Analysis Overview
SHA256
f20991ed2a4ac1589ee48df5901f66ee96e7d01a741c07b001ae640029143554
Threat Level: Shows suspicious behavior
The file 2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:37
Reported
2024-04-07 23:40
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000928297ea4489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abfdb7eb4489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000619107eb4489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cacf4bec4489da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4688 wrote to memory of 2160 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 4688 wrote to memory of 2160 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 4688 wrote to memory of 2856 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 4688 wrote to memory of 2856 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe | "C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe" |
| C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe |
| C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe" |
| C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" |
| \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8 |
| C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv |
| C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe |
| C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe |
| C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe |
| C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\SensorDataService.exe |
| C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe |
| C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe |
| C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc |
| C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\TieringEngineService.exe |
| C:\Windows\system32\AgentService.exe | C:\Windows\system32\AgentService.exe |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding |
| C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" |
| C:\Windows\system32\SearchFilterHost.exe | "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896 |
Network
| Country | Destination | Domain | Proto |
Files
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\FXSSVC.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWOW64\perfhost.exe
C:\Windows\System32\Locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\Spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\TieringEngineService.exe
C:\Windows\System32\AgentService.exe
C:\Windows\System32\vds.exe
| MD5 | 09b5400fa05a28c0b3a92e4d119eea2e |
| SHA1 | 5d902fbbb1c69073fa6d3d80187e6efb3a69b67c |
| SHA256 | 661448acc9449c9b3086110e1f03593d256299071c5e00259b470ab576e87e47 |
| SHA512 | d5268e567f120ee431397427d2e6bdefc7f784033bc0a244bd44e5facdc10abe98cc881307a1a4fba93e0b71303a06a3af1dae4621581ef8ecedcf38d0302d85 |
memory/1160-413-0x0000000140000000-0x00000001401D5000-memory.dmp
memory/3240-416-0x0000000140000000-0x0000000140147000-memory.dmp
memory/3240-423-0x0000000000BC0000-0x0000000000C20000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 59404d3731c17e90dfbced5a83478e04 |
| SHA1 | 73de4a4f68b6bc65ddef44efda05db4454af38c4 |
| SHA256 | ebb2ee55bf540d9542158372e5dbd71f97741f27ced868af3a7ff04e4e276dd6 |
