efc2d067cd9e2464db4cda9b055f2b786e25b64967eca89fd3a1f9d8fbc43cb7

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 22:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
Size

1.1MB
MD5

d80b31adb3afafb3ea37c0fcec9cdd2f
SHA1

aa61e2ff504f24cd26211afbf4c7a651ae377565
SHA256

efc2d067cd9e2464db4cda9b055f2b786e25b64967eca89fd3a1f9d8fbc43cb7
SHA512

5b7c03dd52a14b2a3ca1fca7f3e91705f71f143be9c7f90e483fa7be69275fc834f0cbe44190682410e6eb398381df8b71081a54004d8639094e847e25cc808e
SSDEEP

24576:DSi1SoCU5qJSr1eWPSCsP0MugC6eTu8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:TS7PLjeTugDUYmvFur31yAipQCtXxc0H

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4360	alg.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
1368	fxssvc.exe
3504	elevation_service.exe
3696	elevation_service.exe
2792	maintenanceservice.exe
2080	msdtc.exe
3496	OSE.EXE
2288	PerceptionSimulationService.exe
3692	perfhost.exe
1968	locator.exe
1628	SensorDataService.exe
1184	snmptrap.exe
2652	spectrum.exe
2020	ssh-agent.exe
4916	TieringEngineService.exe
3244	AgentService.exe
4144	vds.exe
3216	vssvc.exe
3060	wbengine.exe
2076	WmiApSrv.exe
2196	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\50859b1a92be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d64f64d1bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050c7f84d1bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061e87b4e1bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c76284e1bb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091bf934e1bb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044d90b4e1bb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe
2084	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3624	2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
Token: SeAuditPrivilege	1368	fxssvc.exe
Token: SeRestorePrivilege	4916	TieringEngineService.exe
Token: SeManageVolumePrivilege	4916	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3244	AgentService.exe
Token: SeBackupPrivilege	3216	vssvc.exe
Token: SeRestorePrivilege	3216	vssvc.exe
Token: SeAuditPrivilege	3216	vssvc.exe
Token: SeBackupPrivilege	3060	wbengine.exe
Token: SeRestorePrivilege	3060	wbengine.exe
Token: SeSecurityPrivilege	3060	wbengine.exe
Token: 33	2196	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2196	SearchIndexer.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeDebugPrivilege	4360	alg.exe
Token: SeDebugPrivilege	2084	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 392	2196	SearchIndexer.exe	111
PID 2196 wrote to memory of 392	2196	SearchIndexer.exe	111
PID 2196 wrote to memory of 640	2196	SearchIndexer.exe	112
PID 2196 wrote to memory of 640	2196	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2120

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1968

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2652

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2388

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:392
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:640

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

54.244.188.177
POST

http://pywolwnvd.biz/judxmrfuihgyerw

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

54.244.188.177:80

Request

POST /judxmrfuihgyerw HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: pywolwnvd.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:26 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8a358f9f8f9af8b81f2122e72fcc6672|191.101.209.39|1717023326|1717023326|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response
DNS

pywolwnvd.biz

alg.exe

Remote address:

8.8.8.8:53

Request

pywolwnvd.biz

IN A

Response

pywolwnvd.biz

IN A

54.244.188.177
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

177.188.244.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

177.188.244.54.in-addr.arpa

IN PTR

Response

177.188.244.54.in-addr.arpa

IN PTR

ec2-54-244-188-177 us-west-2compute amazonawscom
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

18.141.10.107
POST

http://ssbzmoy.biz/hxwsmerjepmvy

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

18.141.10.107:80

Request

POST /hxwsmerjepmvy HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6b094ac05aa650328c5e44ab4d329676|191.101.209.39|1717023327|1717023327|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response

ssbzmoy.biz

IN A

18.141.10.107
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A

Response
DNS

ssbzmoy.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ssbzmoy.biz

IN A
DNS

20.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

20.160.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

107.10.141.18.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.10.141.18.in-addr.arpa

IN PTR

Response

107.10.141.18.in-addr.arpa

IN PTR

ec2-18-141-10-107ap-southeast-1compute amazonawscom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

54.244.188.177
POST

http://cvgrf.biz/nx

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

54.244.188.177:80

Request

POST /nx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=28a56a5dab104cd51351f89479a7cebf|191.101.209.39|1717023328|1717023328|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response
POST

http://ssbzmoy.biz/jyp

alg.exe

Remote address:

18.141.10.107:80

Request

POST /jyp HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ssbzmoy.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=092fefd284e3076a2da9705715c964be|191.101.209.39|1717023332|1717023332|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
POST

http://npukfztj.biz/wvyrbymrgey

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

44.221.84.105:80

Request

POST /wvyrbymrgey HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=d929cff6f80f5310b3d36eb809904d2f|191.101.209.39|1717023330|1717023330|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

44.208.124.139

przvgke.biz

IN A

54.157.24.8

przvgke.biz

IN A

34.193.97.35
DNS

105.84.221.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.84.221.44.in-addr.arpa

