Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3hk1zaaa25
Target 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk
SHA256 335857898fccba036e634cddc73ee3812929ac3a0a76045127362d21fb91917d
Tags spyware stealer
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 335857898fccba036e634cddc73ee3812929ac3a0a76045127362d21fb91917d

Threat Level: Likely malicious

The file 2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:30

Reported

2024-04-07 23:33

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\580b6c15822cf6b9.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
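Worked example, added by the editor and not part of the sandbox output. The "Executes dropped EXE" and the three "Drops file in ..." tables above are flattened "Description Indicator Process Target" rows. Read together they show a chain rather than a set of independent drops: the sample opens C:\Windows\System32\alg.exe for modification, alg.exe then appears under "Executes dropped EXE", and alg.exe in turn opens further executables (fxssvc.exe, SgrmBroker.exe, Java and Chrome binaries) for modification. The Python below parses rows in this layout, correlates "File opened for modification" with executed processes, reports which binaries became writers themselves, and produces the list of executables to verify on a suspect host. It assumes two things that hold for every row on this page: the Target column is always the literal N/A, and the Process column is the last field that begins with C:\ or \??\. ROWS is a subset copied from the tables above; the baseline dictionary in find_tampered is a hypothetical stand-in for SHA-256 values taken from a clean reference build of the same Windows image (win10v2004 here). One caveat when acting on that list: most OS binaries under System32 are catalog-signed and carry no embedded Authenticode signature, so "no embedded signature" is not by itself evidence of tampering; compare hashes (or catalog signatures) against a known-good copy of the same build.

```python
"""Added example: parse the flattened 'Description Indicator Process Target'
rows of this report and correlate writes to executables with later execution.
Assumes, as is true of every row on this page, that the Target column is the
literal N/A and the Process column is the last field starting C:\\ or \\??\\."""
import hashlib
from collections import defaultdict, namedtuple

Row = namedtuple("Row", "action indicator process")

# Submitted sample, as given in the Command Line section above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"

# Subset of rows copied verbatim from the tables above.
# 'N/A N/A <process> N/A' is the layout of the 'Executes dropped EXE' table.
ROWS = [
    "Description Indicator Process Target",
    r"N/A N/A C:\Windows\System32\alg.exe N/A",
    r"N/A N/A C:\Windows\system32\fxssvc.exe N/A",
    r"N/A N/A C:\Windows\System32\msdtc.exe N/A",
    r"N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A",
    r"N/A N/A C:\Windows\system32\vssvc.exe N/A",
    r"N/A N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A",
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\fxssvc.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\System32\msdtc.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\vssvc.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE {SAMPLE} N/A",
    r"File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A",
]

# Description strings that occur in this report, longest match first.
ACTIONS = ("File opened for modification", "File opened (read-only)",
           "Key value queried", "Key opened", "Key created",
           "Set value (str)", "Set value (data)", "N/A N/A")


def parse_row(row):
    """One table row -> Row(action, indicator, process); None if not a data row."""
    body = row.rstrip()
    if not body.endswith(" N/A"):
        return None                       # header line or unexpected layout
    body = body[:-len(" N/A")]
    idx = max(body.rfind(" C:\\"), body.rfind(" \\??\\"))   # start of Process
    if idx < 0:
        return None
    process, rest = body[idx + 1:], body[:idx]
    for action in ACTIONS:
        if rest.startswith(action):
            indicator = rest[len(action):].strip() or None
            if action == "N/A N/A":       # 'Executes dropped EXE' row
                return Row("executed", None, process)
            return Row(action, indicator, process)
    return None


def norm(path):
    """Case-fold and drop the NT '\\??\\' prefix so OSE.EXE's two spellings match."""
    return (path[4:] if path.startswith("\\??\\") else path).lower()


def write_exec_chain(rows):
    """Executables opened for modification that later ran -> set of their writers."""
    writers, executed = defaultdict(set), set()
    for r in filter(None, map(parse_row, rows)):
        if r.action == "executed":
            executed.add(norm(r.process))
        elif r.action == "File opened for modification" and r.indicator.lower().endswith(".exe"):
            writers[norm(r.indicator)].add(norm(r.process))
    return {p: w for p, w in writers.items() if p in executed}


def propagators(rows):
    """Second generation: written, then executed, then a writer of other EXEs."""
    chain = write_exec_chain(rows)
    return set().union(*chain.values()) & set(chain)


def files_to_verify(rows):
    """Every executable opened for modification, run or not: the host hunt list."""
    return sorted({norm(r.indicator) for r in filter(None, map(parse_row, rows))
                   if r.action == "File opened for modification"
                   and r.indicator.lower().endswith(".exe")})


def find_tampered(paths, baseline, read_bytes):
    """Paths whose SHA-256 differs from a baseline taken from a clean reference
    build; read_bytes(path) is injected so this runs on a host or on test data."""
    return [p for p in paths if p in baseline
            and hashlib.sha256(read_bytes(p)).hexdigest() != baseline[p]]


if __name__ == "__main__":
    for path, writers in sorted(write_exec_chain(ROWS).items()):
        print(f"{path}  <- written by {sorted(writers)}")
    print("second-generation writers:", sorted(propagators(ROWS)))
```

On a live host, pass `lambda p: open(p, "rb").read()` as `read_bytes` and a baseline captured from a clean machine of the same build; SensorDataService.exe and spectrum.exe, which perform the SCSI registry reads further down, are in the same chain, so their later activity should be read as that of modified service binaries rather than of the original sample.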

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000672a04b34389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007868c1b24389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006a3dbb24389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dcca4b24389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000438d06b34389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3607bb34389da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009599b4b34389da01 C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

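The Blob value in the row above is the serialized certificate element that Windows stores under SystemCertificates: a run of records, each {DWORD property id, DWORD reserved = 1, DWORD length, data}. Read in that order, the first record is property 0x0f with length 0x30; property 0x0b (friendly name) decodes from UTF-16 as "DigiCert Trusted Root G4"; property 0x03 (SHA-1 hash) is DDFB16CD4931C973A2037D3FC83A4D7D775D05E4, the same value as the key name; and property 0x20 is the 0x594 = 1428-byte DER certificate, whose issuer and subject both read CN=DigiCert Trusted Root G4, i.e. a self-signed root. AuthRoot is the store that Windows' Automatic Root Certificates Update fills on demand when chain building needs a root from Microsoft's trusted root list, so this signature alone does not separate that from a process planting a rogue root. The check a responder wants is to hash the embedded DER, confirm it matches the key name and the stored hash property, and take the CA identity from the signed subject rather than from the friendly-name property, which any writer can set to anything. The following is an added example, not code from the report or from the sandbox vendor; the wincrypt property ids are the real ones, while the "constructed sample" block at the bottom builds a stand-in DER structure and blob purely to exercise the parser offline, so its thumbprint and names are made up.

```python
# Added example (not from the report): parse and cross-check a SystemCertificates\...\Certificates\<thumbprint>\Blob
# write. Blob = records of {DWORD propid, DWORD reserved = 1, DWORD length, data[length]} keyed by wincrypt.h
# CERT_*_PROP_ID values. Everything under "constructed sample" is made up for the demo, not a real certificate.
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3       # SHA-1 of the DER cert (the "thumbprint")
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE display name; covered by no signature, so never evidence
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself

def parse_blob(blob: bytes) -> dict:
    """Walk the property list and return {propid: raw data}; reject truncated or odd input."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed property {prop_id} at offset {off}")
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props

def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False

def _tlv(buf: bytes, off: int):
    """Read one DER tag/length at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def subject_common_name(der: bytes):
    """CN from the signed subject Name, which is what to trust over the friendly name."""
    _, off, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, off, tbs_end = _tlv(der, off)     # tbsCertificate SEQUENCE
    fields = []                          # [0] version?, serial, sigAlg, issuer, validity, subject
    while off < tbs_end and len(fields) < 6:
        tag, _, end = _tlv(der, off)
        fields.append((tag, off))
        off = end
    subject_off = fields[5][1] if fields[0][0] == 0xA0 else fields[4][1]
    _, off, end = _tlv(der, subject_off)            # Name ::= SEQUENCE OF RDN
    while off < end:
        _, rdn_off, rdn_end = _tlv(der, off)        # RDN ::= SET OF AttributeTypeAndValue
        _, atv_off, _ = _tlv(der, rdn_off)          # SEQUENCE { type OID, value }
        _, oid_s, oid_e = _tlv(der, atv_off)
        if der[oid_s:oid_e] == b"\x55\x04\x03":     # id-at-commonName, 2.5.4.3
            vtag, v_s, v_e = _tlv(der, oid_e)
            return der[v_s:v_e].decode("utf-16-be" if vtag == 0x1E else "utf-8")
        off = rdn_end
    return None

def triage(key_path: str, blob: bytes) -> dict:
    """Hash the embedded DER and compare it with the key name and the stored hash property."""
    props = parse_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    key_name = key_path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {"key_name": key_name, "sha1": sha1, "friendly_name": friendly,
            "subject_cn": subject_common_name(der), "key_name_matches": key_name == sha1,
            "stored_hash_matches": props.get(CERT_SHA1_HASH_PROP_ID) == hashlib.sha1(der).digest()}

# ---- constructed sample: a DER stand-in carrying only the tbsCertificate fields up to subject ----
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(cn: str) -> bytes:  # SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def constructed_cert(cn: str) -> bytes:
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")               # [0] version v3, serial
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c"))   # sha384WithRSA
           + _name("Constructed Issuer")
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))  # validity
           + _name(cn))
    return _der(0x30, _der(0x30, tbs))

def build_blob(cert: bytes, friendly_name: str) -> bytes:
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\0").encode("utf-16-le"))
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert).digest())
            + rec(CERT_CERT_PROP_ID, cert))

def sample_report(friendly_name="Example Root", cn="Constructed Test Root CA", tamper=False) -> dict:
    """Key name is derived from the true SHA-1; tamper=True then edits the DER behind it."""
    cert = constructed_cert(cn)
    blob = build_blob(cert, friendly_name)
    key = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates" + "\\" + hashlib.sha1(cert).hexdigest().upper()
    if tamper:
        blob = blob.replace(cn.encode(), b"X" + cn.encode()[1:])   # same length, different bytes
    return triage(key, blob)
```

On a real blob (for example the hex from the row above, after `bytes.fromhex`), `triage()` takes the key path and the decoded value and reports whether the key name, the stored SHA-1 property and the hash of the actual DER agree, plus the subject CN; a friendly name of "DigiCert Trusted Root G4" on a DER whose subject says something else, or a key name that does not equal the hash, is the pattern that warrants escalation. The walker only reads fields up to the subject, so it also copes with a DER that has been truncated after that point.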
Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4936 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4936 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4936 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4936 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 4936 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 4936 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3528 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3528 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3528 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3572 wrote to memory of 2184 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3572 wrote to memory of 2184 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3572 wrote to memory of 832 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 3572 wrote to memory of 832 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

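Each row in the table above is one WriteProcessMemory call, so the repeated rows are the same writer hitting the same target again; the table records neither the address nor the size written, so on its own it cannot tell a parent setting up a child it just launched from code injection. What it does give is the writer-to-target graph: PID 4936 (the sample) writes into a second copy of itself (4340), into the copy under Opera Installer Temp (1424), and into the two assistant executables (1648, 3528), 3528 then writes into another instance of assistant_installer.exe (3492), and PID 3572 (SearchIndexer.exe) writes into the SearchProtocolHost.exe and SearchFilterHost.exe hosts it spawns, which is Windows Search's normal arrangement. The added example below, which is not part of the report, deduplicates the rows into that tree and applies two coarse triage filters: a process writing into another copy of its own image, and an image outside C:\Windows writing into one under it (empty for this table; the test feeds one constructed row to show it fire). The sample rows are copied from the table; the row format and the two heuristics are this example's own assumptions, not the sandbox's.

```python
# Added example (not from the report): rebuild the writer -> target tree from a sandbox
# "Suspicious use of WriteProcessMemory" table and pull out two patterns worth a second look.
import re
from collections import defaultdict

# One row per WriteProcessMemory call. Both image paths start with a drive letter, which is
# the only reliable way to split them, since the paths themselves contain spaces.
ROW = re.compile(r"^PID (?P<w>\d+) wrote to memory of (?P<t>\d+) N/A "
                 r"(?P<wimg>[A-Za-z]:\\.*?) (?P<timg>[A-Za-z]:\\.*)$")
WINDOWS_DIR = "c:\\windows\\"

def parse_rows(text: str) -> list:
    """Parse rows into (writer_pid, target_pid, writer_image, target_image) edges, once each."""
    edges, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        edge = (int(m["w"]), int(m["t"]), m["wimg"], m["timg"])
        if edge not in seen:          # the sandbox logs every call; one edge per pair is enough
            seen.add(edge)
            edges.append(edge)
    return edges

def classify(edges) -> dict:
    """Build the tree and flag self-image writes and non-Windows -> Windows-image writes."""
    children, images, targeted = defaultdict(list), {}, set()
    self_image, into_windows = [], []
    for w, t, wimg, timg in edges:
        children[w].append(t)
        images.setdefault(w, wimg)
        images[t] = timg
        targeted.add(t)
        if wimg == timg:
            self_image.append((w, t))     # parent writing into a second copy of its own image
        if timg.lower().startswith(WINDOWS_DIR) and not wimg.lower().startswith(WINDOWS_DIR):
            into_windows.append((w, t))   # coarse trust-boundary filter, not a verdict
    roots = [p for p in images if p not in targeted]
    return {"children": dict(children), "images": images, "roots": roots,
            "self_image": self_image, "into_windows": into_windows}

def render_tree(edges) -> list:
    """Indented pid/image lines, one root per top-level writer."""
    info, lines = classify(edges), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {info['images'][pid]}")
        for child in info["children"].get(pid, []):
            walk(child, depth + 1)

    for root in info["roots"]:
        walk(root, 0)
    return lines

# Sample input: a subset of rows copied from the report's table, repeats kept on purpose.
SAMPLE_ROWS = r"""
PID 4936 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe
PID 4936 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4936 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
PID 4936 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3528 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe
PID 3572 wrote to memory of 2184 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3572 wrote to memory of 2184 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3572 wrote to memory of 832 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
"""
```

`render_tree(parse_rows(SAMPLE_ROWS))` yields two roots, 4936 with four children (3528 in turn parenting 3492) and 3572 with two; `classify()` lists (4936, 4340) and (3528, 3492) under self_image and nothing under into_windows. Both filters are starting points for a second look, not verdicts: a legitimate parent in a user-writable directory can launch and write into a Windows binary, and a self-image write is exactly what a multi-process installer or browser framework does when it spawns helper copies of itself.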
Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2c0,0x2c4,0x2c8,0x2b4,0x2cc,0x7ffb0ab87c80,0x7ffb0ab87c8c,0x7ffb0ab87c98

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe" --version

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe" --version

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x680040,0x68004c,0x680058

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
US 8.8.8.8:53 features.opera-api2.com udp
US 8.8.8.8:53 download.opera.com udp
NL 82.145.216.16:443 features.opera-api2.com tcp
NL 82.145.216.24:443 download.opera.com tcp
US 8.8.8.8:53 19.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 24.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 download5.operacdn.com udp
US 104.18.11.89:443 download5.operacdn.com tcp
US 8.8.8.8:53 89.11.18.104.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 121.118.77.104.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 34.174.78.212:80 deoci.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 gcedd.biz udp
US 8.8.8.8:53 jwkoeoqns.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
NL 35.204.181.10:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
ID 34.128.82.12:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
NL 34.91.32.224:80 pwlqfu.biz tcp
US 8.8.8.8:53 udp
US 34.29.71.138:80 tcp
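Two things stand out in the table above: the Opera installer's own traffic (opera.com, opera.software, operacdn.com over 443) sits next to a long run of short, consonant-heavy .biz names fetched over plain HTTP, and several of those names resolve to the same handful of IPs (34.128.82.12 alone fronts ssbzmoy.biz, knjghuig.biz, vcddkls.biz, wllvnzb.biz, acwjcqqv.biz, warkcdu.biz and eufxebus.biz). The script below is an added triage example, not part of the sandbox output: it parses rows in the report's own "Country Destination Domain Proto" layout, flags second-level labels that look machine-generated with a lexical heuristic, and separately lists non-DNS destinations reached under several unrelated names. NETWORK_ROWS is a constructed subset copied from the table, including one of the two rows whose domain column is empty; the vowel-ratio and consonant-run thresholds, the minimum of three domains per IP, and the "last two labels" approximation of a registered name are the author's choices for this example, not values from the report.

```python
"""Triage a sandbox Network table: DGA-looking labels plus shared-IP clusters.

Added example. Rows are a constructed subset of the report's Network section;
thresholds below are heuristics chosen for this example, not report data.
"""
import re
from collections import defaultdict

# Constructed sample in the page's own "Country Destination Domain Proto" layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
NL 82.145.216.19:443 autoupdate.geo.opera.com tcp
US 104.18.11.89:443 download5.operacdn.com tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 104.198.2.251:80 cvgrf.biz tcp
US 34.174.61.199:80 npukfztj.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
ID 34.128.82.12:80 knjghuig.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
ID 34.128.82.12:80 vcddkls.biz tcp
ID 34.128.82.12:80 wllvnzb.biz tcp
ID 34.128.82.12:80 acwjcqqv.biz tcp
ID 34.128.82.12:80 warkcdu.biz tcp
ID 34.128.82.12:80 eufxebus.biz tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 udp
"""

VOWELS = set("aeiou")


def parse_rows(text):
    """Parse table rows. A row with the domain column missing (the report has
    two such rows at the end) yields domain=None rather than raising."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def registered_name(domain):
    """Assumption for this example: registered name = last two labels.
    Production code should consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_dga_like(label):
    """Lexical heuristic: fewer than 30% vowels, or a consonant run of 4+.
    Thresholds are the author's choice; pronounceable junk (eufxebus) slips
    through, which is why shared_ip_domains() exists as a second signal."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def flagged_domains(rows):
    """Distinct registered names whose second-level label looks generated.
    Reverse lookups (in-addr.arpa) are the sandbox's own PTR queries; skip them."""
    out = set()
    for r in rows:
        d = r["domain"]
        if not d or d.endswith(".in-addr.arpa"):
            continue
        reg = registered_name(d)
        if is_dga_like(reg.split(".")[0]):
            out.add(reg)
    return sorted(out)


def shared_ip_domains(rows, min_domains=3):
    """Non-resolver destinations contacted under several unrelated names."""
    by_ip = defaultdict(set)
    for r in rows:
        if r["port"] == 53 or not r["domain"]:
            continue
        by_ip[r["ip"]].add(registered_name(r["domain"]))
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def triage(text):
    rows = parse_rows(text)
    return {
        "rows": len(rows),
        "unresolved_rows": sum(r["domain"] is None for r in rows),
        "dga_like": flagged_domains(rows),
        "shared_ips": shared_ip_domains(rows),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

On the sample, the lexical test flags eleven .biz names and none of the Opera domains, while the IP clustering surfaces 34.128.82.12 with seven domains, including eufxebus.biz, which the lexical test misses. When hunting in proxy or DNS logs, treat the IP cluster as the more durable indicator: the names rotate, the hosting does not rotate as fast.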

Files

memory/4936-0-0x0000000002080000-0x00000000020E0000-memory.dmp

memory/4936-1-0x0000000140000000-0x00000001406D8000-memory.dmp

memory/4936-7-0x0000000002080000-0x00000000020E0000-memory.dmp

C:\Windows\System32\alg.exe

MD5 e811bd116844984f881605214717ffcc
SHA1 9739ec732e0a808e84c691d0df55ad5cd078470b
SHA256 7272d29ef99eb4e0ff0577e9f5e3d98bfee5f9f9d31f5d8fbe3e577d36fbcc87
SHA512 75497f4234a24bf77cdc6cfdf11727d08938f7b8cb861bd1c609a4e8d67e9519ccf71e60e96f9bdab5f4cecb072e09e99654d8cd8234c8cbf4082c8cf8371f31

memory/2836-16-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/2836-15-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404072330586624936.dll

MD5 d7d32a284a6cbaac784ab2c8c144215b
SHA1 620bb04f32e90420aa5e43124cf366505587b2dc
SHA256 b00cd59787d9356f9a70d679dccba58b4b58713b69876ccdcef4bcf0724e7b41
SHA512 e35f7d034daa1dbbcbde0c0f2979d329ae8b9367a9241af726a761414ec85666756be3b698c8c0ec354b9f76d0bd06e6c9d232de9150510ed056898936f643c7

memory/4340-20-0x0000000140000000-0x00000001406D8000-memory.dmp

memory/4340-22-0x0000000001EF0000-0x0000000001F50000-memory.dmp

memory/2836-25-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 de1e71f4ca501d43c9acafb78af3d1df
SHA1 ae40766aa0a3727f0700daf3180ecf7de8c865f1
SHA256 315ca445d87e8d51375783ded5045757683ae4e8ccf72a426ec282368a267296
SHA512 164a60289616ba0eec12d4036f853dea933e54d0c2106af877ca1f0c75f5168403e4436c3a43c69b1caa2caf782dc678a8d88704d11051a96d5bc95349e9969d

memory/4340-36-0x0000000001EF0000-0x0000000001F50000-memory.dmp

memory/216-35-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/216-37-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/216-50-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2024-04-07_67b2a42e5719bae4aa2cdbda7aa533bb_ryuk.exe

MD5 67b2a42e5719bae4aa2cdbda7aa533bb
SHA1 32019709338b0b4edd4f9047a78ab1f7f39de3cd
SHA256 335857898fccba036e634cddc73ee3812929ac3a0a76045127362d21fb91917d
SHA512 3f6a84bcbce6d427d9b2e0b7df91694a79da3337872c9c250cd72537bd7bf366e5da5391ef3c0f0522d8774ed6f2ec86474cd29c2f2bf209f7c91c2156721382

memory/1424-54-0x0000000000520000-0x0000000000580000-memory.dmp

memory/1424-55-0x0000000140000000-0x00000001406D8000-memory.dmp

memory/4128-60-0x0000000000EA0000-0x0000000000F00000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 252bd8d874fa9008be65984c75a497d2
SHA1 da05a06c390a76522a2c24d37069d1e3530d82c4
SHA256 85b27c2afcd2a592ad3ea8867c4f33f91e09a620d2526ff9e96d93b6c140aa7f
SHA512 e6f032fbc5e888887f398fbb011f6d0a38fd72c99c53b18a9fcc3cbeecc1fcce5c867646d199e869fb51a747525cd6a62a532c0b34f8cd835f975f817a391530

memory/4128-64-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1424-70-0x0000000000520000-0x0000000000580000-memory.dmp

memory/4128-74-0x0000000000EA0000-0x0000000000F00000-memory.dmp

memory/1424-78-0x0000000000520000-0x0000000000580000-memory.dmp

memory/4936-79-0x0000000140000000-0x00000001406D8000-memory.dmp

memory/1424-82-0x0000000140000000-0x00000001406D8000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 8fbeda2d582f7203fa64c9adb93eab43
SHA1 46cd45617a6c114db6f53d4ef005d5167ac72218
SHA256 29e6e0570937250427af08e38b43eab83e974dd76929b9a9ddb327e49112f7fd
SHA512 5470839d3b51484b067d26ebbf60fdf530eed6471d53ecbd664fb7aa97c4db5c8129ec9388f87705da49e56756cae1b1f4a020171bc746e27be2c8c75cb56c0a

memory/760-87-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/760-86-0x0000000140000000-0x0000000140237000-memory.dmp

memory/760-94-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/2836-93-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/4128-96-0x0000000000EA0000-0x0000000000F00000-memory.dmp

memory/4128-98-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 4831437bef5966334380c18e870ace88
SHA1 36b4d51a26ae54b5f103d85de19d48fb871392b4
SHA256 1fe7b52ae4290b55898d09eb4650f8a16a8991021bac634071b2cbe8c44e9dde
SHA512 c6015b7578a8cf267c0e3a7bca40feb2733379d12d946eb3c658b8c8e46cbe2ff40b74ddae0dd13c94d93afd68645495cbb62dae736d1e06eadbb3723edf63e0

memory/4340-101-0x0000000140000000-0x00000001406D8000-memory.dmp

memory/1108-103-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/1108-102-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1108-111-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 a6a7c43d4ee787b7ad001343c51d150a
SHA1 df3d92f3142512768ef3d61871f3eebb8bef354d
SHA256 21b226b8df3ab71bd7a168bd763be20816e35059e15bc0f376280ad852a652a3
SHA512 5ae1ca6537ff7fecc37aba9773aa014c4a2ae8a45ba87b9dcf444ad063c213f334d5e45cdfbeb58755481c1cfdb28749a5294d78898ecafd6446c3402c564079

memory/216-120-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/4188-122-0x0000000140000000-0x0000000140209000-memory.dmp

memory/4188-128-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/4492-137-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/4188-139-0x0000000140000000-0x0000000140209000-memory.dmp

memory/4188-141-0x0000000000CD0000-0x0000000000D30000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 c741e47ef58c68c1c7b87f5d266d2d7e
SHA1 ef490d0378453acaa666ee6f4b7bfbba5449a2fa
SHA256 1dfddbe7cbdc869bdda9d9c2067b1e12a774f4b7fbee20e4ca46a3700d89a96b
SHA512 7f905ed245ef2f7673a79a47a981c490dbbe1ad4300fed0d88ed8e3c5621d82826dacac523c8002dd8b8e4191f885e745a92bfd3df747448cbfcf13359975a7b

memory/4492-147-0x0000000000D80000-0x0000000000DE0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 9f0bff7ec74abad929fe1dfb40971af9
SHA1 67dd18f616335244c22ba1306a497caf77dd5297
SHA256 1345b98e7f87549339212f79ae7bbea0cd548f977e3157b72c71570dfa8b9a54
SHA512 44f148dc125fa2cfbb79ac7d4d34f2577912c58c39c43f563f5c521e09b32c84516944dcc698c8951ccf8997c8da75e93c6566e0fc599343820e2eb935593e16

memory/764-155-0x0000000140000000-0x000000014020E000-memory.dmp

memory/764-160-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/760-171-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 407b6fa2d0f954147d02c26d5dedb657
SHA1 eec152bc13a10ebc156cf4b70703f6cefc7c0ded
SHA256 ede792d912bd1d7b193bc5a1cd0e1791c8f6125fd98957f646eebc3c381ba360
SHA512 a77c9a4831dcf4d667e607383d935d98b2926e6c4a2402cbefaf6d557f07da4a0d03e5ea19f1035c83214607d21c4a9bad2ce50ef0c3c4280af01dd0ce820353

memory/2396-173-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/2396-184-0x0000000000680000-0x00000000006E0000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 f03d63f5141bfc516ed06583681999b3
SHA1 3e84741d8f49d9882b279fd4792f856fc56099d1
SHA256 39f421c3043e8ce5f4f0366dda202524c670fd0bb27d789a230ce66094d0fd59
SHA512 20fdb240855947ceda4e71ab5cfd343c64adbd12e728c57a472b4f426a6481a50bf2cb7775d48eb5edae97ee118c8832ee5b57244f8eb5d0567977acaf9d7671

memory/1108-186-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1020-187-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/1020-194-0x0000000000720000-0x0000000000787000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 b4370d312df642f768a1b68e921ca21b
SHA1 9f85a10cf76566f12d25dc7c561261774c85bbf6
SHA256 da745ee7ef21855d2f415538e108de88966a70424c17bf617fe99977c6aee823
SHA512 ff0f893b2a1cf333b87f0e110976982c6669ac4260dfe3a348d002bbd5ff7423d1f55eb2d6b57316a33c83584ac8046369194b91b796f5950e10de281fd9ccdb

memory/4480-199-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/4480-207-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 4a86f6778aeb577d7340953eddf59c66
SHA1 c2aa935a5b1b8ec918bac29ad88cef3fa5193838
SHA256 d92cff7b15c3303795a164108354b7d0b2032f586b7193306fdaa2beea432fa3
SHA512 cd58898bb47c7732010d08905c2aa827b387372fc522485b05390d25eb86c4f0c7c97e67c0ca2e59e4a02a9591bfba71601972500c964381e7080cb853c54848

memory/4492-211-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1712-213-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1712-219-0x0000000000560000-0x00000000005C0000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 3223d663fbae607eed4b076fe39f6fd5
SHA1 82b8400fa5849a8da57a2bd72a6524461df2a44d
SHA256 cc6de0e152426e1b9e326cddaefd73ffe5cc66ca639c518ac11e9b8a87fb958d
SHA512 31710eb5197f5770783d59cad6ca828ac2372c70e9133bc4ca6fcf2201875ce1da572142805cb1245d8c222c746de41e6940c6cfdd2ba025c26b01970802134a

memory/764-232-0x0000000140000000-0x000000014020E000-memory.dmp

memory/2456-234-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/2456-235-0x0000000000550000-0x00000000005B0000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 be9e77328c180fdd88de227d6d9e7960
SHA1 37a4ca60a708148a18b00121931f6ebeaf682a93
SHA256 9f5d2f10a292c04e4791ce1aaf70d21034f4ee74d0435102bca0b35a2d3fdada
SHA512 717e5e11583d00cb704bc82f4a5d151c394ace8f67ede33723ab66ac97fdad2401e72d42381875c75980fda8d911dce72a78dd04c4a2bcc7a97398071e652031

memory/1412-240-0x0000000140000000-0x0000000140169000-memory.dmp

memory/764-237-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/2396-247-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/1412-248-0x00000000006A0000-0x0000000000700000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 95c43c2cc3a4f5b94c9bf28f3d127d9f
SHA1 922926d24b5c503d6422e5174fbb9144cc6b422f
SHA256 4898da28a4d7c9e21ee5fd67558f2a46ff0078314821520304b93ac71d60aa7e
SHA512 2f4604fa244376bbc1e6e7b6aa011bd7a2dd35cdb8c33be43100080026315d9ef377a2fcbab0ca56d33111d2e7460406dfde21c6f5cebc94adb79e69ddef6851

memory/4656-253-0x0000000140000000-0x0000000140241000-memory.dmp

memory/4656-262-0x0000000000D60000-0x0000000000DC0000-memory.dmp

memory/1020-261-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 1872b399e33ff8f7bfcbd5e0559afe0d
SHA1 2d07f42485333af73a90769530b2b7d08c23f8f2
SHA256 2591a1924b4d57ad09427667f8dc49cead81d7bb856da20605e2dcc7dfec6938
SHA512 2e3c5ed21d75d2e9b92c8b3588a2e5e96221f9027d12a64b107921d273abd041776beb2d23eb61f59a4491ee8ed9efd1765a84fd46cc1f98a368ef0cda768ead

memory/4852-268-0x0000000140000000-0x0000000140221000-memory.dmp

memory/4480-274-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/4852-276-0x00000000007F0000-0x0000000000850000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 0a8056809e4be1eab72fa307d2fe1aba
SHA1 e061a2d7053243b3979f1701e93109658b427df3
SHA256 ed83c762a5e575e6d592b9f935986f8db11171837f70b76ae54a9332deda7d39
SHA512 77419e4d3dface63a3ea3568729ea8afa436ea26126cdd4e8f258a56a02d3cd0788819e7a864b477c55f6ccd285f2fc1b914b8c2091f1b24988a8e48ddebcb02

memory/2256-279-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/1712-286-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2256-288-0x0000000000BB0000-0x0000000000C10000-memory.dmp

memory/2256-292-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/2256-293-0x0000000000BB0000-0x0000000000C10000-memory.dmp

C:\Windows\System32\vds.exe

MD5 2d6d2fec3256ee84344cd880c37bceb7
SHA1 23b32c2f3814aae0cadfabfaa680a3a150607899
SHA256 c5db62e4ad1c176a45994936be8f61723fd8cd78861e342b93bff574045b57cd
SHA512 f56c6e3ec9b6c94246b3eae43b70bfcacb6f8ae1dbfcc46bd7b36b117e65cd071aa2ccc3f65572694458b873914d489fe318f8933b4d6744c450fc8f47ccd36e

C:\Windows\System32\VSSVC.exe

MD5 420939406a640b9d297e6e1f9f8f3b82
SHA1 ff49b1fa00515f80a28f6a07cffcb91acabbdc61
SHA256 151fb9d877d2c63b26accc7f4c60edd4e51baa2a4c3bede235cb50424ccbe55e
SHA512 b8f40c34989409d7f80c52a87ea3ff15c7621acd47823864fcb1403e23166083ea1fa885fa03fefae59c0a52e051a8e6a0c3d3be59195dea05575ba0d7d17b5e

C:\Windows\System32\wbengine.exe

MD5 a015f36a7e0865e4fb4a18605ded0065
SHA1 6af60465fd1255b3abe725135fc37e5a22f84c1b
SHA256 98d00c3030a2e81ac63810985adb73ed3b7aadf7b98c6f45f76cfdaccb334f33
SHA512 e52dcffbbacbe7765e907ac16d08c2e562f3d71f12eecf11080ac370f3258b1c3f3ca9b611ddb8f8e2549479bd3d8b294bd19ac99b292a178eafd66124cf54ab

memory/4804-318-0x0000000140000000-0x0000000140147000-memory.dmp

memory/5092-322-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3400-326-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2456-328-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/3400-329-0x0000000000B70000-0x0000000000BD0000-memory.dmp

memory/5092-324-0x00000000006F0000-0x0000000000750000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 ad733b52a8cc7eb6efc603e2f88e26a8
SHA1 7682daf13bfd48f9f9fbba6f9c71d4163986a40c
SHA256 fba2bdf95acd008fc96e0b2d428d710a7071a1641be78e5081e676c051410b61
SHA512 367d784d3e122e38253181946a14cf4885c41867deb9eda88b43f55407547654480019611a9bacbea6ba9f075c6336df51a4acabcc1dd4a2cf40e44196752236

memory/4804-320-0x0000000000C20000-0x0000000000C80000-memory.dmp

memory/1412-334-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1772-336-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1772-341-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4656-347-0x0000000140000000-0x0000000140241000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 0e1c10a59db3082c3d78e44c3d201036
SHA1 5b82d1bb7ebb4876cdfa29c9f6364399b794a697
SHA256 9ece7bfa22fafc2d0f9204b24cbd66a985de47415a8bf5318b9e9d0eaabe9a12
SHA512 2bc51158a1ed37e3e3d38f5c4b2c323cfc5befc1cf3f0b867b5da90ca1343f8dfb86c3369143f32ba03b1cea482bc4188a82fd5b4d7145680343180fef0f0551

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\opera_package

MD5 f9172d1f7a8316c593bdddc47f403b06
SHA1 ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256 473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512 f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\additional_file0.tmp

MD5 20d293b9bf23403179ca48086ba88867
SHA1 dedf311108f607a387d486d812514a2defbd1b9e
SHA256 fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348
SHA512 5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\dbgcore.dll

MD5 8b6f64e5d3a608b434079e50a1277913
SHA1 03f431fabf1c99a48b449099455c1575893d9f32
SHA256 926d444ffca166e006920412677c4ed2ef159cf0efc0578cb45b824f428f5eb2
SHA512 c9aeac62ece564ac64a894300fb9d41d13f22951ead73421854c23c506760d984dff0af92bef2d80f3a66e782f0075832e9c24a50ae6110d27a25c14e065b41c

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\assistant_installer.exe

MD5 b3f05009b53af6435e86cfd939717e82
SHA1 770877e7c5f03e8d684984fe430bdfcc2cf41b26
SHA256 3ea8d40fcede1fc03e5603246d75d13e8d44d7229d4c390c39a55534053027f7
SHA512 d2dee80aaa79b19f1eb1db85079a05f621780e06bfea9e838b62d757ba29399f9090ec7c6ff553377c9b712f3ba8dd812cdff39f3e28829928e86746a8ac6b27

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\dbghelp.dll

MD5 925ea07f594d3fce3f73ede370d92ef7
SHA1 f67ea921368c288a9d3728158c3f80213d89d7c2
SHA256 6d02ebd4ec9a6093f21cd8ccefb9445fa0ab7b1f69ac868a5cfc5d28ed8d2de9
SHA512 a809851da820d9fdd8fb860a8f549311dcc2579df2c6f6fba74f50d5d8bf94baa834b09fb5476ac248f18d1deb6b47d4fdd6d658889d5d45ca8774a9264483d2

C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

MD5 26dbf1cc6f1e1e758766cf725cfff5a6
SHA1 3310dbefdbb4e8d127e199a6947aa4f5cb9c1306
SHA256 59f7c4207e5715ff2614f3f88194c13bbd437780c86198056ef9f9b96149e97b
SHA512 ac7922c21738ebc09be4fa564723a133059a7ac2816019579c55b6b1b6acb3d3a73c83dded06183bb7205ae1fa6920b573aeecbc35ce35abdebfc9a8644a8ff1

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\browser_assistant.exe

MD5 e08001a17d420cde24580722d0cb7504
SHA1 795ee052fb424b55895a68fd5411769cd0b68446
SHA256 b8fec0b2731065076b3103c628a59a0f38b242aa7659bafa3bde57aa7fee7603
SHA512 7262709eed4fd5359af69c4058b37bdea980a52036a874d5ee196b8289f1cfcd382a1712f4510734fdadf4dbddef5627416cec130d679e4b25a351f4815e8bb4

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404072331001\assistant\launcher.exe

MD5 6b4e7f64ad78b87801c683e80d9da951
SHA1 14ee0af80a1e63a7e2dee5448b26f07e6559dffb
SHA256 4bf13400e417ee0dcadabbe8c568b0e5de65976f31363a81dc1c075ef5826ed6
SHA512 87b77795875945fd155d0b69d5dd0e2068ad43cc422b00d6b1eb84240d145924eedc8bddf1bbab622caba4f1e28c2e5b423132df32fbde355ed00f23f3b0d9f6

C:\Windows\system32\AppVClient.exe

MD5 5c4c3799569662e968af2a713bd7c9e4
SHA1 a3c237522d468f800249ef137bd3ef4ff42c4cd3
SHA256 ce276d0caa0d0919bb866aeb64dbedf3d6a79b9846a50305d8dff27c854280a7
SHA512 383037e0845b66eb0883a2eb93e90ddf35ff523f7e58d0c10322faa94cd94feccb39fcb6e664ddeeaa17eccc82de5948c4b938aab52c69df0ea4d3474f20aa79

C:\Windows\system32\msiexec.exe

MD5 fa2e14149f7aa427ae7b914b6fb9146f
SHA1 51a70833b32666b3ec692d0d54922a64954de822
SHA256 9c4cb4801c76c3061fa0dc69600986b1389d118b09a2a0f1c294a701f387b93a
SHA512 a0e777e463173fe7e5728d1766ed3b2408c439e6724c18d85b7ff82d15b8a095a725bcc6e930e1e67274470f2bed52c899919c2c779da3ce0b78164b47832191

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 e2477df0bd81b6a7339d16992447b5c0
SHA1 0ca6516ab4681acd4a72945e53087890203bccdc
SHA256 ccaf7a20320eefb732564bcfbc94e62f4d20917adcd24f50465358ceb71e19d5
SHA512 e4106c3639f4cff7d8896b7d68d4a53572cb1c98732637bfb458cd69fd5b63e74d86cf151aac6e1e4ebd36d4c826959546d02e302aa637eea64dfb6137f6cda1

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 51d0af6d9915937b6d11110cff563eb1
SHA1 e5ee08b7964cb430de775867f60e97e5a9b8dd79
SHA256 4c49d6d9b8690813a269291959dec0b1464d201581f6e5a996cb7078f0e17b25
SHA512 92d11200a65f15e3fd9c9d34af7eef08991af114fff94d8916df7292be011cc25146326ecca56fee595ee74ad308b67700a74e2cc12cb89757746d19572c1a83

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 b4805f6d9e3c70c97a309e8ad7ff19bd
SHA1 cb7f3318b9d3fd2a6f29f0b671293b6f688ec8d5
SHA256 0e77bf552affe92a80900b314c7b74f3e56049651f818b2f9ec229535af77171
SHA512 e2ed03ec7e9eacf2b0009ad324580931d84c868061d5b4beb70842a7cb613c14808f418d9d84d9ee6d96ea12990fc1920e365307222dfce114920e2e54b097b6

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 aca4da56c65e6abfdd372d6f3283df22
SHA1 1b6f2a88b87534474834ecdab2ad9d379690aafb
SHA256 173817d5d64515acb0aac8713dfa9530db60c0003d28ab0fc0ce0de05491dfb1
SHA512 e9ad1ce44b2959eb73404273ea1827e4f0c4aa64b63cb32c3b9c4a22d0e0f2dd1bef116c725464cbc4b099dcf22d35fe46cdf16d8b023adb744b1bf4e94f321c

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 960a83040fc7f31797bf82df4b4bfaf0
SHA1 aed9a94882df2aba1b599d10e52531abedad058e
SHA256 90082d6fe257a99682185102b294f0f86db7554024bc9a3664b38ccea85466b4
SHA512 c063b8417eee5ff73d179a9f63d2847c9ef915f35eedec4b34e13f0692694e008476f37292d69c6e04348925ff077853d440f7a2180234959d77c6c1a139d91b

C:\Program Files\dotnet\dotnet.exe

MD5 ba63abf877af21475994095201baacd3
SHA1 d920fb4e5f3d764c7832942a26b123e988f893ce
SHA256 fa6189ed891c5ac84599318991d8465a719dae07c5a171dec0b068ab5758cd70
SHA512 0568d21991f5e8c6a4a49d526779ff2473b680b2e15fb9fe39e8ccd2792b1e252bdd0e27b288ff75fb3d3e02f65a1b403173f5a9a14cf1f0600fd4beaaa424c4

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 5fb26373f9ee2d3c14879b886480f9f2
SHA1 6c2a1db24eb758cf5f71bf4a0e861eba0d9c3c0b
SHA256 76a99420307e7816134ca3d837d90df9bb21f1d9738fa39e8855b346a36441dc
SHA512 775056fd180785ed78ab25cf0b0f90524dcc50ade938b5e657a067f14aa1e6701198eef447485b8d9173dc3761b4026e9cf793fc51ec9f74329ff36f34fcbcbb

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 111960ec1144829b4be39f398efa0d72
SHA1 6180cc666bf8e65d1e159e8575c28431e48bfd76
SHA256 1c90b8d769f5a0fab54a99e3ed4bded92f0b5327c203b4390ebd678583d3808a
SHA512 1cf77af550e169bf53532d8cafd27439953a4b232de93f6491387c68b6892235ee3ce2dd18d67d3eb39f46fbf8a80467da1bf38e3afb45be63a2fd17446e3085

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7z.exe

C:\odt\office2016setup.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SgrmBroker.exe