| SHA512 | 985387e198e21b8960811e59da32872988ee94b9188cc0c9ea49ed38be80536a5232ca6ad0641134d22319848416d9d481413136aef592c9e8d0e41b9e3ac2c0 |
memory/392-426-0x0000000140000000-0x0000000140169000-memory.dmp
memory/2440-427-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/2440-435-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 667b23ede5cdfb8cd533ab3b7281f3ca |
| SHA1 | 5faacf5165d8c909e28a0ee724c778ac983708c6 |
| SHA256 | 069de07dac68bf474a47291e186ab216df2e7708bf7ad718ae63ee919c78988e |
| SHA512 | cfc4fd080d96a0f685a45d49756a32cca7184d1da1c1e8257a4dd61ae3691229825a5316bc0447908a56bede8dd5bc747aa8569ad4f14de5e552eb2255bbb7f9 |
memory/800-439-0x0000000140000000-0x0000000140241000-memory.dmp
memory/4784-441-0x0000000140000000-0x0000000140216000-memory.dmp
memory/4784-448-0x0000000000C20000-0x0000000000C80000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 24f6889bae9356117a73383a5faa634b |
| SHA1 | f80250d145ae66fc66a8c285cee40f3acc1fbd6d |
| SHA256 | 1a01f86f0a166a879488537533f5e83996814d86af01ab738ca55cae11ccb3d9 |
| SHA512 | 54879001ccd51929a4d71d53192356f0cbd74d5b4dfb75e1a15863d18665d8b028655e349fbefe1d7dc30a2e027edd4b0ae8abeed7dd7fd4fec1a78f4b6de909 |
memory/1340-452-0x0000000140000000-0x0000000140221000-memory.dmp
memory/1052-455-0x0000000140000000-0x0000000140205000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 128d25e7c6e5a09e19ecb1094fee05c7 |
| SHA1 | 1f563322e19bf6016e011e62ec701b66618e6a24 |
| SHA256 | 93270ce1562f1ae0eacb3a79973a464c5b3450227b8473668786cf88f20bf5a5 |
| SHA512 | 258ddac605f7e9a77ad084017e2cb5d0770f1a6a1904d37a18a04ae59a23648eef5bd49dbb2302b53d70190d33d8996dece75172034acb59397e4ba15d0dc13e |
C:\odt\office2016setup.exe
| MD5 | 183c96f86e445d47c261894773be9be5 |
| SHA1 | bacb43ef76055936f2ea2766c099205ce1ba7861 |
| SHA256 | a8b3cf92544911ed8896369d7a4301e32dd49edb044f908013eecc819a46835e |
| SHA512 | a2e1f9149de70b5cc5ff1b9ad372844a1d7c69fc9c0be2824c0bfa7c656275520b00ae24f2faa4b52b2d55e21921314371d4bf061b276490dd28dee404e68232 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | fe06c1906c59620f49f128b89c80e290 |
| SHA1 | bd9f5e5681fed04116a9ad09f6a2258fc3985195 |
| SHA256 | 4cfc2a4982fb33f2f17409ff28cf3f4e64bab291cfff00095fde3682e5ca2c8d |
| SHA512 | 03f6e293ee87369d1bba9c5e9f90d40d65fd4f318d790319469721250404e552e18157d9c2dd28aa1240dbe548b6a06c7d7c272ca30636e009551af06dc30730 |
C:\Program Files\7-Zip\7z.exe
| MD5 | dfeeef40811e5aefaca381d4b65f50db |
| SHA1 | 326725bc1b460d7903dc63142c5a2ac63a6d5595 |
| SHA256 | f1eed2133d4fab7c3364f1d5242e72092d699eef658bd38e13ac085afe25c422 |
| SHA512 | 1f5697808869125c7bd315c3a2f7591250804ebd9137cc5b154bdbddb2292ae9db96908e9664cd746ea3e509477b34fc9830db15b19230a66d180a63047e5cf8 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | 41f745a9c1812741ce98190be5e90a3a |
| SHA1 | 34486164ae7928cc10b6e2d181175dffa4bf0ec9 |
| SHA256 | b0b1ffc7f492ece071c51e254ab5781cd95256af8ea437aa3678a53d635b63f8 |
| SHA512 | eba40a77df69fc71b3c56833694ac6d9d8c57e270a3929982247aa903998501ae26f688fb23cbb16efba30e19a4c9e14e6a8fa94519a1b6e8db0de05a6d3422f |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
| MD5 | 06807a9193bdb8a50135863076864e2f |
| SHA1 | 97bb63a2cf8e31d7564632391b25ea460eb32385 |
| SHA256 | 20cf6329bac2378fed0501efa4415e338ad41b7f59f3303658a8b5ba8a861c61 |