IN PTR

Response

105.84.221.44.in-addr.arpa

IN PTR

ec2-44-221-84-105 compute-1 amazonawscom
DNS

105.84.221.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.84.221.44.in-addr.arpa

IN PTR
POST

http://przvgke.biz/bq

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

44.208.124.139:80

Request

POST /bq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906
POST

http://przvgke.biz/sdwgitlnnqkdekf

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

Remote address:

44.208.124.139:80

Request

POST /sdwgitlnnqkdekf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 906
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

18.141.10.107
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response
DNS

139.124.208.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

139.124.208.44.in-addr.arpa

IN PTR

Response

139.124.208.44.in-addr.arpa

IN PTR

ec2-44-208-124-139 compute-1 amazonawscom
DNS

cvgrf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

cvgrf.biz

IN A

Response

cvgrf.biz

IN A

54.244.188.177
POST

http://cvgrf.biz/uogldkngehoeqmyh

alg.exe

Remote address:

54.244.188.177:80

Request

POST /uogldkngehoeqmyh HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: cvgrf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:32 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=ef9b164b7e8f7fe8aef51e968b2dda56|191.101.209.39|1717023332|1717023332|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

npukfztj.biz

alg.exe

Remote address:

8.8.8.8:53

Request

npukfztj.biz

IN A

Response

npukfztj.biz

IN A

44.221.84.105
POST

http://npukfztj.biz/wjtpwqrxh

alg.exe

Remote address:

44.221.84.105:80

Request

POST /wjtpwqrxh HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: npukfztj.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=abe92712cbdfc052eb98bb9084bed87d|191.101.209.39|1717023333|1717023333|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

przvgke.biz

alg.exe

Remote address:

8.8.8.8:53

Request

przvgke.biz

IN A

Response

przvgke.biz

IN A

44.208.124.139

przvgke.biz

IN A

54.157.24.8

przvgke.biz

IN A

34.193.97.35
POST

http://przvgke.biz/l

alg.exe

Remote address:

44.208.124.139:80

Request

POST /l HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
POST

http://przvgke.biz/labhmwymft

alg.exe

Remote address:

44.208.124.139:80

Request

POST /labhmwymft HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: przvgke.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782
DNS

zlenh.biz

alg.exe

Remote address:

8.8.8.8:53

Request

zlenh.biz

IN A

Response
DNS

knjghuig.biz

alg.exe

Remote address:

8.8.8.8:53

Request

knjghuig.biz

IN A

Response

knjghuig.biz

IN A

18.141.10.107
POST

http://knjghuig.biz/qhkdpt

alg.exe

Remote address:

18.141.10.107:80

Request

POST /qhkdpt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:55:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=66352b9bd819bb3ee5481cbaaeed9e79|191.101.209.39|1717023335|1717023335|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

uhxqin.biz

alg.exe

Remote address:

8.8.8.8:53

Request

uhxqin.biz

IN A

Response
DNS

anpmnmxo.biz

alg.exe

Remote address:

8.8.8.8:53

Request

anpmnmxo.biz

IN A

Response
DNS

lpuegx.biz

alg.exe

Remote address:

8.8.8.8:53

Request

lpuegx.biz

IN A

Response

lpuegx.biz

IN A

82.112.184.197
DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

vjaxhpbji.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vjaxhpbji.biz

IN A

Response

vjaxhpbji.biz

IN A

82.112.184.197
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response
DNS

xlfhhhm.biz

alg.exe

Remote address:

8.8.8.8:53

Request

xlfhhhm.biz

IN A

Response

xlfhhhm.biz

IN A

44.200.43.61
POST

http://xlfhhhm.biz/lq

alg.exe

Remote address:

44.200.43.61:80

Request

POST /lq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=1e16deda5d9dd9fc8190aa02aab0b1d4|191.101.209.39|1717023420|1717023420|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

ifsaia.biz

alg.exe

Remote address:

8.8.8.8:53

Request

ifsaia.biz

IN A

Response

ifsaia.biz

IN A

13.251.16.150
POST

http://ifsaia.biz/lcwihkuoqfwb

alg.exe

Remote address:

13.251.16.150:80

Request

POST /lcwihkuoqfwb HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=cb910bd02471393ca8665958fc0fcf9d|191.101.209.39|1717023421|1717023421|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

saytjshyf.biz

alg.exe

Remote address:

8.8.8.8:53

Request

saytjshyf.biz

IN A

Response

saytjshyf.biz

IN A

3.237.86.197
POST

http://saytjshyf.biz/gjvwvftcqyjarge

alg.exe

Remote address:

3.237.86.197:80

Request

POST /gjvwvftcqyjarge HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c14e0daa1ab4a6942aad7a6ab6f8592c|191.101.209.39|1717023421|1717023421|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

61.43.200.44.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.43.200.44.in-addr.arpa

IN PTR

Response

61.43.200.44.in-addr.arpa

IN PTR

ec2-44-200-43-61 compute-1 amazonawscom
DNS

vcddkls.biz

alg.exe

Remote address:

8.8.8.8:53

Request

vcddkls.biz

IN A

Response

vcddkls.biz

IN A

18.141.10.107
POST

http://vcddkls.biz/ctlqu

alg.exe

Remote address:

18.141.10.107:80

Request

POST /ctlqu HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=2fa3ccf8cd17b406dcbe20ed144384ec|191.101.209.39|1717023422|1717023422|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

150.16.251.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

150.16.251.13.in-addr.arpa

IN PTR

Response

150.16.251.13.in-addr.arpa

IN PTR

ec2-13-251-16-150ap-southeast-1compute amazonawscom
DNS

197.86.237.3.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.86.237.3.in-addr.arpa

IN PTR

Response

197.86.237.3.in-addr.arpa

IN PTR

ec2-3-237-86-197 compute-1 amazonawscom
DNS

fwiwk.biz

alg.exe

Remote address:

8.8.8.8:53

Request

fwiwk.biz

IN A

Response

fwiwk.biz

IN CNAME

77980.bodis.com

77980.bodis.com

IN A

199.59.243.225
DNS

tbjrpv.biz

alg.exe

Remote address:

8.8.8.8:53

Request

tbjrpv.biz

IN A

Response

tbjrpv.biz

IN A

34.246.200.160
POST

http://tbjrpv.biz/fuqfinxkqnac

alg.exe

Remote address:

34.246.200.160:80

Request

POST /fuqfinxkqnac HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: tbjrpv.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=8718a182ef7df035e3c14388e332bfbc|191.101.209.39|1717023465|1717023465|0|1|0; path=/; domain=.tbjrpv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

deoci.biz

alg.exe

Remote address:

8.8.8.8:53

Request

deoci.biz

IN A

Response

deoci.biz

IN A

54.80.154.23
POST

http://deoci.biz/bf

alg.exe

Remote address:

54.80.154.23:80

Request

POST /bf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: deoci.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=d93e27fd101439a7affb0a42a7c424f0|191.101.209.39|1717023465|1717023465|0|1|0; path=/; domain=.deoci.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

gytujflc.biz

alg.exe

Remote address:

8.8.8.8:53

Request

gytujflc.biz

IN A

Response

gytujflc.biz

IN A

208.100.26.245
POST

http://gytujflc.biz/cwdabtrxmvf

alg.exe

Remote address:

208.100.26.245:80

Request

POST /cwdabtrxmvf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 29 May 2024 22:57:45 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
POST

http://gytujflc.biz/osvaiswaytde

alg.exe

Remote address:

208.100.26.245:80

Request

POST /osvaiswaytde HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: gytujflc.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 404 Not Found

Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 29 May 2024 22:57:45 GMT
Content-Type: text/html
Content-Length: 580
Connection: keep-alive
DNS

qaynky.biz

alg.exe

Remote address:

8.8.8.8:53

Request

qaynky.biz

IN A

Response

qaynky.biz

IN A

13.251.16.150
DNS

160.200.246.34.in-addr.arpa

Remote address:

8.8.8.8:53

Request

160.200.246.34.in-addr.arpa

IN PTR

Response

160.200.246.34.in-addr.arpa

IN PTR

ec2-34-246-200-160 eu-west-1compute amazonawscom
DNS

23.154.80.54.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.154.80.54.in-addr.arpa

IN PTR

Response

23.154.80.54.in-addr.arpa

IN PTR

ec2-54-80-154-23 compute-1 amazonawscom
DNS

245.26.100.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

245.26.100.208.in-addr.arpa

IN PTR

Response

245.26.100.208.in-addr.arpa

IN PTR

ip245 208-100-26staticsteadfastdnsnet
POST

http://qaynky.biz/hnskvesdhwldgi

alg.exe

Remote address:

13.251.16.150:80

Request

POST /hnskvesdhwldgi HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: qaynky.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=970ae900131a518aef2423fab1210036|191.101.209.39|1717023466|1717023466|0|1|0; path=/; domain=.qaynky.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

44.221.84.105
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response

bumxkqgxu.biz

IN A

44.221.84.105
DNS

bumxkqgxu.biz

alg.exe

Remote address:

8.8.8.8:53

Request

bumxkqgxu.biz

IN A

Response
POST

http://bumxkqgxu.biz/ipmfkq

alg.exe

Remote address:

44.221.84.105:80

Request

POST /ipmfkq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: bumxkqgxu.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

Response

HTTP/1.1 200 OK

Server: nginx
Date: Wed, 29 May 2024 22:57:48 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=30987c6b3ec835604082b824c3953739|191.101.209.39|1717023468|1717023468|0|1|0; path=/; domain=.bumxkqgxu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=191.101.209.39; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
DNS

dwrqljrr.biz

alg.exe

Remote address:

8.8.8.8:53

Request

dwrqljrr.biz

IN A

Response

dwrqljrr.biz

IN A

54.244.188.177
POST

http://dwrqljrr.biz/kopnkrrvslxpxxl

alg.exe

Remote address:

54.244.188.177:80

Request

POST /kopnkrrvslxpxxl HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: dwrqljrr.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 782

54.244.188.177:80

http://pywolwnvd.biz/judxmrfuihgyerw

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.5kB
669 B
6
6

HTTP Request

POST http://pywolwnvd.biz/judxmrfuihgyerw

HTTP Response

200
18.141.10.107:80

http://ssbzmoy.biz/hxwsmerjepmvy

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.5kB
667 B
6
6

HTTP Request

POST http://ssbzmoy.biz/hxwsmerjepmvy

HTTP Response

200
54.244.188.177:80

http://cvgrf.biz/nx

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.5kB
665 B
6
6

HTTP Request

POST http://cvgrf.biz/nx

HTTP Response

200
18.141.10.107:80

http://ssbzmoy.biz/jyp

http

alg.exe

1.4kB
667 B
7
6

HTTP Request

POST http://ssbzmoy.biz/jyp

HTTP Response

200
44.221.84.105:80

http://npukfztj.biz/wvyrbymrgey

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.6kB
668 B
7
6

HTTP Request

POST http://npukfztj.biz/wvyrbymrgey

HTTP Response

200
44.208.124.139:80

http://przvgke.biz/bq

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.4kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/bq
44.208.124.139:80

http://przvgke.biz/sdwgitlnnqkdekf

http

2024-05-29_d80b31adb3afafb3ea37c0fcec9cdd2f_ryuk.exe

1.4kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/sdwgitlnnqkdekf
54.244.188.177:80

http://cvgrf.biz/uogldkngehoeqmyh

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://cvgrf.biz/uogldkngehoeqmyh

HTTP Response

200
44.221.84.105:80

http://npukfztj.biz/wjtpwqrxh

http

alg.exe

1.4kB
668 B
6
6

HTTP Request

POST http://npukfztj.biz/wjtpwqrxh

HTTP Response

200
44.208.124.139:80

http://przvgke.biz/l

http

alg.exe

1.3kB
172 B
4
4

HTTP Request

POST http://przvgke.biz/l
44.208.124.139:80

http://przvgke.biz/labhmwymft

http

alg.exe

1.4kB
172 B
6
4

HTTP Request

POST http://przvgke.biz/labhmwymft
18.141.10.107:80

http://knjghuig.biz/qhkdpt

http

alg.exe

1.4kB
668 B
6
6

HTTP Request

POST http://knjghuig.biz/qhkdpt

HTTP Response

200
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

lpuegx.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
82.112.184.197:80

vjaxhpbji.biz

alg.exe

260 B
5
44.200.43.61:80

http://xlfhhhm.biz/lq

http

alg.exe

1.4kB
659 B
6
6

HTTP Request

POST http://xlfhhhm.biz/lq

HTTP Response

200
13.251.16.150:80

http://ifsaia.biz/lcwihkuoqfwb

http

alg.exe

1.4kB
658 B
6
6

HTTP Request

POST http://ifsaia.biz/lcwihkuoqfwb

HTTP Response

200
3.237.86.197:80

http://saytjshyf.biz/gjvwvftcqyjarge

http

alg.exe

1.4kB
661 B
6
6

HTTP Request

POST http://saytjshyf.biz/gjvwvftcqyjarge

HTTP Response

200
18.141.10.107:80

http://vcddkls.biz/ctlqu

http

alg.exe

1.4kB
667 B
6
6

HTTP Request

POST http://vcddkls.biz/ctlqu

HTTP Response

200
128.232.96.0:80

alg.exe

260 B
5
128.232.96.0:80

alg.exe

260 B
5
34.246.200.160:80

http://tbjrpv.biz/fuqfinxkqnac

http

alg.exe

1.4kB
666 B
6
6

HTTP Request

POST http://tbjrpv.biz/fuqfinxkqnac

HTTP Response

200
54.80.154.23:80

http://deoci.biz/bf

http

alg.exe

1.4kB
665 B
6
6

HTTP Request

POST http://deoci.biz/bf

HTTP Response

200
208.100.26.245:80

http://gytujflc.biz/osvaiswaytde

http

alg.exe

2.6kB
1.7kB
7
6

HTTP Request

POST http://gytujflc.biz/cwdabtrxmvf

HTTP Response

404

HTTP Request

POST http://gytujflc.biz/osvaiswaytde

HTTP Response

404
13.251.16.150:80

http://qaynky.biz/hnskvesdhwldgi

http

alg.exe

1.4kB
658 B
6
6

HTTP Request

POST http://qaynky.biz/hnskvesdhwldgi

HTTP Response

200
44.221.84.105:80

http://bumxkqgxu.biz/ipmfkq

http

alg.exe

1.4kB
669 B
7
6

HTTP Request

POST http://bumxkqgxu.biz/ipmfkq

HTTP Response

200
54.244.188.177:80

http://dwrqljrr.biz/kopnkrrvslxpxxl

http

alg.exe

1.4kB
92 B
6
2

HTTP Request

POST http://dwrqljrr.biz/kopnkrrvslxpxxl
35.164.78.200:80

alg.exe

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

pywolwnvd.biz

DNS Response

54.244.188.177
8.8.8.8:53

pywolwnvd.biz

dns

alg.exe

118 B
193 B
2
2

DNS Request

pywolwnvd.biz

DNS Request

pywolwnvd.biz

DNS Response

54.244.188.177
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

177.188.244.54.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

177.188.244.54.in-addr.arpa
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

