a520f7bcfa813a160
SHA256 1cde7522efd01e72206eb7f9f48cd6ee97f25ed8de0c016b1fc3e57b2f29240c
SHA512 3b0857674d8d27499942cc10d9331dff1221b34a681ade9a37ef38f523853a3149afe57e298667e78a5787d386d73c7873819bce152ffbae24f9139e7a477859

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 90569ea80356b93f788362330d21304b
SHA1 0adaf5a2771aead5e6e46aa316533cae6991f17f
SHA256 7c030c50366202627399e1f98f07f1430f8f8a634af10703a1c13157d8cdaa12
SHA512 5474711629d1ce6355e4315068287c5ccc6ceeec34725c4145721ffcf1557a5ef5f213592c3c549dd6e3357c71658524bd74b1562d2e33950384bc9a11b2c2f7

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 9db82364f4e6515ba70871bd0ad9492c
SHA1 352566862b36413b95f853226bd4c038c7f3b50d
SHA256 c0547dfb2b587a78822a218e41ef149a65e6bcd4574d32412979255c1d41f43f
SHA512 62ba983a77b6666d69f7924b88e459c88203a71019f56488df2c52e5b4c6ae6bb8d29ea3fb2fe56e3e699655c1b51c2225d12b1373c9d28ae6723721b0518788

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 8178e4b2f4c2d68438c251acfd6cc6c2
SHA1 3e76f00e867665941ea3ca2881ed154fc0a5838b
SHA256 e0db0a4c6393c65f61d682f2c2fe14d79b5159bcea7898587d9e6e38f0329735
SHA512 9d089666539ba5d5ea4eb9b0a3313f991215c0d30681fefe675ba4ef9f17b99b4bf3a45faf399904e2f86744c3f9d757ddc3cbe38c065e9e56fe264f482d71b3

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 a2c627c7a9326aff35fb845191d7e1dd
SHA1 a09e7bf61212bf35714d675fe5e4155a63de5df6
SHA256 c8fd3bd32cba9abe0af7b0f458412133fcb05572b726c29984001bf81b5ac483
SHA512 364bbd4f55d3030a2587977f3e71186ea581be4aa3992b5a9f99e74ac0cb6a6fa9a3d1466a70f9ff32a0aae36633690cb596db2e319a2b5206419657333c7194

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 738cb659b4a90c610b560136762fb3ab
SHA1 186cae8472917802c364c1ca5aea7a44cdd95e19
SHA256 8d05f4455e767d23299425487968969cf831a223ddaa788ce5de677c8afa59bf
SHA512 704b82c2b9885e7d28f436d8f2bba3807e95827878642f0fcfcda1fb3448f89917a186e24a53cb05b891c2c3b869083d8e78846f9dcd7b3de38ff81338c32d02

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 7e79a33a72d9d43e519e1276326b9c60
SHA1 f45f7407636cc526125dda70d4adb8cc66a05568
SHA256 14a589064e90dc98e44b60e89e26c90021c2375c538b6ccd42e38349bd516e1f
SHA512 a189b8001e41509d2c3ea280656ef0980ca93639d826cd36951e2a0f83b02aa955228e9487fcedd489f7c0fdb1e29b05d5186dacffa99720ad785886128b6fdc

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 d4a334add481a6e21d0bb17f238de43a
SHA1 bd1cbaafccddcb3412acbff2c5eeaa7855bd74cc
SHA256 da8f3c19a7f812ee4b1e25f603a65c04374b5d6c3fa2e9030d19c4a535d32dbb
SHA512 f72e11eada3db7e5e5d1ab15deff2645250a8b29795b31d2e60696750a5cfdf93ed4245988d5df873dcdd07ee70075c59d6ddbc8db4205f6e01c3a6d8ed08067

