Malware Analysis Report

2025-06-15 19:50

Sample ID: 240406-frf22sbd6s
Target: 2024-04-06_e5874500038ebae29fe765f303978138_ryuk
SHA256: 522aad1b718682cf0d454ee79306918ad69ec05cfc31ecbd5a4d7eb427e45e34
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 522aad1b718682cf0d454ee79306918ad69ec05cfc31ecbd5a4d7eb427e45e34

Threat Level: Shows suspicious behavior

The file 2024-04-06_e5874500038ebae29fe765f303978138_ryuk shows suspicious behavior (score 7/10). The "ryuk" suffix is part of the submitted file name, not a family verdict from the sandbox: the only tags assigned are spyware and stealer, and no ransomware signature appears in the summary below. The behavioral1 run shows the sample opening existing service executables for modification (alg.exe, dllhost.exe, fxssvc.exe, IEEtwCollector.exe, aspnet_state.exe, the mscorsvw.exe images, ehRecvr.exe, ehsched.exe, PresentationFontCache.exe and Chrome's elevation_service.exe); the same binaries later appear under "Executes dropped EXE", and alg.exe and aspnet_state.exe in turn open dozens more executables under System32, Windows and Program Files for modification. That chain, in which no new executable is written to disk and every "dropped" EXE is a pre-existing binary, is consistent with a PE file infector spreading through service binaries rather than with a dropper. The modified alg.exe also writes C:\Windows\system32\config\systemprofile\AppData\Roaming\83ab578956fe8faa.bin, the one non-executable artifact in the run worth carrying as an indicator.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy WMI provider

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 05:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 05:06
Reported: 2024-04-06 05:08
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

Signatures

Executes dropped EXE

The sandbox lists a process here when its on-disk image was written earlier in the run. Every path below is a pre-existing Windows, .NET, Office or browser binary, most of them appear in the "Drops file" tables below as opened for modification by the sample, alg.exe or aspnet_state.exe, and several (the mscorsvw.exe ngen workers, SearchIndexer.exe, wmpnetwk.exe, OSPPSVC.EXE) are services that start on their own. The list therefore shows that the modified images ran, not that the sample launched each of them.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
(14 further events were recorded for this signature with no description, indicator, process or target details.)

Reads user/profile data of web browsers

Tags: spyware stealer (the tags are attached to this signature). No per-event details were recorded for it.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\83ab578956fe8faa.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\System32\vds.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3DF00F9B-1878-42B4-A9D7-D9E438DB209F}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3DF00F9B-1878-42B4-A9D7-D9E438DB209F}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
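As an added example, not part of the sandbox report, the following Python script reads rows in the flat "Description Indicator Process Target" layout used by the tables above, correlates "File opened for modification" / "File created" events with the later "Executes dropped EXE" events, and walks the result generation by generation from the sample: which modified executables ran, which of those modified further executables, and which executables were patched but never started. The embedded rows are a subset copied from the behavioral1 tables; the regexes, the lower-casing of paths and the function names are my own choices, and the writer of a row is recognised by the next "C:\" token because the report's paths contain spaces.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

# Constructed input: a subset of the behavioral1 rows above, in the report's own
# flat "Description Indicator Process Target" layout (one event per line).
REPORT_ROWS = r"""
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3DF00F9B-1878-42B4-A9D7-D9E438DB209F}.crmlog C:\Windows\system32\dllhost.exe N/A
"""

# "Executes dropped EXE" rows carry only the process path.
EXEC_RE = re.compile(r"^N/A N/A (?P<proc>C:\\.+?) N/A$")
# "Drops file in ..." rows carry the written path followed by the writing process.
# Paths contain spaces, so the writer is recognised by the next "C:\" token.
WRITE_RE = re.compile(
    r"^(?:File opened for modification|File created) (?P<target>C:\\.+?) (?P<writer>C:\\.+?) N/A$"
)


def parse_report(rows):
    """Return (written, executed): written maps each path to the set of processes
    that wrote it; executed is the set of paths that ran. Paths are lower-cased
    because the report mixes System32/system32 spellings."""
    written = defaultdict(set)
    executed = set()
    for line in rows.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            written[m["target"].lower()].add(m["writer"].lower())
            continue
        m = EXEC_RE.match(line.strip())
        if m:
            executed.add(m["proc"].lower())
    return dict(written), executed


def infection_generations(written, executed, root):
    """Breadth-first walk from the sample: generation N+1 is every executable
    written by a generation-N process that later ran itself."""
    generations = [[root.lower()]]
    seen = {root.lower()}
    while True:
        parents = set(generations[-1])
        children = sorted(
            path for path, writers in written.items()
            if path.endswith(".exe") and path in executed
            and path not in seen and writers & parents
        )
        if not children:
            return generations
        seen.update(children)
        generations.append(children)


def patched_but_not_run(written, executed):
    """Executables modified during the run that never started: they stay
    modified on disk even though no process event names them."""
    return sorted(p for p in written if p.endswith(".exe") and p not in executed)


if __name__ == "__main__":
    written, executed = parse_report(REPORT_ROWS)
    for depth, paths in enumerate(infection_generations(written, executed, SAMPLE)):
        print(f"generation {depth}:")
        for p in paths:
            print("    " + p)
    print("patched but never started:")
    for p in patched_but_not_run(written, executed):
        print("    " + p)
```

On the embedded subset the walk yields three generations (the sample; alg.exe, dllhost.exe, aspnet_state.exe and elevation_service.exe; then the six service binaries aspnet_state.exe patched that later ran) and three executables that were patched but never started (7z.exe, iexplore.exe, fxssvc.exe). The second list is the one a responder needs most, because those files are modified on disk yet leave no process trace; running the script over the full tables rather than this subset lengthens both lists considerably. Non-executable writes such as MSDTC.LOG and the .crmlog file are parsed but filtered out of the chain.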

Modifies data under HKEY_USERS

Every key below sits under \REGISTRY\USER\.DEFAULT, the profile that services running as LocalSystem see as their own user hive, and the writers (ehRec.exe, ehRecvr.exe, wmpnetwk.exe, SearchIndexer.exe, OSPPSVC.EXE, GROOVE.EXE) are writing their own ordinary settings. The signature shows that the Media Center, Media Player, Search and Office services were active during the run; it does not show persistence by the sample.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5ED08B40-574D-4117-8420-87CD69F06130} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\system32\SearchIndexer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = (binary value, omitted) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5ED08B40-574D-4117-8420-87CD69F06130} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of WriteProcessMemory

PID 3020, an mscorsvw.exe instance, writes only into other freshly created mscorsvw.exe instances, which is the .NET ngen service spawning its worker processes; a parent writing into its own child right after creation produces exactly these repeated groups of four writes per target. No write into an unrelated process appears in the rows below, so this signature does not show injection by the sample.

Description Indicator Process Target
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2016 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1448 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 3020 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
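The table above lists one row per write, so each parent/child pair shows up three or four times and the same two images dominate: the mscorsvw.exe NGen service (PID 3020) writing into the mscorsvw.exe "NGen Worker Process" children that appear under Processes, and SearchIndexer.exe (PID 2020) writing into the SearchProtocolHost.exe and SearchFilterHost.exe helpers it starts. A parent writes startup parameters into a child it has just created, so rows like these are also what ordinary process creation looks like; the signature is a prompt to look, not evidence of injection by itself. What an analyst wants from the table is one line per pair, the write count, and whether the target runs a different image (the pattern to check for process hollowing). The following Python is an added example, not the sandbox's own code; ROWS is a constructed excerpt of the table in the report's own layout.

```python
"""Collapse a sandbox "Suspicious use of WriteProcessMemory" table into one
record per parent/child pair.

Added example; it is not part of the sandbox report. ROWS is a constructed
excerpt of the table above, kept in its own layout:
"PID <src> wrote to memory of <dst> <indicator> <source image> <target image>".
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

ROWS = r"""
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 876 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2020 wrote to memory of 908 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 3020 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3020 wrote to memory of 2688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"""

# The lazy source-image group stops at the first " X:\" that starts the target image,
# so paths containing spaces ("Program Files (x86)") still split correctly.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) "
    r"(?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)


@dataclass(frozen=True)
class WriteSummary:
    parent_pid: int
    child_pid: int
    parent_image: str   # basename of the writing process, lower-cased
    child_image: str    # basename of the process written to
    writes: int         # how many table rows the pair produced
    cross_image: bool   # parent and child run different executables


def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image); non-row lines are skipped."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def summarise(text):
    """One WriteSummary per (parent, child) pair, sorted by PID, with the row count."""
    counts, images = Counter(), {}
    for src, dst, src_img, dst_img in parse_rows(text):
        counts[(src, dst)] += 1
        images[(src, dst)] = (PureWindowsPath(src_img).name.lower(),
                              PureWindowsPath(dst_img).name.lower())
    return [
        WriteSummary(src, dst, images[(src, dst)][0], images[(src, dst)][1], n,
                     images[(src, dst)][0] != images[(src, dst)][1])
        for (src, dst), n in sorted(counts.items())
    ]


def children_of(summaries, parent_pid):
    return sorted(s.child_pid for s in summaries if s.parent_pid == parent_pid)


def cross_image_pairs(summaries):
    """Pairs whose target runs a different image: the ones to review for hollowing."""
    return [(s.parent_pid, s.child_pid) for s in summaries if s.cross_image]


if __name__ == "__main__":
    for s in summarise(ROWS):
        kind = "cross-image" if s.cross_image else "same-image"
        print(f"{s.parent_pid} ({s.parent_image}) -> {s.child_pid} ({s.child_image}): "
              f"{s.writes} writes, {kind}")
```

On this report the cross-image pairs are the two Windows Search helpers, which the Processes section shows starting with their normal command lines; a cross-image write from the sample's own process, or from a service into an unrelated image, would be the row to take to the memory dumps listed under Files.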

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 120 -Pipe 1ac -Comment "NGen Worker Process"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 248 -NGENProcess 270 -Pipe 120 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
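Apart from the sample itself, the Processes list is made up of Windows service and COM-server executables (alg.exe, aspnet_state.exe, the mscorsvw.exe NGen workers, ehRecvr.exe, ehsched.exe, msdtc.exe, msiexec.exe, vds.exe, vssvc.exe, wbengine.exe, SearchIndexer.exe and so on), and many of the same paths reappear under Files with hashes recorded, which is what "Drops file in System32 directory" and "Executes dropped EXE" in the summary refer to. The check a responder wants is the join between the two sections and, for every executable that was both written and run, a comparison of the recorded SHA256 against the binary from a clean image of the same Windows build. The following Python is an added example serving both the Processes and the Files sections; it is not the sandbox's code. PROCESSES and FILES are constructed excerpts of the two sections, paths the report writes without a drive letter are assumed to be on C:, and the baseline passed to verify_against_baseline is whatever known-good map you supply (the usage below constructs one).

```python
"""Join the Processes and Files sections of a sandbox report.

Added example; it is not the sandbox's own code. PROCESSES and FILES are
constructed excerpts of the two sections above: Processes alternates an image
path with the command line that ran it, Files gives a path followed by hash
lines ("memory/<pid>-..." lines are memory dumps and carry no hashes). Report
paths written without a drive letter are assumed to live on C:.
"""
import re
from dataclasses import dataclass, field

PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
"""

FILES = r"""
\Windows\System32\alg.exe
MD5 860f006505d429f00ec518bbf676d43c
SHA256 2767a3a97e5cb84e28cf78959088079ed18b899b3ac47a5072a76e3a9a86a907
memory/2512-14-0x0000000100000000-0x0000000100184000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
SHA256 fb691a9824a903f4a736d876acba7e92f4424aa70e70d08640ff648f700f55b9
\Windows\ehome\ehrecvr.exe
SHA256 bd82e04dfbc37a66eec6399fc98058ee70a0f9b153440cc2867ef31260a2b557
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
SHA256 7b36ac684bcbf1d040ff72b002a96efe9838d88e7a1c9a41b1229c00894eb807
\Windows\System32\msiexec.exe
SHA256 7bd60d79163db9adc40bf29abdddaded26c340dc757eace7acafc27cc33adf83
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")   # a Files entry: "\Windows\..." or "C:\..."


def norm_path(p: str) -> str:
    """Case-fold, drop surrounding quotes, and prefix the assumed system drive."""
    p = p.strip().strip('"')
    return ("C:" + p if p.startswith("\\") else p).lower()


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> hex digest

    @property
    def sha256(self):
        return self.hashes.get("SHA256")


def parse_processes(text):
    """(normalised image path, command line) for each path/command-line pair."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [(norm_path(img), cmd) for img, cmd in zip(lines[0::2], lines[1::2])]


def parse_files(text):
    files, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if PATH_RE.match(line):
            current = DroppedFile(norm_path(line))
            files.append(current)
        elif line.startswith("memory/"):
            current = None                      # memory dump, no hashes follow
        elif current is not None and (m := HASH_RE.match(line)):
            current.hashes[m[1]] = m[2].lower()
    return files


def correlate(proc_text, files_text):
    """(dropped files that were also executed, executed images with no Files entry)."""
    by_path = {f.path: f for f in parse_files(files_text)}
    executed = {img for img, _ in parse_processes(proc_text)}
    both = sorted((by_path[p] for p in executed if p in by_path), key=lambda f: f.path)
    return both, sorted(executed - set(by_path))


def verify_against_baseline(files, baseline):
    """Compare each file's SHA256 with a known-good map {path: sha256} taken from a
    clean image of the same Windows build; "unknown" means the baseline lacks the path."""
    verdicts = {}
    for f in files:
        expected = baseline.get(f.path)
        verdicts[f.path] = ("unknown" if expected is None
                            else "match" if expected == f.sha256 else "mismatch")
    return verdicts
```

Usage: `both, only_run = correlate(PROCESSES, FILES)` gives the four service binaries that were both written and started, with the sample and EhTray.exe in `only_run`; feeding `both` to `verify_against_baseline` with hashes taken from a clean Windows 7 image of the same build turns "Drops file in System32 directory" into a concrete list of binaries to restore. A service executable that no longer matches its clean hash should be treated as modified regardless of what the sandbox scored the sample.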

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
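Every row in the Network table is either a DNS lookup through 8.8.8.8 or a plain HTTP connection on port 80 to a short, random-looking .biz name; several names resolve to the same address (34.128.82.12, 34.143.166.163, 82.112.184.197 and 34.41.229.245 each appear for more than one domain), and some names are queried with no TCP row following. A row-by-row reading misses the pattern, so the useful output is an IOC list plus an aggregate view: how many distinct domains, how concentrated the TLD, how many addresses are shared. The Python below is an added example and not the sandbox's code; NETWORK_ROWS is a constructed excerpt of the table, and the per-label heuristic and the thresholds in campaign_like are this example's own choices rather than anything the report states.

```python
"""IOC extraction and DGA triage over the Network table of a sandbox report.

Added example; not part of the report. NETWORK_ROWS is a constructed excerpt
of the table above in its "Country Destination Domain Proto" layout. The
per-label heuristic and the thresholds in campaign_like are this example's
own choices, not something the report states.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

NETWORK_ROWS = """
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<domain>[A-Za-z0-9.-]+) (?P<proto>tcp|udp)$"
)
VOWELS = set("aeiou")


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(label):
    """Per-label heuristic: 5+ chars, no digits, and either vowel-starved or a
    4+ consonant cluster. Noisy on its own (deoci and ifsaia read as words);
    the aggregate view in summarise/campaign_like is the stronger signal."""
    if len(label) < 5 or any(c.isdigit() for c in label):
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return vowel_ratio < 0.3 or longest_consonant_run(label) >= 4


@dataclass
class NetSummary:
    domains: list       # every domain seen, sorted
    dns_only: list      # queried over DNS but no TCP connection recorded
    by_ip: dict         # TCP destination IP -> domains that led to it
    shared_ips: list    # IPs reached for more than one domain
    generated: list     # domains whose first label trips looks_generated
    tlds: Counter


def summarise(text):
    dns, tcp = set(), defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        domain = m["domain"].lower()
        if m["proto"] == "udp" and m["port"] == "53":
            dns.add(domain)
        elif m["proto"] == "tcp":
            tcp[m["ip"]].add(domain)
    connected = set().union(*tcp.values())
    domains = sorted(dns | connected)
    by_ip = {ip: sorted(ds) for ip, ds in tcp.items()}
    return NetSummary(
        domains=domains,
        dns_only=sorted(dns - connected),
        by_ip=by_ip,
        shared_ips=sorted(ip for ip, ds in by_ip.items() if len(ds) > 1),
        generated=[d for d in domains if looks_generated(d.split(".")[0])],
        tlds=Counter(d.rsplit(".", 1)[-1] for d in domains),
    )


def campaign_like(s, min_domains=10, tld_share=0.9):
    """Aggregate DGA check: many distinct domains, one TLD dominating, and at
    least one IP serving several of them."""
    if len(s.domains) < min_domains:
        return False
    top_share = s.tlds.most_common(1)[0][1] / len(s.domains)
    return top_share >= tld_share and len(s.shared_ips) >= 1
```

Two caveats when reading the output: a domain in `dns_only` only means the sandbox recorded no TCP connection for it, not that the name failed to resolve, and `shared_ips` are worth blocking as a group only after checking they are not a shared hosting or CDN front that also serves legitimate sites. The full table in the report clears `campaign_like` by a wide margin; the excerpt does so with eleven domains, all under .biz, two of them sharing addresses.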

Files

memory/1848-1-0x0000000140000000-0x0000000140125000-memory.dmp

memory/1848-0-0x00000000001D0000-0x0000000000230000-memory.dmp

memory/1848-7-0x00000000001D0000-0x0000000000230000-memory.dmp

\Windows\System32\alg.exe

MD5 860f006505d429f00ec518bbf676d43c
SHA1 3479fba6ee8110c2f793fdc8c9ddaf01e117e851
SHA256 2767a3a97e5cb84e28cf78959088079ed18b899b3ac47a5072a76e3a9a86a907
SHA512 58bc185c0419b06c88f67ed710dd7987651b6fce6c146ad8f0f2177b1c41b5d80a03040ffdf0c822918e34b8ea04eebea65868ecee0c3ea8ff531c5f70125f6d

memory/2512-14-0x0000000100000000-0x0000000100184000-memory.dmp

memory/2512-13-0x0000000000860000-0x00000000008C0000-memory.dmp

memory/2512-21-0x0000000000860000-0x00000000008C0000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 a3e0b47290f7b3bba4b5c5e6fecf597b
SHA1 bc61342ed5573c982213063cb094defc05e71c39
SHA256 fb691a9824a903f4a736d876acba7e92f4424aa70e70d08640ff648f700f55b9
SHA512 56958911730ff504fff42af51da13cda7c82ea9c50c4d331010521bdf0db298626ea2d87d903fa45737c91c9740ba23879808fd004ea35cb74e27a916992c5e2

memory/2576-27-0x0000000140000000-0x000000014017D000-memory.dmp

memory/2576-28-0x0000000000AC0000-0x0000000000B20000-memory.dmp

memory/2576-34-0x0000000000AC0000-0x0000000000B20000-memory.dmp

memory/2576-35-0x0000000000AC0000-0x0000000000B20000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 84552bea8c1d30203c5475d92aff14bc
SHA1 1bae1ae53f312409e73042d8fae8aa5ff25df19c
SHA256 2df9aad4a402f55853bd1745112c32043cf8f32a278c136c82f65e84bdb9fd5d
SHA512 b329c1b6d8ad524fd0f8f65f1582531853a60983fe1530d65f47e6cf1a2e8caf48c3391aa5d83689bb9584d4994d21509c6948a3993d210c4a50dd94ec347938

memory/2620-39-0x0000000010000000-0x000000001017F000-memory.dmp

memory/2620-40-0x00000000002F0000-0x0000000000357000-memory.dmp

memory/2620-45-0x00000000002F0000-0x0000000000357000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 d059075990ebd23fbc182fb4ddc9f4d1
SHA1 5eaaecb024b3abcb5a599e8abf6169ab0a4c3dbd
SHA256 646da5a3fabf76b2dba19b1f38a22d2bbe0b33725d7787e4ae6440c4adff44ca
SHA512 c78356ca41569feac4677c7a1ac78e6668d1c3b5fa04d36c01cc36c00d7e74ef5de4d7224df677b3654d36ea25b5ee2b796c5f15460510b3be83d7a114dfb815

memory/2596-55-0x0000000010000000-0x0000000010187000-memory.dmp

memory/2596-56-0x0000000000560000-0x00000000005C0000-memory.dmp

memory/2596-62-0x0000000000560000-0x00000000005C0000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 44928b28f5e445b59c0dec34e3b1615f
SHA1 aa1915212af606c3a1fbe20aef810f5e3c64851f
SHA256 7b36ac684bcbf1d040ff72b002a96efe9838d88e7a1c9a41b1229c00894eb807
SHA512 6382b50ef0f92303e3d90f8975772b721a0792ae7d6d7dce3a611ebfc649b5b3679617af7c357fab861d5e8c278413857aa7ff407cc5ef6c626fa3572dd87a2c

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 25f6640547db18f69dd5fa01a9c44034
SHA1 de69005078cdaf705a8152edbba0c1a8d5593a89
SHA256 1e3167a611dac5673195b8d6e110d2da6d123a6e968a2091043c0c5eae35f0d9
SHA512 fdd56748145dc081ce4118deb7ef12aa554ceff6e0ad38fd3f14bfed3f1c0e82d19e292da9bb0f7ef5979473f794e48080a67216177f8b02975dce7f923a540e

memory/1848-72-0x0000000140000000-0x0000000140125000-memory.dmp

memory/3020-73-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3020-74-0x0000000000750000-0x00000000007B7000-memory.dmp

memory/3020-80-0x0000000000750000-0x00000000007B7000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 4d2b9b0a39d1742f2449a9921ab0b03b
SHA1 67832be69a2afdf832a3d4f34032c75546e0d1e3
SHA256 5542f6b4104b26223fb4f838600fca9b2048a7557678300263909adc0ce40300
SHA512 3ce947a7c37f257fba2999c3a117e1419dd690738ffc100416320d33e44469d256b61cb421dd24644ef5fe97ed51dcb32c01ffd32f39bacac72560c35557bb6c

memory/2620-89-0x0000000010000000-0x000000001017F000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 f174e17474b2ab1a74c08ebac4aa8b85
SHA1 f3122070cc2f917accd26e193b3a1d9f5e1d2382
SHA256 08af66dffdca283511a94075cd4861e8b40e62e323ca9f86f01d224b0f32492b
SHA512 ac56133725f7a89329e6e0f8cd9538861c0bde9043e35ecc171c5d854471dbb107a70682eed5f527442ac350fa3e82a3c847dd0611a3b842f3cfaf03cf5a6eef

memory/2512-91-0x0000000100000000-0x0000000100184000-memory.dmp

memory/1780-93-0x0000000140000000-0x000000014018E000-memory.dmp

memory/1780-92-0x0000000000510000-0x0000000000570000-memory.dmp

memory/1780-99-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2596-108-0x0000000010000000-0x0000000010187000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 545f44f9525e5d685f1cca30c6d427af
SHA1 50b4b36e477302ae646707072d4d1d83e0225541
SHA256 bd82e04dfbc37a66eec6399fc98058ee70a0f9b153440cc2867ef31260a2b557
SHA512 054900fc11e6b3e188a9b8b53a54414e1b8d49c98ddde8b37adebef5350268fc96d5e69755543fa18a1f65190dd97076158b2007c05dc49a9039d54facb229cf

memory/2576-112-0x0000000140000000-0x000000014017D000-memory.dmp

memory/2404-111-0x0000000000A80000-0x0000000000AE0000-memory.dmp

memory/2404-114-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2404-120-0x0000000000A80000-0x0000000000AE0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 767c9f0bba5fc1f930e5ebc34b886668
SHA1 00266dd5f33af3a39d1f1fe12b1c8a790e45b376
SHA256 424f1b19fd82f4e41ef0b82199dba0ec6fa102e94aeb447f53e8eb576516179b
SHA512 8ac89cafc92ae44123776f1a8ed4396a8ec21728c4870b0492c51fb5ffa49dc5edb37faae55df7dce7f041a13f22fbc3dee3acff3066618a00f85a3a31c8329c

memory/2836-126-0x0000000140000000-0x0000000140192000-memory.dmp

memory/2836-134-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/2404-140-0x0000000001A30000-0x0000000001A31000-memory.dmp

memory/672-142-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 3c7144213924ea0aa16b9b55e6016258
SHA1 1d024d2de6dbec4b1ad22a127f2738c59f011968
SHA256 a1758430cf095f52dbd80218a38b0cdab5455fc682ba0dce11dcfa6340584240
SHA512 5d05fb1d7caf7cc2e44128c49a872d9c18444d7510823a984f48a415eee4e8a9ad62d62596fb8c511422bc5244e3cedab9f20709b01a149bd3e294c625aa2881

memory/3020-150-0x0000000000400000-0x0000000000588000-memory.dmp

memory/672-151-0x00000000008E0000-0x0000000000940000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 7aab63941629ed787b0a7e3153735546
SHA1 1f54892714441e010a6b46246055a774bc6ebc3d
SHA256 b7cbd3832a6a0e4e93d29e9f6e9567620c09b7f8f616af326576b3020328dc6b
SHA512 77e64dfb912ed532aa4efa310549a6d914c2d83b5e044dd80de8734a26611f64fc395283d2122c7f0509e678d7c15726ce15e11e4d1d9bb1526cd3ffca323c05

memory/1988-157-0x0000000140000000-0x000000014018E000-memory.dmp

memory/1780-164-0x0000000140000000-0x000000014018E000-memory.dmp

memory/1988-165-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/1692-167-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

memory/1692-168-0x0000000000FE0000-0x0000000001060000-memory.dmp

memory/1692-169-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

memory/2404-171-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1692-174-0x0000000000FE0000-0x0000000001060000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/1848-186-0x0000000140000000-0x0000000140125000-memory.dmp

memory/1848-187-0x00000000001D0000-0x0000000000230000-memory.dmp

memory/2820-192-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2836-194-0x0000000140000000-0x0000000140192000-memory.dmp

memory/2404-199-0x0000000001A30000-0x0000000001A31000-memory.dmp

memory/2820-201-0x0000000000700000-0x0000000000767000-memory.dmp

memory/2820-202-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/672-205-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1712-212-0x0000000000240000-0x00000000002A7000-memory.dmp

memory/2820-215-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2820-216-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1712-217-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1988-218-0x0000000140000000-0x000000014018E000-memory.dmp

memory/1692-228-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

memory/1692-230-0x0000000000FE0000-0x0000000001060000-memory.dmp

memory/2708-231-0x0000000000300000-0x0000000000367000-memory.dmp

memory/1712-232-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1712-233-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2708-234-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/1692-235-0x0000000000FE0000-0x0000000001060000-memory.dmp

memory/1692-238-0x0000000000FE0000-0x0000000001060000-memory.dmp

memory/2928-244-0x0000000000590000-0x00000000005F7000-memory.dmp

memory/1692-249-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp

memory/2928-250-0x00000000748E0000-0x0000000074FCE000-memory.dmp

C:\Windows\System32\dllhost.exe

MD5 c398b45820b94b127297fe385e787141
SHA1 13673c0b88880dd5ed9a76076478a665be88edd7
SHA256 fb26f201cafed2b61411b9a6abe16cdde56e0bbde53a3ce6a8d3784f5a5a44c5
SHA512 d19ca92f25affe51f928a4b91b6bae4024c604eb1b792cbca9b95f15189bcd59a908d77e254ee8439cf4b2a993d3db1566ffee13293f7420aa3b86f4a2447701

memory/2468-260-0x0000000100000000-0x0000000100175000-memory.dmp

memory/2868-267-0x0000000000240000-0x00000000002A7000-memory.dmp

memory/2468-273-0x00000000008C0000-0x0000000000920000-memory.dmp

C:\Windows\system32\fxssvc.exe

MD5 921be4bd5e0d157d8532d4ed9704282b
SHA1 909e9055ea3fb7b9020c53a1d3dc6377b09bc991
SHA256 d5eec5dbe3be44666b57768f327c2b5751928bd71e18ee3299a360598e1dabeb
SHA512 bb044471233c784bb2efbaaebef86a0f4289c45501c408022813f96c9feb8440bfb3b8f1367d96fc136857e5d9f71db2b50efdc4ca04749afd48f0560b7caef7

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 e65f9170af042b8b178b15db2a46cbe7
SHA1 0fe1af369d1f339ca9af5db28f8f5792e6fa12fa
SHA256 1c68524462a18330372a0026c4f2ed06b7a4cb10f904c2c54e4fcb6fbdb94547
SHA512 e155bc8255480c45551370722a71c4f45073eec7421b610ea8a51ef83cee2b555ac642cf1c38e23d542e2dfbdb67adbb10f79926dfb896edd4cb8e4cdf8fc6d2

memory/1516-280-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2708-284-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1516-286-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2224-290-0x0000000140000000-0x00000001401AA000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 089d3616ee857000607267b0dc3decb2
SHA1 0dca5177ad4ed266643cf22862c188e1901b7c6d
SHA256 a3dc29818408ae6a02404f6a6f0fb228e383f895c0701007beea2e967029940c
SHA512 5306921fdfdd6c5c2e5d92f21d08dc6e832f46d4d45bb04fbacd51ae9a990ea16362429ab5c7b63dc01713b8243f95256847fa29f49a041827a0bddfec3008a5

memory/2708-292-0x00000000748E0000-0x0000000074FCE000-memory.dmp

memory/2868-294-0x00000000748E0000-0x0000000074FCE000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 4a1d8aefa4a995c26d5216895f605f6a
SHA1 7609e8382c63d683080f439adf2a1f4d910a4041
SHA256 aa1df2e7ff12b1d9d383244995d6bec37f6223a9daedddbd58e95a47e580ca78
SHA512 2dd9e22fb3a6044e1c73204e5d519c9267fada66a821a01839a221cae5ed1272fb9e970afe359aceba53fc00767a2af3e93d61d0c8a82e35b9b02a3f0183efc4

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 e9793675c341c67bd43948ee63982932
SHA1 5d9efb132fd3c853384da979032ceddfaaf6afd5
SHA256 8f9b2c00ccfd24cea04f97c931d43b5dfbddba71452c67d218e1e61fdf1e0ba5
SHA512 9bc203117c8353b91386f6e872599b81b474f2886bb6b7bbcafa8a4d77bbcef8fe9cf45ae2f8e98a4521239d60f3bbb61176528bc6dd09adb963e6553079f9cf

\Windows\System32\msdtc.exe

MD5 199ba9673f5565635458799cacb391fd
SHA1 006838844c31a116808d8e187197104f3b21ef64
SHA256 9f7508d1b8287ac6bf92f5842fc7d8f277fd2abcadcc2fe76283a2734c27c018
SHA512 267a90b99284deb706f4268d330ffc5559c9825516de1dfd87dbe149a965b5fda0e113e3f7d20e5f5cf586cb48d02d44d0a57480f97967004da03be6c3a8eaaa

\Windows\System32\msiexec.exe

MD5 0169220bd3cec0dfc23f46e5fb76e235
SHA1 f4fbcd9867c6e64397debc2aaacf1c1904968415
SHA256 7bd60d79163db9adc40bf29abdddaded26c340dc757eace7acafc27cc33adf83
SHA512 e9dc8c629c79357f57a99c4938c5091dd1e76794d50b70546ed881fdd4000705478f6d5784f0b9ff006c1202584c2cf5fccf5487db316d58da625ab98e93d61f

C:\Windows\SysWOW64\perfhost.exe

MD5 4c45fb776e29dd355e3d95467bf4e31e
SHA1 e3559465de2e260554f7783af63bc6a98c50ed23
SHA256 c167ea4bcbeb03aa0d07ca011ebd73b66c2ff67c9c34e18c2f20fd1d900b85ff
SHA512 dc11e433a97866f9b8a480fd25df58a979fe7db5e9dcedd7572f96826610eb641b69d6227cfe98ccd1e8422a74e66f574448504d513d896d66628d56618a426e

\Windows\System32\Locator.exe

MD5 69f449cc8d2cc53d7841a15a012ee2c9
SHA1 3d04d0a89a2f291cf2ab0217316d6741784b1817
SHA256 162cdada4f5b00f1426b7239a9bc844619ee1db9f540eca96448eeb6c93dac21
SHA512 44f62861cc0335f450515fa13a52d068ec7ce9b06819f2bfb2b9ce581f93acc6f358d7f6e05dee4311b83e6465b1036101f590afc95cabd739d522d305f8cfb4

\Windows\System32\snmptrap.exe

MD5 fe3b327fb72ffdb268ea3e33255bdedd
SHA1 ce01678a47fa1aa2b1a21810383e519428a0785c
SHA256 dd304be0cb77aa0a53d09ffc35725ab4a9e3bf74ff1b1e9126f448d4b95e6bcb
SHA512 8a37115718d69bd4ba79066c3ca2cd73e5a3cc4350fe2fc6bd74a90aeebf220d32d7ef62ccc3361fcf52204f3abba62539225b3306a63900d94137142b8d8a5c

C:\Windows\System32\vds.exe

MD5 a4013d69b8e30de722d7ed4d906f505a
SHA1 62ad00d4509cb0146a96a48b3e8420f07c768cdc
SHA256 0bb1e7730c5981640127c73117d1b4fa9762ffa19e033ec6a040fbab0015dcde
SHA512 ec9880986525eedf2dbc552758e3c8bea27bd1f50470d07673aa9b0d49097427ac33f2fe5bfd524ef6f62bfff4a78226a6f5c3c367b90ea46b95cf9848884155

C:\Windows\System32\VSSVC.exe

MD5 601e9d9c533f37bba9e2db3ff15bcfaf
SHA1 ad2a0f205911b75cf86eeadd2bd0f8b88e8300ea
SHA256 cf3fcb01c17162fc342ec57a922c862cc95172905082d74274e1b7a190d50ddc
SHA512 9549707ba61ba0579e00c8fb0909d91382babc5fe48316705316b2f1bb7632941216e4c1386c78cb778ab7f01003eb60f0810ff0da8e18740c0d6b219865e346

\Windows\System32\wbengine.exe

MD5 b17f2b2deef3b27ee2f17ca1f2220ebb
SHA1 b1399ddb68502d2c025cfaea3b4384c41b00b2fa
SHA256 cef17641cd67a6bec90261c3c327e1879d9629e01421f07ec58b35c7b7a9b42a
SHA512 141fd996167ed0c9c9112d80b5fb792aa32412e9c2a5b4b49dfaaed5789b7c1f3456a9c884a8edf399ac32b152567f9ada3dfa0d3dfdf0201a1eb7e08d5f25b9

\Windows\System32\wbem\WmiApSrv.exe

MD5 8c6b82fc863eb6ec14225c152a083fc7
SHA1 28deb8bbfeb7b34c2acafb83c36668005a71bf53
SHA256 1229e8cf3f7c302bb2c864dceb09b2809f8cb25e08493db2960d92d3cc05280b
SHA512 87d25e191de531069850cf9fb55b8a0998556a45b488d9f285511e30223272f899ea8a2d558b47404299819419aa4cdc7998fcc5634aff391b5e4434371bc906

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 2c14d49a377451ef232f4b24da5f3d2c
SHA1 50784a66d954a1e40843efa46d9f77a7d7bcba2f
SHA256 1273c11c48dac2bea3190b8734de38dac444bf3efab08c4c87d55b939bf984f6
SHA512 b8db19b904db9b70b5a88a7cb7c8a553d15f563042cb1372e8857dc27168140213936e32f3ccf307a6d7d32156fa231829462a13a60e2e995f26965bf515e0d9

C:\Windows\System32\SearchIndexer.exe

MD5 3b2de82864def7481a29a485f1f15dfe
SHA1 3cdcec3cae3a559ac401389697c3ef69123039b7
SHA256 e0320c25a4164bd60573d3b5ff78ff88edf338e05b4fd117892aac17dc397081
SHA512 6df0cb45862c22f0624f7ffa0539b771fd4ea55b8c10966a3972f5a46e4b9e63e601bf8998a9fb3d3157599d637e6944f6953c65eadee013d58f084c52837016

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 797286f6bd275073e20ba1d6dfc4ff1d
SHA1 1f889d4ed1188976f33ea15dd44f652dfe1225c0
SHA256 b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459
SHA512 6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:06

Reported

2024-04-06 05:08

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\dc8f5f4b8642d83.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp

Files

memory/1204-0-0x0000000140000000-0x0000000140125000-memory.dmp

memory/1204-1-0x0000000002070000-0x00000000020D0000-memory.dmp

memory/1204-7-0x0000000002070000-0x00000000020D0000-memory.dmp

C:\Windows\System32\alg.exe

MD5 8522822dab5ac8c5d554f30f453af072
SHA1 00aae8a624941687cbb3e919bf7e284c2e8465b8
SHA256 051ae805d1d1add6d6afb388b9d9bc7beaf20f6ec1068878109677d16d507da9
SHA512 dd29a44719adb41565577cb4a589904d808749518498476637af1a7641b95e8e4bc273618637a8df59b5897b4d06ae4def30803853576a1be6101e4649d659bd

memory/3540-13-0x0000000140000000-0x000000014018A000-memory.dmp

memory/3540-12-0x0000000000710000-0x0000000000770000-memory.dmp

memory/3540-20-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 4038cb9250c7c412c61d4c636cbd6d3c
SHA1 a78609b083f76393da106d85e06e666aee34d64c
SHA256 1a0dc6f1a551c5c9be05a2474253a3304af405d4a6cf7c8b77700596923320aa
SHA512 f06fc2a3c85c05288602b0a5180601790e22e6b12e6d4be2444425455b142cc51ffc5b047daac0efd8b1ecd6acf670f34168ba010fe7b661a8f4afe32efe9604

memory/3700-26-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/3700-27-0x0000000140000000-0x0000000140189000-memory.dmp

memory/3700-34-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/3700-33-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 ff414134262ff43284ab194545d5f12f
SHA1 679354521b83817575640bd36281cc5031974f16
SHA256 e95edb7793fb697d611bc9e594d48500ce98a51a252866d8281d3e20bcf29d07
SHA512 a7ac00bf5935c2509b65cf50c275e1b5494df093cca470d9bc89393da078dd1e637fa28ebcf38cbfc68a4810a8a1c3d5422471bdf8c55ac25937c58489e917f4

memory/2748-38-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2748-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

memory/2748-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

memory/2748-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 c3eb0f1d32e5d9635327ae3ab65bde2b
SHA1 29ac4d0252e3c3e26f8e864f50c349bc934ad6c6
SHA256 9b2144174859b9bd36941d84747cd9ee921c094bd6ef2351a0530669e226cbcf
SHA512 7a7586b67b8aebff83acf92de3aa8f3b0ea5363921ed39a06b2718ddd8ff72a0b3604b28da0b5ad71cefde11a77ddecc64057c1371d9a4b06b95f86bce752b84

memory/2748-52-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3652-51-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3652-53-0x0000000000DA0000-0x0000000000E00000-memory.dmp

memory/3652-59-0x0000000000DA0000-0x0000000000E00000-memory.dmp

memory/2196-63-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 ca5f1bd4481fed66e4e4bfec275847e5
SHA1 67fe174c35dae1af953a13743f96a68bf84a53a6
SHA256 a02e7cdb5eb15b42ea8f3c22d2c75c8b00e2f0c7b15fb7b3586c0b6bfd57a24d
SHA512 875e71e8bf7df9ca9a5b0c2a4c5a485d9242d15138547ff60253b4cd56da44495c456fb7974b21d28c2ce94f7c073f0d78e5554c23b85495b64162eb15fe9ce7

memory/1204-64-0x0000000140000000-0x0000000140125000-memory.dmp

memory/2196-66-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2196-72-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 aebeffb17652f5158c69bfcd2a7c4e09
SHA1 83924d56b582c7fb813bb428aeebbe71e300bcad
SHA256 c8be8d0d33fc563dacc4545f64bf43fb55e3b9ac18ef201c06b241972344ddb8
SHA512 b7974c3e58658045581318aba8061074d178c55e0ac4f727984fc2472ac3ab51c15d720aa9f31f7e437df672005a18b3c0c45c3798594e6372f1861858badbb1

memory/3540-76-0x0000000140000000-0x000000014018A000-memory.dmp

memory/2036-77-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/2036-78-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/2036-85-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/2036-84-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/2036-88-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/2036-91-0x0000000140000000-0x00000001401AA000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 e4c434075c3b47ae4dfb6a3d68f9f5bc
SHA1 093e17cb3d5f7955c4b0630a6bfbb794469681ce
SHA256 bd07aca85f0539655c9efb49dce02d49d72525a9625b2c728b6b058e267741ad
SHA512 69d8d9456c71991efc72da129842abcd76d70cce47d8a735110f796640616bdbb7e8a4e29f6e13b4990763a15e35c231c88aff8c7ee7a411764b5372890b417d

memory/3700-93-0x0000000140000000-0x0000000140189000-memory.dmp

memory/2224-94-0x0000000140000000-0x0000000140199000-memory.dmp

memory/2224-95-0x0000000000770000-0x00000000007D0000-memory.dmp

memory/2224-102-0x0000000000770000-0x00000000007D0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 c10f8afacec632c00249e1ed775fa8e7
SHA1 e40883c178bd1ccd0c6b6a32dae6f097bc32ac75
SHA256 aa4111d0ae321f41f1790998f26121d8f766eeeadcd4434f6a431f820e60861c
SHA512 50b6a885a0d0c1f7c3daf11ff2dd70a051b185dbb0c8e0a2a16278ca5b5e5268b6a83b129d2c5b7c6fd1df9a8c37270c26325da771700b8315376eeeb9e1a56d

memory/4480-108-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/4480-118-0x0000000000420000-0x0000000000480000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 6be684584b458b40717efc70c47d9b33
SHA1 c63bd0dbf92b17555ec1662ffb3b0484c425b9d7
SHA256 6e587cd6b44efe34b27b75ddff4f37c7b7665ed1203f860e80e013145dec4be1
SHA512 f85cf2822dd807bded608568385f1737d6e8fe9d980877932c6d66de756f5f052ab3dea8ed1b94efba286c84cb8cc9653f198846930decf215f3a021665b7e86

memory/3652-123-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4192-124-0x0000000140000000-0x000000014018B000-memory.dmp

memory/4192-130-0x0000000000B30000-0x0000000000B90000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 c0d68d899d02ed25e6ee77847c2776f9
SHA1 e49e773799591858d16213f01fe52f72ff5e15cf
SHA256 9de8f7ef62744941b9fc6966bf5158b946138930a337e7b247d752888f389a72
SHA512 df15219fbfea9416c440cba5effe5c9f8c26d0a04649886f9ba6d7b8406a5bc1cab1c8003edab72cb5c381f4b8d646914298836c0e148a7ef1f21ad5649e44c6

memory/2196-135-0x0000000140000000-0x0000000140245000-memory.dmp

memory/4200-136-0x0000000000400000-0x0000000000577000-memory.dmp

memory/4200-143-0x0000000000600000-0x0000000000667000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 fce5a00040b28d633f002692634261ac
SHA1 c212561f67ea13f910b60238adebd69680f7a600
SHA256 d87f50369f5748283e4a5281aa36c022f6fde4e0e3549704ae877dd7ca604ef0
SHA512 938bcbedf9fcba7a0475cf81d9500db26f6281cc6bd3ba70f0b7b8a6ce0758896d3a9337ac582140b30f36728964bd084711dc9091c215f72fa3678f830b401f

memory/1204-156-0x0000000002070000-0x00000000020D0000-memory.dmp

memory/4432-154-0x0000000140000000-0x0000000140175000-memory.dmp

memory/1204-153-0x0000000140000000-0x0000000140125000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 2d56c45c7e0d46d24430d985ca6af17d
SHA1 5f4d7da695bd8f3e683aeca1687b8418fe68c2e4
SHA256 b38976d44098f563d425d0712a755091ae1722d2c2d2be0484edbcae961b4ef7
SHA512 9f02a6991c75d0bf27d114af9dd72322836210b3a42bc83de95f802a53c56be9985992ae2e1121d263633fa013460c48ce475ab5173a27e881bb243703a02b98

C:\Windows\system32\AppVClient.exe

MD5 8440fbd1bbcfe39931834523cfbe0ac9
SHA1 281504e98c723643296f7c5fdf8175757c39444a
SHA256 404806d4ed23a0da0af69f90aa2b2ca1e13a5cb778555082ebaa2ba488f72499
SHA512 fdf8448a32108115829b2b59334a2e31e6652173db6d228262ff1008f76216f9c9e811fdc7d7f68d530e98ad0f62416d1b43a013237cfede1f2dd5a8766b68a9

memory/4432-172-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/2224-233-0x0000000140000000-0x0000000140199000-memory.dmp

memory/4480-319-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/4192-322-0x0000000140000000-0x000000014018B000-memory.dmp

memory/4192-323-0x0000000000B30000-0x0000000000B90000-memory.dmp

memory/4200-324-0x0000000000400000-0x0000000000577000-memory.dmp

memory/4432-326-0x0000000140000000-0x0000000140175000-memory.dmp

C:\odt\office2016setup.exe

MD5 a33dc0062ec3e87e10904e405d69bfb5
SHA1 fce904818a3ae0f40d6872c5c7ff1f2369ce3298
SHA256 b6dfa530d2fb86a49358424bebeaf3577bd124fbd566fa8d0c7a7939d8920e84
SHA512 dc56ce491ea37ea95d277f4bf6e3e11ef8579d62e1f2790589a9bf9cc9da617480344ded9d47c8d76f574ffaf7cf8c6ff9c802c06c0cf7a3c4894f90cae8edfe

C:\Program Files\7-Zip\7z.exe

MD5 daf2289ee65bcb81293935deb6ba0074
SHA1 df7f518f006368d38fc51bef7805511f77aed474
SHA256 a7401d749b3f2bd4ef2f0cd8a0e9721035a9bc3b15d661710caff908cc77b138
SHA512 e42aa25be7f2f4c7b389111dc1ee9c55fc3e2c84a360bf1ba629da75a2bf8a085a90293a355f678a3fa5daea3c4ebecf85ba72d91873024895638dbfdb8f389a

C:\Program Files\7-Zip\7zFM.exe

MD5 268b5f54305ddb0b0563bb5724d5ebee
SHA1 446ab90de6017bd99e3d7b508392e752d989dc7e
SHA256 50f9f1b02778c1ba77bbe60d32befa50cd68c10487c06c537335762e0352bc4f
SHA512 ed6fb6ee515399b9b77949d965105a45e11d52ee325d7fef142b27d9faaf365d980ac817570c6db4be4098f03bb3ac4ed36d77160270ffe6b92f3dbaebc5a3c7

C:\Program Files\7-Zip\Uninstall.exe

MD5 b860259a4ad0fb8d555462f81b924a6d
SHA1 380ca13d62d9697f2bdbe4ad7f1f8609c1cd36e3
SHA256 23d3f0955eefbf166fad3ed5ca88b5545ac40af1d3e9913721f42d5edd3914d9
SHA512 33abe4ef1494979d59a35e9f482d32cbee4b61bf3ef3159c2a26bfe564bf5782ac6df1cf027dc6e1a9fe817d1bcad85598812f57e85ff327c8de59673be06857

C:\Program Files\7-Zip\7zG.exe

MD5 2abec2ac2688fc7a578951539b451229
SHA1 b53f6cce4f693b96c03587886b9f5d3cf7d2ca95
SHA256 9fc2299e048741b6c73b181f56ab297b3a5803c81d7a9adc1d0473d22d3055cc
SHA512 76fb35b63832e9acad73788478549e7485fdfe2b50c2f3cc41b4a69b3101b97980a484a7a8bc5f9facde215cb7e564702a629d8cfc041a4a28f4aeadce554d9f

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 c4b7826f7fb58020541ed6b30f857477
SHA1 568f193dc1e5f92f233f5f48959e39a314fd8964
SHA256 8c7b9e260cce939200f0d7085d051fd755c3b74d5b2d79ccccae7864a2e6173a
SHA512 4c594e79a07892639dc4b0754dc95e8f40b171d55e01c6d4a461e7a76753edd30ab8583ac41c0a569056fb6c45781b2f60a27bba5cbbacf791790fed75b5709b

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 7b9f7fe0ea51cb2fab0f7771a29e1016
SHA1 feb02822669655d79f297bed77b8df45d5394f0f
SHA256 de54b28501d4834166e01c4454996fe5befaafc4a54f398614ce42c7fc43a796
SHA512 0c5b0e103830deb290ac94d9ed8ebc08bc2585793d02b6df1f6cd2ef70532b38404783e3e01059fff534de0ec8b1e8e4942f6b251dc78b5efc570b092b6f5d6f

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 b1210e371503dc06f717dcd3a4b524e7
SHA1 95ba25f2ffd65182390d8b6dd8980cd17da40a57
SHA256 536725c32ff2f5122b701e0b32ce2a08920c891fe9bbbb6c8b3f74daf3af7782
SHA512 34583a184881e106baf7e6a5ab82e51cdd0c678c1b64dc74c2efb775044c2d76041423c3a8483a3f53e94513946ac06cf948f612fe5a0672c0e8f554b415a4cb

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 9e3b6a406916c8ea0505c6229f696021
SHA1 2b1e7993a65f8f0649c88c2275bc36443a50f60c
SHA256 0552358000dc7ff623242fe0d6e5bb2046ec307b25f06566faf497a5c2277a07
SHA512 c5c33ae0858355123b06341e5ada75f3635d13c39fe1803ae146dc86d83aa2a6834426abca669b97f672094fd06d315dc230160ac948a35f7dfc10d3f737953e

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 cd427bdf5e4b1d02979613fcbb35a24c
SHA1 5c6fce47f2a5443f5be6de47e660ddd0af3292d6
SHA256 bbb01c2dc7cdc67b9bc2635a94e78b5f3724f526cf7f5aa88c50d6c52c32f519
SHA512 afa9be709dc3eaa5d2e04447c010a6b575ce4b7c70036c7973b54050672159f681f3669a8dd43afa86ac98a7cb2f06af8b8b87c4e0ae261fd0f56621f8302c8c

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 cd1ac3f8d422d80df06b7670966dbd2e
SHA1 523bef8520f6bb787b402334fc5843d9138d6559
SHA256 36c13815c65a80ca5c85c313bf17ff7283b46c031426132db73aa2b8b2623fd4
SHA512 57fc2e807fc7d17815f472b48eaafc78b80b278321e4a803afdb074487a3896f5e224a1b31cb7fbafb3596b6446a3e894e35983129f756f5c12eec3d97ac8e6a

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 890142616d4fb91cb80bb855af66f327
SHA1 830604f05d64bc3dddc27d9523ce73ad31a801eb
SHA256 3c28e6e4500f50c5e4712c95e2f01d9ea0dbe8e49e0fcc310e0c64da4c0597b7
SHA512 f1906d30441e9749e7b77d4cc87b9be3c3b3804bdb1d5397e2e3c7d5dbfe10e155e5dd88cea517c3283b5d69464c4a7b399d1a640108a9b70b297b2630959ceb

C:\Program Files\Java\jdk-1.8\bin\keytool.exe

MD5 1f6fd077ea025edd956d820e82baae7c
SHA1 3ff3042237e89cb1c3190922e9c8a72ddc3ac77a
SHA256 25c63acf730b0ba000090302aa7508d1c67e2c3ea98bf55b9a8c89c79f8a9b51
SHA512 fe8973c463dfea4eafc1693c0d423448d74459e1e2d6271eee7552c822d51490246b0c7906c68f52d85b4bd6b6c34f6421283a4d0c151425e9b5f28e7612860b

C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

MD5 bc5db2cb1943870a5be952555ffcaf70
SHA1 621855d545ad72ea145e38a686737dcf0d3523a8
SHA256 13625e9e2c99cd13a0b77b0b940c38b669e79f6c09e1bbb6bcbb358031eff587
SHA512 287ec91e6f7fa2f46b31ef3d49096199a2987cab183803da79b95bd3621120e7de579a3c66c1ea2a0d449c8c1298bda4155bf89c295aee96c1d45baa00a86a54

C:\Program Files\Java\jdk-1.8\bin\jstat.exe

MD5 f2c9785e25674a75eb86c5ad3e512c6f
SHA1 adc5ef2b2b26375e23fc206be97016765bb36f7a
SHA256 657de3eeb0d49cb10a90168bcc784f124223edc9056cf01466931caa2b300cce
SHA512 dfd10865d4a6cdfccdc547ffeb19bb5b00098cd3e4ed44525b944a537a7a77412c8484642064c9a180dbf8c53f4bd7892f0f9eacbabb2d6369f490328178ea44

C:\Program Files\Java\jdk-1.8\bin\jstack.exe

MD5 abb132f5b06c6b1d95fe1b4cd289c630
SHA1 e47797ecca347cdf3a021c3e81b728545aecd3c7
SHA256 85ef3685613c3362b42f0c34834956f2ac09c94a083eb112629fd8700e99f067
SHA512 3692b1531fd7966a51adca7b8ad45c7e8e9ca66fc638b3dace2cb646e0d1188fc159eea72e32011fc8f1afc65decb86632829be23299d96267737cb217f4cca2

C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

MD5 4ca9aeac988a814a077f69f6e161bf85
SHA1 82821d17ade717d06f1c198b3e1d67c12d4dd56b
SHA256 1e2e4f75a93cb2fb3c71207967e7f7106e630b75c3e9301f827c8668200a4590
SHA512 6af82d45bef1a6166ff3bd8c40407fb6a5137dfb2d33ae6f827d498c58fc3467e5266e5a1df80e54f7b1e811a0a9c988ab0c2f627175fc45a507fd6aefe50399

C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

MD5 2e22dcf66fc1aa6f7f7c31d2c46588ba
SHA1 69e3304a6fd1ddd73dabec282adae5c8d0ec98ef
SHA256 e432b08b4f7e12207769982f641597d67a977531f7b4fab90ac86265ce0cbf37
SHA512 e5e04141e75625fd32832955334d73bf22d39c7d8ab15949d463eaa6b3ae471c499c7283db6718046f4d2dcfcd2d20771dcde34971df9f4147a8fdf31859a1eb

C:\Program Files\Java\jdk-1.8\bin\jps.exe

MD5 3865050c8f349a60cb431cc8dd5199bc
SHA1 3389852954309d34f857393167ac57029a392cc1
SHA256 c5f0e52f18dc9af92bd4c5420a39a850243613f3ea2f40ef9286e59f4fc0a879
SHA512 ddc050e9bfd725ff8dad01be13e17064fcf73640dc633784116646cddb883858ac0999ec4acf1e5016bd2c6e51d51649af01f5a626f25f9971de65861bb360f2

C:\Program Files\Java\jdk-1.8\bin\jmap.exe

MD5 b268960a4ba5131adec0daa739df82ee
SHA1 1d8f7b494d57bbac6d3473da26eb99859ccf62a3
SHA256 93a35d2f1cb6494e324fefb4dd12d1e1c5474441b08fd52ba727e89ee0549123
SHA512 0607c8bdc4ef16002200209f24f9cef4ae1e67cb1f95cc188f1698df213dd25290b821ac5a4d09702d4e11c07f019d5f5dfae1de0579fe649075c39a746a5e70

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 1668b57cd649e2224064229fd58fdb5c
SHA1 77cea69cf7deed916964044e1873ea8110dd2b47
SHA256 280ee67a02d0a7bc5fcbc25563ffc438734c4d601a4db808bf8558fb5026ef20
SHA512 d3d60c26e47d823e82b8a31ce0ebc409d50839c4eda1bd5aae455adbf8fdbbb3028455eca2efb903f522d82e2c5f444bb4ec04c2fe06e60fe8852a466ec06634

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 d6902412e2332734a0461ca9430f785a
SHA1 9717c634c0eb18daacb0f1b4716ea0cf87b1f205
SHA256 f50dff7ad040478a23f9a3b99a5ddf7cf63c4db3a79c8f44cfe1c8723c3c9f12
SHA512 94814ac6fd41a172f912452f4ad677295d788059622e1c4f2441c173e8856af1724324dbedca889ec3ebe27d0f43ced3b9d854ed6324ad514e656740e0502c13

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 f66b65000f51646a229b8198b36074e7
SHA1 b7a39659145ec5c3637954b14a44e433c51441e4
SHA256 e6a796e42a68cc3e926033b093cb7f640b120aa9804d2f9b6ffd44313159f265
SHA512 67a1cf26aebb2e276914e87532fd522e830ccce2e29843ec8f956e5eefe20af0a837b4df251c432636aae119b40a4b41567f163daeeba860a576f99bc7b9a120

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 fad7b133ca64352ac291b93e230b970a
SHA1 064e2ba4a5a10d0042a4c3e1d45031bd7e28e03d
SHA256 78e1aed88a89394e7dbfd21f7f66cfd2d51b5bfc2034e3be89ecd0be92a22039
SHA512 5e93c3d37b149393395a7ede0e483f92b6cca8e164ae4abb83b1f1c5eac37228232d25c1c6e5d88e3fb6f2468fd85cb7828e8705a9f8aee32175fac9f938b7f7

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 0d402dc4bd03e14df4e09119b4fc4281
SHA1 7038c1ab9864006532b6b0b8a439b26b9f59fc83
SHA256 5fcdcfa4f842ecf577057f343ebd5fc06ff030ddd449fe3ebfe8f4762b4f7d99
SHA512 0bb907ed3e246259824cbcc1c619ad1d6669eaa6d3d70c50584e3d1dd3fa63161b9a209aa88387d71468b7db92e99935a875ae6834d19e0556e4b1f892ba4c04

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 15a824618587785ffc257f39d4e22598
SHA1 462c0a92ef75b40d51c5c8ef08b379db113c155e
SHA256 bac2e5be72621917d2b2a6048df99134b4591781a0b5aafa49546fad202b973d
SHA512 b40e3d0d0b11b8daee1da110747025aa99432301d6a450784d496a7058867531092ad464464c724d197adc697237e9d09ed609d1ad694ca89fb8d6eee9d23773

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 1ae7e4598a16b07706b77578d22b6b6b
SHA1 a07a0ab75c1a77a73b53d24897f8168cff383f9d
SHA256 920d1bb9fcadbb8f8035b0f051ed9f2f3625d07db441275807fa24f8144e8254
SHA512 5e60f94d5fc1dbd00b631f5162f3ea0ee0b1dc9ad11403d68131b59840aef89890b3e5d26b706a02f6b6375180b84aa9009f7881b45e12c9f28ef0686a48c6c2

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 f929d5423e7dfaa057cfa588ac1bed57
SHA1 20a58ac2913d2e602ae733ed696772431f2d7d4a
SHA256 93ef1826bff1a4e798442a30be809f35cdb9c45fc33172b0ae5647dea5f591f1
SHA512 9011ac9baa6fc0f9166065c8616fe1d7876defa57e32af67ee866b4448b5d00124e6c16b76c23fd3ef863f24b6b84b3fa950db8fdc6676c6e671c739e91cd9c4

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 3ff67a9b6008d52c98dc6ff9a477d240
SHA1 79737b57d85b52c79f6890a863a5e4ec3d9afe39
SHA256 0c6a6dfcb3761da53800784e0adce7a3b91b1a8ec0a99fa29ad16f7f59f37b24
SHA512 52fabd906c34192d7a656ec6214c70b36b197cbceeab8bf006ac74e48ac76734553af048245b5857330ad10c072197d844a6d9c6d7f436d235c3687b0e4fedf9

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 f62e1ec0ac7bd6a5e6030d6f53c42a8b
SHA1 899c8a56acbaede56bc52cd2b77321643316fd03
SHA256 31a673773fe9eeb1a24a2c1a42d8d51777934605f48bb323f06df45b9308c072
SHA512 f25c91b11cfc85739c97bd2e9729a97fb2d2daea36c14b78ed337cf4a5c3e127274e5e5eedf7fde4580c3d8b7d9cd2b9ffacbf83c303ada907cbb8f7d08199df

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 2578b6100a8669b6476ace48ae8a4dda
SHA1 a807bfba7bea8db828c2a274f4ce7b12f879993a
SHA256 69ff54bf67079f1c382ff8b93809103e5fe72fd76141c2ca135a692d7e2b8c35
SHA512 78c5f67faf115e25076e8f97a919d024a3722d528c9c81c2fb56177cf546a60797a70e22ffc00a1340325daeeaf4d8ea1a1dc1c18a8c7a3f98d72a8217d72c12

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 c8ee85b597f051001e01ae246046bab9
SHA1 50e286729709c7207cf72665e0c75fd1647dc32f
SHA256 d7b5e62a76f0bd56880964dd7896223936af3d3873f78173a038693cf0f53ed9
SHA512 848c1d91780939e206485321f3c5ee0afbc447bbfa0d77bb5e77cff935b26817dcdef66878b0929b3017c46079b33b61487989336eb1d0f8e950cd9c8087ddbc

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 df3dc19ba72f94f6eb254def29f61b5a
SHA1 a7c99e76a519ff23886418c647b3bdfc34e70761
SHA256 ad77bb02b799e741e4c2eb28114bbede06c908cf6e22adca193e9c5620d9a588
SHA512 ed3465f3835f57d429ac75232a394a220fbf124103fa23cdf098529e551a374e804b7fd8a6768a60707adeb49e0e3006dee682b88c4b13a745b4da1933becbcd

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 3bc844b7b0ce27f8e0ca8428fa56ffea
SHA1 9de54ff43c3bdcb9b14ce953b2a37949483c669c
SHA256 d7558169b19d97ea9f77aaac6f11d7c519bb8b25b4e5da0d527671fb1f1686cc
SHA512 661ae49d656d0b8e957b26b947a89c1c5af6b05c12f96281abb7ba859912d69f2ea66842e5dacf4011b361f5fb2f52a2960a20a7d8cf8f2fe96b60896d2067df

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 3ad0fc5083e0210caf934df875de5337
SHA1 e52c26812af98d14ce1f841114a8758ae1b0d380
SHA256 55075a8bf5efdb2f5caaa1f8e98e004436d05c5dc4cca59b81b220a5efda27ca
SHA512 4e21f166850758b885e515d9cd271bf834197f2055f9c1c514649eb8562a5cdd0e70ac6a2c2c85a441dd0a1d2c69a82ec919487f2f4e9a5a1486d0192378c7bc

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 9ae5818ebdfb0ccf7803ae7026147dc0
SHA1 890b0e084670ecd48d139fd6d7705cc64a3172c7
SHA256 61e49a2086ec47b20b5a0e34cfd576e6165b4f4efd33108dc7fea93ee4d05c72
SHA512 ccfbdd0d131f67126233d8c648c77f89a71e33ccf268a27d3e710b48323c3dbab4bc297c8085e9e724c3a0678435df8c48fefa9e9c0bc7bb6f6209b36624d230

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 38c799e1be97bd48e7fc9360e23de008
SHA1 39f64fba9aec24b1d5cdce8dbcd877fed8e501f3
SHA256 a802db4a53c24506fe05130fa6df281d4270e6fd9ebd1a3c9c50fab3216f1aa3
SHA512 49e6cd566cbd064fca320ba7795348b7cf224db2aa6caa228ba78706992893e6a8fba4eca3dd216cc9f9afd7400672d04097518a435da4f44d1f217ab3540188

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 715900b6c28666a1eb7062a5660e7af4
SHA1 570400224c9020257dbceb23f3e4cc12122d200b
SHA256 ca4415f3d5ae41495ff054222cb72272e3e711e7d7f720f389dd4229fcff8160
SHA512 86baa34af6ec4bc3cc5ef9f7305d3fa0555a44b5b96c474d9edacba5383ff45f27eeabe66d739a634e3d09692862955c04892661910e6233afb54e50e618ac29

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 9c1727919fa1a30af8383ccf9f091516
SHA1 fac0cef68c8e820a8ed1e4825952c98581db1834
SHA256 0292bb93db2c5beba3178c543e5ddb37c2166170182f9e7f14a81741c0e035cc
SHA512 3a2957faacec66704d2c52fe0225174f12c55af7277fff8ef46ec1a38357f04501ad29a85a9d3347fedbb144d2e030cf2abc892687890e8f4b55347fb6a97c77

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 ec1189eda7e376b97a90c62c00e4fd8d
SHA1 bc890a8ffa994248fc7a5f28ac5f7a833d62c86a
SHA256 43c8bae99e69a5de1c886a4b22a9a6c3b5c5d640c6e55b4ceb937a8358e0d295
SHA512 f496fe27e7b35cbe8a279347ae666b7c135e0f0bb35da15a6b5379fad682f8503fe3ef92e3219a32e6ddac0f63503c0173027c1726472e812e45db2cbf7d0f47

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 101c0c6a3dbed968d6cd494dce4b755d
SHA1 cc2fd76e45c4483ed87a546b143b56f1c83e447b
SHA256 a414cdde16f6c39d20071164378329a37fdf91b54da7cd744f51330f481fa69e
SHA512 69b050e29eed25d53b156107f8fb87dda41162e5d09369056e26a6586ee4a75025179eaf41e21efb9a9331f10ec6c1cbe3571ccb6b1246cf4d501f910811d801

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 2f3bc25e8aacffcb3575364a851bf343
SHA1 7ac570f1daa4a10d90b6508d40388ce5312f7ffa
SHA256 c3aca7615c55f5cd23346848d8c2f9fdeea6d3a1c53540de3f7c00ce0639c4d3
SHA512 fcb56c7eff505d74618f987e0309923247ac1c8afd130495b28dfb2ea2a205ac75950061a36eca7cdff990c2b76c98cc33fe2a372d4a8ca8a4f7ee727274c657

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 6399468b4681fbe53e0904cc09aa968c
SHA1 56df68083c15974f2f83a492f0953df449844db3
SHA256 dcd90f7f9a40a0aa030952ec6fee72e9375bd234afd43ff154cdca9d43c557a3
SHA512 7001eb711e095ad75ce6e3009b697ccd93be78a25be36f5b641b134c39dcaaf56db80665502ce014d382185e0eec9c887a40a2341c86d781995650dccbeffda8

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 e952b8d4136ee2393b410f165657aa5c
SHA1 6bf34d2bf1aacda7ae3535efdd1daa859d84eb33
SHA256 999603ca82160310a455ed48153949fef289ea482e3e3f22c7f3767e49833ff9
SHA512 8c6dd4fcc31775921b7c11155a29bf4d04223a7bb8e07552e72394e0375d4a3c54334a59f6a435004250a9a48637c7813e439d1c3d1652015a0877fe9620caaf

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 ece2c8c8ffe952eb3a346c38e5d56bd0
SHA1 64a89faae10e1028550b71612d0061585fbbc4fc
SHA256 0d24e8c4120a0bdf6bfed5866f26f404e3be767a92eeedeed8f82ad26cc8cf12
SHA512 896f0b30ba2551fd55ab01f6827df44a1578fd3aaa121383c1c246bef8a931b2e5f78825fa506f123c4ecdf2fba196a8bfb165f71643742fec6e7fe25c562f64

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 55abc28cb200a2b80935697efe61ff8f
SHA1 177819d406f758f06b0678fcedb06f7ef4b70f0d
SHA256 3ceafac2d806dbeccc370e5e249285264d086b405da00ec8c960a82b7b253bf6
SHA512 601071dd05a216fa3a5c9e590ea2cea11d4dcb20a71597e0c0a25a0b5657c8d1d1387d7deedef5ef443b93912bb72d9c3cde9c8f98d6ea725f449a56af590a5a

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 acfb76ef9854d712ec00f98627eb28bd
SHA1 ea576c86a55235a9c85121c06705269ea582ccec
SHA256 8d38c1cc79479c0449ba071e1e78fdf2996b953950310024e6edb0764d4bfbbc
SHA512 39084120e7edd306de1c94fd65b6c42042034611b4b845adf883077be998692f0f7ec32b323d6ff06b96ff9933f08f1f70c1cba216cc68d40da56f88cc20d6a9

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 a6683233a99bd3b01d35a46a9294ecc0
SHA1 14922471f6f0aba4d3abf5c9c2deb1759bceb9f6
SHA256 93b6a880b1fecbefb44ab624dc6a18f8598801e828aee600d8f0e6e9799a0322
SHA512 673ae3921a8f4ddf10c18569eb637da38893a2fa6e172d3b8000aad7b7e310ca47407ed32e4de3fba713a534dafa185b90af742decc851fae543fc892c597470

C:\Program Files\dotnet\dotnet.exe

MD5 6ea9522f871d839d3c526bfdd77223f4
SHA1 d6f804589ba1475595c39e6676118f9aa883ab33
SHA256 a03dda779bb812522acbb8f28ba2cc7b881da36de5a99925628eae928ad93ce5
SHA512 4fdde2f0a57a7c344ed8b9ef60414354819dc192e025a606020a9bd05ee75129406dff9385334658dc1e8c868302609ba9e243f6afd8b34dd803291b744b2937