ssbzmoy.biz

DNS Response

18.141.10.107
8.8.8.8:53

ssbzmoy.biz

dns

alg.exe

171 B
130 B
3
2

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz

DNS Request

ssbzmoy.biz

DNS Response

18.141.10.107
8.8.8.8:53

20.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

20.160.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

107.10.141.18.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

107.10.141.18.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

54.244.188.177
8.8.8.8:53

npukfztj.biz

dns

alg.exe

174 B
206 B
3
3

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz

DNS Request

npukfztj.biz

DNS Response

44.221.84.105

DNS Response

44.221.84.105
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
105 B
1
1

DNS Request

przvgke.biz

DNS Response

44.208.124.139

54.157.24.8

34.193.97.35
8.8.8.8:53

105.84.221.44.in-addr.arpa

dns

144 B
127 B
2
1

DNS Request

105.84.221.44.in-addr.arpa

DNS Request

105.84.221.44.in-addr.arpa
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

174 B
190 B
3
3

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz

DNS Request

knjghuig.biz

DNS Response

18.141.10.107
8.8.8.8:53

139.124.208.44.in-addr.arpa

dns

73 B
129 B
1
1

DNS Request

139.124.208.44.in-addr.arpa
8.8.8.8:53

cvgrf.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

cvgrf.biz

DNS Response

54.244.188.177
8.8.8.8:53

npukfztj.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

npukfztj.biz

DNS Response

44.221.84.105
8.8.8.8:53

przvgke.biz

dns

alg.exe

57 B
105 B
1
1

DNS Request

przvgke.biz

DNS Response

44.208.124.139

54.157.24.8

34.193.97.35
8.8.8.8:53

zlenh.biz

dns

alg.exe

55 B
117 B
1
1

DNS Request

zlenh.biz
8.8.8.8:53

knjghuig.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

knjghuig.biz

DNS Response

18.141.10.107
8.8.8.8:53

uhxqin.biz

dns

alg.exe

56 B
118 B
1
1

DNS Request

uhxqin.biz
8.8.8.8:53

anpmnmxo.biz

dns

alg.exe

58 B
120 B
1
1

DNS Request

anpmnmxo.biz
8.8.8.8:53

lpuegx.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

lpuegx.biz

DNS Response

82.112.184.197
8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

vjaxhpbji.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

vjaxhpbji.biz

DNS Response

82.112.184.197
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa
8.8.8.8:53

xlfhhhm.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

xlfhhhm.biz

DNS Response

44.200.43.61
8.8.8.8:53

ifsaia.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

ifsaia.biz

DNS Response

13.251.16.150
8.8.8.8:53

saytjshyf.biz

dns

alg.exe

59 B
75 B
1
1

DNS Request

saytjshyf.biz

DNS Response

3.237.86.197
8.8.8.8:53

61.43.200.44.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

61.43.200.44.in-addr.arpa
8.8.8.8:53

vcddkls.biz

dns

alg.exe

57 B
73 B
1
1

DNS Request

vcddkls.biz

DNS Response

18.141.10.107
8.8.8.8:53

150.16.251.13.in-addr.arpa

dns

72 B
140 B
1
1

DNS Request

150.16.251.13.in-addr.arpa
8.8.8.8:53

197.86.237.3.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

197.86.237.3.in-addr.arpa
8.8.8.8:53

fwiwk.biz

dns

alg.exe

55 B
100 B
1
1

DNS Request

fwiwk.biz

DNS Response

199.59.243.225
8.8.8.8:53

tbjrpv.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

tbjrpv.biz

DNS Response

34.246.200.160
8.8.8.8:53

deoci.biz

dns

alg.exe

55 B
71 B
1
1

DNS Request

deoci.biz

DNS Response

54.80.154.23
8.8.8.8:53

gytujflc.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

gytujflc.biz

DNS Response

208.100.26.245
8.8.8.8:53

qaynky.biz

dns

alg.exe

56 B
72 B
1
1

DNS Request

qaynky.biz

DNS Response

13.251.16.150
8.8.8.8:53

160.200.246.34.in-addr.arpa

dns

73 B
137 B
1
1

DNS Request

160.200.246.34.in-addr.arpa
8.8.8.8:53

23.154.80.54.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

23.154.80.54.in-addr.arpa
8.8.8.8:53

245.26.100.208.in-addr.arpa

dns

73 B
127 B
1
1

DNS Request

245.26.100.208.in-addr.arpa
8.8.8.8:53

bumxkqgxu.biz

dns

alg.exe

177 B
209 B
3
3

DNS Request

bumxkqgxu.biz

DNS Request

bumxkqgxu.biz

DNS Request

bumxkqgxu.biz

DNS Response

44.221.84.105

DNS Response

44.221.84.105
8.8.8.8:53

dwrqljrr.biz

dns

alg.exe

58 B
74 B
1
1

DNS Request

dwrqljrr.biz

DNS Response

54.244.188.177
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7bf5db34baa57687974ecb08f0f63e08