| SHA512 | f913f126baa5fe25a535fd15d4b628540d99123eccd5fe8bc00c47b98b18c6ce2ea08e205498a52d055b8f0ea7dc1bb8abe6e11ff0575f0611b0ae48fc80efe7 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | 85f93569fc8026d88415661d5b2e37f8 |
| SHA1 | 529f0163912995bfb4b5ca8ebdeeee9f73be8711 |
| SHA256 | d3e11e9dcb7fa3505c7c072ec2725b0b4d1085016e151427288acddbcb103df0 |
| SHA512 | 8a8765460ca3ab34317f2dbfb648aff8ae8129246590e879e8ce4771c41484c3252a43782970c8e37a06f6295fa860ba502b94f40c5743b1f9c76148d4aebd93 |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | 725bef764b8ec73375e884aea76158d3 |
| SHA1 | 00fceb7b6f6df87020262f35c9407cbf4e6692f5 |
| SHA256 | db88f49c7ce68a659669f9d94376d13e9b744dcb6c45e410ca51b5a4ce9eebdc |
| SHA512 | 3455633e84e08fe336d0848c8f6cdec05c9eda72d6da125a87f3c15d64175206c4804ac6d04675ac23de9c7dc00b65c70670f1676d9f640fc5f81e68ec46deed |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | 599f005aa45a718e1880a1524a1e32ca |
| SHA1 | 4294882f1383c101166af803f716042d94cfc00b |
| SHA256 | e0829dec137361aace7d474abc2e13324e0989504991ec9174af5f8883dd3a70 |
| SHA512 | b809c7bab997653dc10b746de139f791ae2998cad201b13618980900755e9c328ca3c95c8f08447bb638586d67bbd39e2d1ced9b04629e64972dbbb6b1b1f52f |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | c6a25ff4bce27eef3c39dfc199e594ea |
| SHA1 | dc97350217abc8804cfba61c1884f5d45ec0435d |
| SHA256 | f118b01c0db6233206d4adc82cb12890017cb319a1c956abfdbdecd5e8959aa3 |
| SHA512 | efafc200bcb0a1ea39931af495fc1b2ce0048b2515fbddc0ee834ca2bbb7821be4cc6fe96d75653bf793049ce2b05bb9214acaf307e48417a18216286b20c02e |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
| MD5 | 344d7ea57796b4b7308b53ac4d601c8f |
| SHA1 | 9d2709793e465ca1c9e7d46890c26bb00def654f |
| SHA256 | efb8163d147c0499a385e9c1abd657882c718718989eecaf5d36b5f78df2c5ab |
| SHA512 | eabcc6da190981e15671059717cfe84664b01dfb5b9284c4e3f477a476acc9b6dd076aeeb2a733364ffb034d2d3b1abbcf9e493c27968180227ffdc825429f4e |
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
| MD5 | 381816dbda903fe02fa56db09b3321b5 |
| SHA1 | 7dfd598e8e3c9bf9c66eac25a64deefe78577d56 |
| SHA256 | 374d0447243c6b23c94214eac62c6f2a67b5d6cebc788e18325c168e6a36b4fa |
| SHA512 | 38e01f0f8b4f4dfd5ab9f81865d6c7446c83a37113064d71bfe992b304248a09ccecbb867e50d6ca335b2525adc642011601a802df0bab0b757626d314ff3902 |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | 4cd613e35be071e5e31165d8d885d3ec |
| SHA1 | 59f48ee4e2bbf8d17ba8318968a93c86745d8b50 |
| SHA256 | 8b62e4b141f504b98f5f5ccd636b0d0b1be896f4fe3149c92e4b10894a9aa645 |
| SHA512 | 533134f6396f834982c3c2156f776f5bcf4dfe8b262f82fd825a75e1e2cbce77c9f0b46142efc41ec2fe885b1ba803c384454b288b3a492725747d5901b42866 |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | b29d1ffbb1b088b9eba20fee5cde4d4e |
| SHA1 | 736084121bf2d9bd68b436b485362467ef44433c |
| SHA256 | 64c057b40c56fa74faa9c1c21ea740c31d62ff548a54b8f5f619b90cecac5c15 |
| SHA512 | f81e738a2675ecc08853bbd95fea86822ed9b917fd65239ffb885a3e1853eab710dc3bb1ac20926c5a92b4921307862ce2ceafe8519b3403280b1607558d2aed |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 507710c16508f38eb80215cf7b23bc2f |
| SHA1 | a690c388dd2eb0e8d1ddde9dbc8ae353a908ce1d |
| SHA256 | 484d4abea3b2386ff1da5baaccd918b302b679ece1b9bfdda1e14e1dc923f63a |