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 13510415705de64c85b9fcd337072b63
SHA1 f62151f53c3457db733a49d6b1cae30228810a4e
SHA256 51e0492fdd58254df48517ae6193e50c6cccad7a454abc3afad8634ca72e633e
SHA512 7b9b434efe52a4384ff04d5b0c12ca5074b6422a864e9415f5f876cf422ea8d66a50ed854f38c07e9d2964df4cd65515b0237986802c4f5e98486b6d9dbf5910

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 da88c68be7bd5c160bcfc45af94ea4a0
SHA1 f7251d2994615e76d281427fa4a5986c5680905e
SHA256 13227c84bf3cd89cd2c983ee5d2be9729bf6f34aabe57eaf2d0a2c27c2e451f4
SHA512 e0176929bc2e85f1617ddb8482605ce453547771b90285ebea5c9256faa8b7e9bec6415eea46b9081e3474de4db46a69d459d8d4a4f565f12e212b813e960cd8

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 f2d19389b08ff935f8aaebd093f525e5
SHA1 52680c47379b6e6610b732458b759f80b7e71256
SHA256 a612485043f8991a639dad3f08438431a3c9d709199aa334d3042b8a94e90acb
SHA512 56579fabcc4bd1f21089628f1ed239ba8adb226777a1c75d6b3b4ebf07b688bd74a867cc0fe940b26a7d43f62c0db33e55a7c1dbdf868de5f816d354118e74ca

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 d086f6ee69fb6ad336fb7924fa615c11
SHA1 3dae5c1ceda565ba93e06d1a94c72a4fd1a92332
SHA256 3375dfe146d4105b0f9b1f0d88406da9cdecb600537f309f36b5d0df28d34ff0
SHA512 75c6a79a4958f09f199e7edb875ef5e3c21d5cbd88c905d5c7ec8e5b20d5c35684e369c6aa4fbeb65e8f3ce0fe668a2e49ea49710191175c984466d81ef34d97

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 08a6cb04f0bb51e54419802668dee738
SHA1 1d9da47f2547099087891af31037f0f32db6f937
SHA256 8bfaa294fc97cc2d359e62d61a582cf7a3b7ee90215f0764bf05b30f03e24a04
SHA512 ec8acd584738ee5e5cfe940182ede0b8c7c31e83a5e2a05b60a971e85d4d4690a511867dd467828c9011e268f4f2e4db9ea2e6d5260b733d66c9dc1daee24f76

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 0fbb509867f8f6237c8646c5c13c204e
SHA1 03a917bca0935f165d32c2d2a61b0b3b4b26e6ec
SHA256 6b03227f1d357fa9aa0f8a0943ac7737c898075952cf5f623ed7454e8ed3e72f
SHA512 d82e56f90b52102043a6261743f335d9a375496e6c6e6c9c9233a4e34b5f829b41b33dce7a6de9f3cdad7b49efbf6eb70de5ed59fe0b796f8a0bc508a9f81a8e

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 a201306e29b491e765cece37460561a9
SHA1 768f0d4e1dee9bb93ac29a122788598e72a0e781
SHA256 cb7aa1efc2e7403ef67509e3e488c33b60b6191c717e7987f5c746a41a801da2
SHA512 8de3cf320fe68ade16f33699ebd2a42fdd9caa360f6747340558208eb950699674529aa489ba7d4c8a35e9b970f022c96a6f5d99b17528ed4cc99b6069dbca01

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 aa26507d16ea5086e98137de21de7f93
SHA1 8c3b8cb891764ef4241b31030f0624a69255c519
SHA256 c7f3d6d27b67a2d9b5e5f81151442052ed47a1a66cd3407c6081d5cb497c6430
SHA512 9e80ba44c203f15b617d76140a3b576aafd6a31c1e1803aa2b1c145306a79f586f502cab9d683df01903b11c859e0fffba94332becb60e25a6039cfd47eff9d6