SHA1
9250ee040e67a96d02ebb26e68753d236c16c971

SHA256
9a092d44e24428c9f1c86fa15092103179730998832f1fe7d4740ad934f2d28a

SHA512
cd050142a8893d36eb2bdc5eb8250e274a9a7d5eb0033c25cbe39b64282eea6b2a183b93e6fef69378ae39a44d7b352329b42d4d5c3aa67ba874672e00b190ea

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
202a65f191aa0b13cb982dea30b6517e

SHA1
1a085b9b306223ff47b6712b5ef84c8512663e2c

SHA256
1a1b61354c436fcb19f6eff10b4708aa17722b9e80340a2b340087efde988e76

SHA512
eb6cb9c12e68c0d7b81359194197a963e61c8447dbee34953cc920e3c907971e3fe0e726842c663b69c71885beaf38b63fa450faee3a65fef9ca7ed6d27820ad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c333c932a468d3f16bae4a270b75d5e2

SHA1
75fc1b2529bcef4bc1bdf257707bac19c1b6fd6b

SHA256
583e9f08f376237b2b047e8e1e45e86496ccda5ac59278cd7c7b0fbdd4de94fb

SHA512
efe877f521da9556cbd09e2cfdfa8b4b90714a0a8ed422848499f28623b1f125c7f2ef085988dbaf045924881dac73f6d4a0cf02386b12ec39b98a02dbacf41c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
33f202f35e4819db922264f744e0ebe9

SHA1
147c2d24d2dcc3d536089c48ddd4999bfac44fc0

SHA256
50582974ec901874dcd6a1de2d085eacceaf5b62a5e3dd780a6211dc74eb7d8b

SHA512
14f8176c722dc6986bb9812a5af67456df78eef3a78c5a2e1ec8772af2b406b64a639622d4a7c30ce16eb9045e6f477a8b20df2b96047f3b253a0bc28ef86d1d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eb837ec00769745dbb68c234d65b57de

SHA1
c7419874e14370d41523448dce7eb1b61c837622

SHA256
f78d53f8cbee82951df047a5fb0ec387069d5e5284aeac3cdec014adcec2ac7a

SHA512
630ee3772297c441a3c0bec90cb4c23c931bc158f002acf8a25c0436043f23703ce52dbad945aabfb0ab277632220c24ce61e17a2b103bb4ff7e7644208a0080

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cc81d6cade3c0b2e0a1ceee726047d4d

SHA1
82c271245be028c089026418a5881d5e71a7961f

SHA256
f6062df0af7299773065d14031c8e1afa5498239f886846dda9ed598fab44f7f

SHA512
c2a2cc617832f259336477e62a602026fc61ddedb39139f99d1b4a4a557cd7dccdb5fa85a180e502d1ef0b655f1b011e19c03a4c9edd6b33950cbd29fd363343

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5889fc5dfe3dca0a32131a6ce025c996

SHA1
47171d6259dfad06d6b45d5f6bd6cabe3f4a62e2

SHA256
c1dc750bb348aa2ff7c2f04d8cb51253e2bf51e69be9ad252b42a0496f2eaa89

SHA512
16a373f1bece1533f1da37cce074c834532db9003f41c1bb318f912544603cfa89cc35ab7b1bb37c9f8a4390321d7e5abd840c0578f988d6e775e5c110858c30

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7d4fa3b862d085901ed64ffce96e3a1b

SHA1
849919639e50d223ebfa6703f3dc922c257e3b68

SHA256
4ee00b166264762498876b6484f53c5f7024376885315432818749a73aca5810

SHA512
6c7f2c5f69078652255fa3f2fd50c45d3e97fb069e5495bb36f8a518a07afac21d7b8651c0283fc7841539720b6fea59dc083d92ad2d242bd7fe348bedf4bdd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
48f92b6150da0740a45c8989adce3652

SHA1
bcde3f106808727f8761d5a66b633d4995a7cf71

SHA256
2cf6c8d7847c40b3216a9a124e501a1db2b845d58055d29a5e0aafb619b1786f

SHA512
370c94a9e77fc20bd6bcd9c1a153c3b3c6875fc3d6db2bff8cf3e894fb2dd9fa023c1a2daae65edeac83f005e337c7401f25455de05ab5d93747c8a9e926dad1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
42637b57abe346b269a57cd049484ef1