| SHA512 | 2d9d39cb5aeeb38b60e19b694642f49188a53d1fad0d80b850e1b9decc6525ad97646819a2f0f797b89c2c13a533f5e99ab22b91d788acd2a8aff254ebae0267 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 527bfd870a4ada030f6422da9a2fd0ad |
| SHA1 | 8c6f14c0c6fb06262d5813e95cb844d9d6a205f1 |
| SHA256 | 3efbdff06f6e302e43ab8d4b1cf76404c6c7953bf03b324407f3e9e40a0e9f5a |
| SHA512 | 74123d74f4e0121114431821730d611f0ba6bf8e52ae81aed32008d0d0ca554b3438eadd27d213de8cd344eecdba4771369379f5a2be647d78bff36ca3b52294 |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 45f8df0b8d249c967491942f734b5d2f |
| SHA1 | 0c32701063588a28501a67e00c3c40e1e0eeac2f |
| SHA256 | a2bc8e306fd71c40cb2ba30134e1105a006e2a7abbc29784d166c9f3948c0944 |
| SHA512 | 14d17e427b53507d136649ea12a182aaa1f797deadbe246c523bf3d6698b1336849e632763a4d8cef932a664ad30795ced821e5114f6cdbe24a75ca55495d608 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | caa111eca59e05f4d439be101888f47f |
| SHA1 | 95a3abc3d7f65d91987d0f868e921cc21c93d10c |
| SHA256 | 5abdc5d218be12b94a737c5ff4c59b689b2e1ceabad4dad1fc19c068b795eb2b |
| SHA512 | c5f1c4efea634de399ad5ec8ce2073668581a0fdb26e31724302e66895fff135bc055295d55e15836c145d38b49cbbf5589bf1795cb6c571749c4767225cf14d |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 8bb38d0ca4afaa44d3f35b75a4a8d8ab |
| SHA1 | aafaddb36bc85e81e03ea8018d5e062e3d14e882 |
| SHA256 | b70bac41ae9bd60c13dee35d9e39ea4e69397c5411103acc7f4da04209405cdb |
| SHA512 | a0745c186a8b2ebb76a371b3a7f52d95729985a0b5f9a269bc1301e64bdc545b2ea5ed84f7d5929fc2c7275075d88b6c857ea0abfbd302d7b8460e0cbd8c2ced |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | b0456daab9c5c9264033652d7d6624f5 |
| SHA1 | 24c2663ec0a5e92163ab02469d21f001e93f5bfa |
| SHA256 | 8e76f2f04a9a8b7fd3c64e5593c360d1cc07e1adcbb5153c99d3663e039df830 |
| SHA512 | 8732bffecb8716d44be304e6bd4bfc1aef2798e94cd189b6d6ebee516683a4d9ca73b4b72f8611b287cd4ec77d36aff901990027d328e7004bce793e540f53f5 |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 823bcca9c935ea800696ed77173e2ff0 |
| SHA1 | 21e3f0a25b09b8f35038396c1a3581f16348587a |
| SHA256 | 570dbb7052fb5ab62fc50c1b08b3fb70de7bb5c1c9d3a3d416eb43af5c2ee43d |
| SHA512 | 13c14c753ece276677641e20f2c570a4ec2e9eae391bd283f179967068c9c76e3f3cb3fa310d80f393a5f3453cedf463ca38b53bc951df5f56ab08706c066828 |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 8ab967d8c9ce19137fe3dd8972145bb0 |
| SHA1 | 61cca8c6aa6cca9e13079b4e623ca3edb263f840 |
| SHA256 | 7c3a81500d6b6da929bff6063363d209583334731b61f11ea7ebc2d58a41ad1f |
| SHA512 | fcd55d7e551c853796e603cccd1617bf579aadaf74a0022e6f0e662f59ae5ae1a280f7b73f91188a2c4fa0ad5b64410b1da499f22463926c6eff1d0f0c054e23 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 4b2f43751aaae19dd2501d7d5e58aa71 |
| SHA1 | fd1463367417db8d04df4651cb6e99f723a517b8 |
| SHA256 | 2b86503a431c7cc11f57265784f2d382bce7ae2e214e6d5e559074d547bc9482 |
| SHA512 | 28d5c55e6a88b0bb2c2b3647b14a06e45c906cdb52d8ecf6068b1f22a1c91e571bf8748443537695a9c7775a833c814a3531c4039948fd042808b3f98c83e12c |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 7622917b8c55165e26c63b519c6d14e3 |
| SHA1 | 53980c7666559101172c1d8640f6164f502b674c |
| SHA256 | c70ce4fd971e207630b11813e7795d6cea2b3cd5a2605cced5cb3bee7d906f8f |