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 19dd5daba38e45182630982ac0aa5734
SHA1 927c09cd74e532add69a5112e468f9852b7ec411
SHA256 1eef913a274f3bf205827e4e50f4ec8874d91254db7b40cdd165980c6495c1d4
SHA512 f44da44824a27c282d86758558afc7d4221d612a081efa106a70b3fc997a21334d3b8d6869c91b77c59f3d58dffb9b3a112c537ab07acb1ec6947cec2f7dbfd2

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 0322de4a8556018bf7690d75d015c8d1
SHA1 04f83e7721cab8c07a2d3128afe30f47692715ee
SHA256 0b48bc00ffa019efa5a828d3da678db0dceeef922941cd82725a7b2566401417
SHA512 54c1f588cae28111ca0e1d984555a1c78525b044859fb0caea8bb186f02e6ff9271afe57f02d27b9396c33f08908b5b205436ac8c5ade6ef6325d4a6165caeb4

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 e8d4970eb6916613b2e993eb3da3ffa0
SHA1 c4b1a6c7c9dcc9ccce54359774b100d7cd049d01
SHA256 0ee9de3209b2337cc80f0ba85ae11f4cf2514754b93b4525312e02452702b4ff
SHA512 ccda79d45eb0404ce373fad8abd89fe43e332252383bcdaa7d18e371f4b1af99ce5ae1129b3d6475fd5fcaa7e072dfa926b83c339f91f98ae23f5d20eb0e9a63

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 e84842d25b7d7f9ab1dcc5dcf0ec2f14
SHA1 3ea18f2fc320eb015e7126e3e64231caba4035c9
SHA256 4d57ca394e588fa3c77c240b984f2973bf94ffc5ae7362990d10143a4557185b
SHA512 f43af7897ca59ac0455d2fac55cdc89bc655bd9775068de16e27e35f3a1824a70fedbefed9d8e23528f1f1a7280f62b302b15cb0b42b2b3414798e0825f99d17

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 b895ca231ba8d145baebf183329ce020
SHA1 7b3bc4a03c34f5cfb697946771c1ea9d259abddf
SHA256 8e4f73ff8e11043feb1adf1c722d8aea69d40ef8366f9be3acfe7682b3f4e64e
SHA512 52a663a903dad4b93cadcc31f88b21dff7c87c49fa53d18b3fc97e3e9c2efe56e899a06c85db6568a6be5644425229bb7d756f572ebb8ffdbbf6576895fa50de

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 b173388fdc38e771920f7c259c9d7a29
SHA1 d60bd545c50d9df5665787ac558ea0f8e7f93aa5
SHA256 113b7ceadb85c5c204896f6c9a760f820e444b3f8a4b5ce7993c1610d7c6de37
SHA512 dabd7ff2eb26ea44ee6fb0e7dacac087d9458d5f35e86c09a2005dd91baf04176792bb99d44b7d22c20481b135d2c33715043ad22a61da0474837700e3826c37

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 3baebf5c7fc27ffecd02340e7a66b9bc
SHA1 a99d025d6582b9f98ccda8252561d4d4319c880e
SHA256 683e3aceddf02d3aa6eb4651f62b372d09b5991409c4a904cbe15a800928e559
SHA512 000608faac2704d7924aa641c29283caff07914b1acb012db41d6a0317b0057ff212476d3f2d1e80994a2d65e25c21d201a31e15ee55b5b7d4961670c8d434d8

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 10e36e81510f26a9c70f2e8a4b53a950
SHA1 feb4a7191484bf8e4af3c7ad521d949e2d215172
SHA256 939b45b064f0cd8d78b955c452d9e83c672eccf12b65b455d241a14da86e31c8
SHA512 f4d4e3b632e280a12dcba66e0937907664f24179f3ccdd1aa6cff469b89d0f9688c83cd3cbff33b41a5ca06116be09f0cabfaefcf37b72e8b3359201e2467d07

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 10:33

Reported

2024-04-03 10:35

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\alg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7c1409eeae4ef42b.bin | C:\Windows\System32\alg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_f20e6b22d8e4d9df82aceec26a12aa5f_ryuk.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2456 -s 276

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

Network


Files