SHA1
4ba6523ae78f814e7e56fed06638fc617794d61f

SHA256
ef18cf3e4c14d98ea7892b63838256a6260b77774787bc80b54901298676f9b0

SHA512
84b45e6c0f2cfd8cc352bca79b117fa869fe676fd14b5a730f7a768211253e65da2d070849632e73d7f9b8aa143f7c243beda460e533afdea36285d4450db8e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
071ceb1307ba3d32b5a19362a7f262ab

SHA1
9c91aadfa767278bc6b1514ab6bb7ed2411c4761

SHA256
d14dfc1faae86ee00c8e5ec1ca5f644dd25ba8b595a379ce183c7a6b3899adaf

SHA512
04b54090f735d0fc87ee1ec1173e2d585684c819e5a8875733bf88ec85fa35ceee1a40c7b7c47698608f0c462ffe8b4ddda568c8b142ea002297733efcf40ee5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fcb972da6f588c7accb7cc52938c3978

SHA1
621ce926b7bee0386aa6da4aab8a4deb2f086c26

SHA256
7c059c6982ce3dff8a528df50567501930f97e8ecb58b9a56e886eb65359da03

SHA512
5c4701e9fcf2006a3795e257b0002b5dced1f6d70ec7308a3bcd30aff47f08d7826f07ea17b58f8a131540a9c4d60098e89bbdda2cb2c0449eb710f14bf42717

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3455b62e1711474ad802e86ad01d5d33

SHA1
6629a88fcf9b26b077565afc2311e24b91bff078

SHA256
93c2acfef6105de70c8d00e16ff00aa1b3a5e0a803c7b082464fe38936fac4f2

SHA512
312bc64d53f9f77939b8d57e359e70aab024b7e2bad7698a2517705c54e8888bb90dba7348a155cddf794af624dbf56a455056e8d2a8274e1964c9426b40ae8d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b769483c2e14e7c713a1b35c1f37060d

SHA1
aebc1fd00d550dba0d0e6efe9493eb1f1bd304f8

SHA256
35359fcd6ebfaa2052757d946f51d7edce57ebe40dbb4fba505b02391294b4b2

SHA512
6decb1f9b38e4e3d8607b201ac2713404952a7b860d55c71eb7866127fd612812d076943412255e2622f55f3764bbe84c02faeab562e32a16c03f3d58ea2a8b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a9bea635627f83455f9d1f1c59c5ebba

SHA1
d65965eff77a7cc5a2cef5f6161b04e01fcec1b6

SHA256
8483c9704686b50e4ac2ef838a55834fdbe5a20b66388c69e7665fb12045e772

SHA512
01a5395754ec9ffef2f448b8f08eec8883978089fdb3c0817eb560c77c5cd275db37e14b6ee02e190ac26ce3dc1900ad0037c3f519e80d745cca27d6ceaa32e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9fbc011c1243f9cb8150afc1fc09ec75

SHA1
240832fcda15d747b400f1248890e7d31374a400

SHA256
77934ca9977c814c4184c34bc2f92adbe65d9e28d09a393de18f70d16717c732

SHA512
c179312551362b7d8e1fb4b20af49694b6649eed032a12d6a85a319a7b87e9569f4d03e0c471f2204967d819c863fa33b2e49b5a7591e157412a344b1da30a40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
315a01e2ee16141f199e08d2eead8d08

SHA1
03e7549ed9ec287a82f909f476dac63b363f9c1e

SHA256
1c340fafd9987cd57237e8ee0204c800e614fa76ec26d1d82e981f204297b2e0

SHA512
5ec17bd3195e928b6d7ddcb9f1d6e6dfa3af38b258f83fcd757814ba97f1b9312edb96cfcc31379dfb16ffc487235b64bd6128c1fbf92bfceb1729bef011075c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
03a101dec5d3f73ac14dfddf7c04b998

SHA1
359db748ec62946b0f1532b2268ca3c9dbbbd0ae

SHA256
42c7c6d618282100a0f2c08d47836d4543000217658a07be10b3e038bb378da0

SHA512
f26857af4c6f74ee1ea63dfb4065d83705ec0590e9b6f858b91ffaf8f220aa346529216590ca1264edc930eab1ebaeb053746c73494ab99966728c4a37fe66ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
994b8bc7f8c4e00a5866ec02b1dfb434

SHA1
13f59b996ae148ac08020c961f7113879afd700d

SHA256
5ad045649a6691aab67895de8d371c22b715dfe1561e33ba2b122d091e75c4a3

SHA512
d30a03000b47b93aca8ef396794b6e7db3b270a7df7abce3e2e04546e0040834a9f1a2b4df570c86886ee00c5dcf7e83dc536e1874cd3ea24c706efab35ad549

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
7b244689975ad9c628af5a073970a1cf