| SHA512 | 1aa76c47272e69656a50ef9cee672d7aa8221b54d10dddea2e9c8b2c84f27537171179c8523649d66f240bb1e65343bd24645cee166441932bb64b5dab5d4dd0 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 718d09d242f7a7a5b310b81795a31e14 |
| SHA1 | 7b266334d8b9da834fc53cbe514db82915fad9fa |
| SHA256 | 781ff6dd3bc71fb8bf2b3bd4f5c97427bd0284e0d01ed741683979851313eb30 |
| SHA512 | ebbf7be5544635a07d0c149108c577e9888bad316f3010c91fdd528e816c49836ce9c3e8898bee4fb34767a5d0a0628277c4c34b25293b85ed9103a9edd69b69 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | d70d2f4bf99988bfcd42a2dec2c74394 |
| SHA1 | 82858da696b9944ebeca4d1a6944c00e8ddb481e |
| SHA256 | 831af04d3271bfb737b711a977ea1a1e168e2410087d00e29c9af06f6f70d818 |
| SHA512 | b0914f32c29ae4d961d2ec2eb79acf0727b1e8f0b6fe6ceac802c0b19fd30eab8f7235235ace0dc72bc5f8baa55be1c30a9fc8af06b1fb284a4ddd417bc9cc9f |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | 10f76bd5f22a11489d508695098912d1 |
| SHA1 | ed83268acad189c77a19127e419d3880f3fbae3e |
| SHA256 | 9a9a45cb698eded6234e0a9c728912cceb5835b8e45b0c72961901143cf49ca8 |
| SHA512 | 1e774b57853fbf4115a1342ce53e5934e70a241174651a179ce5738abc232abee0016e01cf8e59d6bf73c11b8dc6ae416d9baaeffc62046447c6946f5102e483 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 6b24563428d009801ac0f6f4d73604f8 |
| SHA1 | 2f128885525b5587625199fa0cbf80127d2da737 |
| SHA256 | d0d4ada19bce6c3585fd613cb21a8dd872a43018cbd7b44f9c0e9271214a619c |
| SHA512 | 22c2eec38e486cf4902a9a7837923510151be0b5940523e94f27e0c8d867f7bae3a0687c50d3162761d3d0399912c2a8388d2e5d7c112b2265c542a6468ffef2 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | 3e688ff60d0a6680da7636a673e178be |
| SHA1 | 22cbb994bfc9d61e5ced3adb0df6a76bbec2bfc1 |
| SHA256 | c7d58f2993d8ff3eb87a7afff79a475f77a09cb708ae2759d88994d3df1c5dce |
| SHA512 | d9a318e94616d0f8a793cf214c93a2fb4eaeba3f6ebc8a4dbd126ea8a774e2c6da25ceb537f7e03026b5564d50f9b5c49fa05bb9e703bdcb86110c54f1349cf9 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
| MD5 | ac01bbb6daf315b092ca079c2f44adaf |
| SHA1 | 6bf9c383212db44f5f3d7f59cf89b700175fb832 |
| SHA256 | 9ce2aa9fab7456a4cb688d9a8ba1691a8dcbce2413db49394e0fbf1d38830cf3 |
| SHA512 | cbada56870163730e40157f3a386429d8fe5c22bec409482cf81ebf205f6598c04454354fa41e24c673806bb596258f18c02312b868c4212be25c278a1ede0ee |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
| MD5 | ca79af515df15db0bed33fb57863854a |
| SHA1 | ea6744f0f4d77ea4518a664d21b395b3989a864d |
| SHA256 | f89b4bdfb9fefd95ae4e385ad491c063aff18b7b2e26fac427f9010d3f68c85f |
| SHA512 | 4be4ffffe64a406baf4d9460669e52f648ef1b1f074e6c901913fbc016681d8933300b42c33a37f0da021a8f66b98d98688db00b42cb0a4384ed9c6e931bd0ef |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | a95b0955a32538473bf12ca643c511b1 |
| SHA1 | a9885033a2ab6eaa2770052c891b8f46aced3677 |
| SHA256 | 0708ec3279ea04022fc1406241fbdd4ad6bb69c576fa35a0ecb52dd02cfc02a7 |
| SHA512 | 3d159da54c83b28b1abe47b082142d964b34b407455b143794208b2b94f69f14e556e6a3a0f134b0885ed43a55c51c39d61461158009ed906e21f85fe817a9ec |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 608ed59e8f086b4fd201cdca60d1df1e |
| SHA1 | c08a2acbf00dc478c2d760020533345063155b2f |
| SHA256 | 0f12152cc7e18cc8a84b54c9a6f197335c555ca5a05b8a49e90a037d93296433 |
| SHA512 | 511ccbd215a63a4a296cedc6ab72cbc12efee71fecb2ff65d20359379ee8260eea3d5c77539773980579dc19ffe6eb3fe666146d22597adb2968885e4db78740 |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | a6131a65afe7804eb163889581799e0d |
| SHA1 | 4edb50190f46da699c644f5a4400c6b5de8cc650 |
| SHA256 | 346681fb97f2d42858171143d1427c57a3cc6b5d5b89ec6f065cdd6f63db19d8 |
| SHA512 | 8cf4fe8db7fc536e15b8dae63cf02de3178f8ee7c6f6da5ab03fc660ddfc83228326381dbb8fbdfd02c683c9dae8f9d600f88cb4ce04c51f392dd0584afe62c9 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 167e6ac5b68ab368e04ab53df19e5060 |
| SHA1 | 991c1f379267f585b5e492dd6dfa92c048f20112 |
| SHA256 | 70d35c68308c22c08f4fa0bcd4aade9d9a48006641610ce2cc5e2ea4a8fb4cca |
| SHA512 | 6cef79603f37921789f1e7286282f49009e4caa318df9a78a89e544881dd36204aa764c6aea26646daa0e08ec99cd35f4bb7cef612807a30a7071f5a84e20672 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 94d4cfbce2e61fac0cce4b2a20650298 |
| SHA1 | c757fa2a3caed57ce9ad7b00c9e5e2700234b3fa |
| SHA256 | 2413916238fdbf22f9b554e5426a2cb087622e60a7be1b818f59b54b01b8d5bd |
| SHA512 | 9f2ffdbde81af5cddcecb4ad1ce7c3c759563b47b5a09cd559179f57058e1ff7a061ab9ee1b1d01ae74d6ef067f1600d46af49e9994f8024823fa0d30a22f593 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | b3a17edea6d28f263eda8375d7a525a8 |
| SHA1 | 8ac6472c426218962d7832bf9198a16e415b3cb7 |
| SHA256 | ba03d529f80e7da991fc0d4b9bf8054658b1a84351d72565acaf765834f54e7e |
| SHA512 | e1b4ba5c4c89e19824fb5e1d0f953767d23c20eee2187a310e05531a8aa5f2eca26e0ed8797bb8bd7efa3efde6539f8985ad9a993769cde27c130281d1abab6c |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 50654821f564f37a995eaaa672c85604 |
| SHA1 | e68fddb1ec0321132172c9f3e1a7820db66d1778 |
| SHA256 | 8a4b205515b1a173727d1e1cf2965d45138acb59c612a3f7032c2e2d41bb90c5 |
| SHA512 | 8d089260506b05998eee16b8c760d346d6cc39d912f930ba501d6eee91eee2c19dd561527b9ce97c15a3580263a8fd94c0ce0ac5df5cf460eb5bf4a0d6f627cc |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | 7a34d676da89fec010d86e545d4c12e6 |
| SHA1 | b3279300963335aad1c62eff1b37c6ac37d42c6d |
| SHA256 | e7f70a126edfbb4752b9d75dc8c13631078af64ee65c811b943ce69349d44d69 |
| SHA512 | 7aa256b102d19a0a0357a907d6f264df089f1e1b437d968c7b5a73d0169c2e292ce026732a2f856f4b192152d8ba72de698d7dbeb6600e1b02b0e99a7e05ccb2 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | bfcac1b397163d3536ffb6cfbe93913a |
| SHA1 | 94e6256529c51e9cced24bf14d43c50e09d2b5de |
| SHA256 | ec713648fbcffcfa2c41756b6ee130d92b44957b303fa945ec59aa8abb097699 |
| SHA512 | fb2c597b2a62bb8d25ba3de58308d7dd3c1dac59af84918c71481fa1ac7fd7dcc6fd7d43d60b3ae6163ca8476492538a11a216c31f2cf23d10fab7e2a5d3f849 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 07a998e3ead9b474005b2164058eab78 |
| SHA1 | f2e52068cc3474cab4e5d8a5db39652da0d00c46 |
| SHA256 | f26064addfe60c881e57c419d36e994922e8f18fcd847fabd3def3b9b69ff3cf |
| SHA512 | 41677d408c92847bc01e26d840f7e1a5ce48890b380c1dc87550797f2a0e031da9a607543327267fccaf75959b037fdac2aaa4b9b9cb5eb2ecc807a6b07d9735 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:37
Reported
2024-04-07 23:40
Platform
win7-20240221-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_edc1a0695c73b670a44f388e57dfdcf9_ryuk.exe"
Network
Files
memory/2440-0-0x0000000140000000-0x00000001401DB000-memory.dmp