SHA1
21f225d1a0ec9d934bf092a2b60dae050c20b4a0

SHA256
cc09f9123e420217d7ba5fed9b505e77a319f91d1eb792bafec054a4aa625c3f

SHA512
988bc5838bbc24fcd43987ce99fd5f8e8ffe1fbc1a5d9ed3afaff71be0953d7bc7896a49250b7dc2b9f45e3c9e255ffc2b15a3d3827446d9d71a10702c4e5a5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2fb39a6f593da37d990ce830ffbea6ee

SHA1
17c14cbd80bb0c7a407ea9580632144b0e73bf8b

SHA256
82fa01fac04334cd4529b89306c2bd4c809d7bded1001639519d9701cd4ee29a

SHA512
4e605cf607c1e051f73990a5d4f2dd856afc9b0001837047d002e935f1fd57739c29bd0f4802958c1249ba1923a7e8b41104ff976335baaa70cca5375915e1ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
86446e0aa83983a015538c3abc7fa1bc

SHA1
7b8ab5fcdd8a0fda3c8c3875908066d691bc9b24

SHA256
dd7c7a2144edb5d35de6aff4363d403158d9982d0e923c15d9be4515018768b0

SHA512
2935e49aef25395209de3a86694c1484d183afcb988b22ddd0faa34d34fbc19de843b06245ab72b29848f1ea6e9c8c4120f8c25a528d433ef010fd429855206e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
82bbf7d114b97ec1251bca86d4f9d3c4

SHA1
a181fac367dd7e54a05443c391a29cd871810a39

SHA256
956fbbadac3bb72eb7d493ef72867492a7463335a12b279e9fda319a96fdfbe3

SHA512
4d4e67361e4d61f6bf28c0f04ce42af96a103266b66acbf4d183e11924a8b06cd8167cced10105d1c2f247219701f775b3d8d040f8244319855e9d50577e7ed1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2ce6e8e8e2e8c23b14c492c97aedf8fb

SHA1
d9c9ebc9371d67e0e802d7538b9f5dfd87601571

SHA256
7301aa62315e61d944507ec5e36630c4c7cfbed0a827af31ac23267dc3ae9811

SHA512
e59851199f080eb084145301929c97c3fe0ee95c2d0ba224928a8191a27e10882bcaebd9602b08f5fc8e37f4a48025cb933a5e600fb0133af8308075ed208ca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2b750aadf1cae44c62bb202c92fbc7c5

SHA1
ee5051f881f34f072e675c469f19203e7d641053

SHA256
dade7633f6530ac5b6132818e5b39f6dfa121ab345cb44346b2728e9e37ea684

SHA512
af5fd4c466cc17dcdc236d69b0729be77bf7557d997aa1ea69c64e815bdf1d16e574eb62cedcdc4d28fbe1219e174ab9beba2de2186d1e294c2092f0bfb0b21a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4874b81c70b3d6d567993534b331c856

SHA1
c7f66654d0064608a3973b7f1446b026a1647d90

SHA256
fb1f4b8801b51c2aacbd86a238c33e781ac7b57e5fa40b5c07742c1e2a4c3f91

SHA512
3aebab85ab645ea3c985918aa0d9a6e38f87385121fa013d831bcff6f482dcce16c69b41cc23489275d521c582a3a57d65dc24520ba316fd239f3d491ff27826

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
37fc808c1e60479d8c329650bab6f35d

SHA1
a03c09251cbb7153aa006b16b40ca9dca375d9d9

SHA256
aee98e36807e06542e91040ad7f3df9ac6fc5f9d3c3bc06809678b60c9dc6b0d

SHA512
4107661b3691cafbcee05e4c053b0146cacbb705a580830d7d2ffa52d3c61b195061fb6b908389a69e7df33bbf10a4b320d30027b711f0581fbcccb9cc259c6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
59403f1ab01153e6695ee351e200e3b8

SHA1
b9e17e16c4e187e59acf7a6cb241b314e5952665

SHA256
3a7f44653b912717bfeb35e716ce72085044ee7c7c84caa900edbfb8ca19920a

SHA512
a68dcaa374087ea623fa58b88cc42243cbe8d702d807dac9bceea6ab27bf9bf1fdc2bfb8e0a17948ec1d12651cc497a468eeccc10acc4943d7680e6b2931f06e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
2d12eb1405489a3d979e05d9acdb30ff

SHA1
ebe30a848763dae990ce0e752f9574b6cd939ba2

SHA256
b1543fd3cf8bc3cca327b79953ad98dbae63af2453f1c9754ef3cac8ebe6328a

SHA512
c0d27c67d9a4f023afffb211b6b9c109e2a56a0f33367783dc5ce8a865d64fe6ea48053cbd430627f836389d1b7709ecb061f870e59825f9109bdc061937c8ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
811a21e961f3a0465062620659d45f79

SHA1
3018238fa64453e150e79b1dd1bf5ad86827ad06

SHA256
a976517c11080efbaa683cd49d828b4b87a2fa36f3f7227ae27834e534c07997

SHA512
676f8d2841540592e1be025a0cc2faf8bf7d1028e151b1e0ea5ab25640a30e280e2936adb6d04b48b5ea62b0659ddac6de636f0afaf96b473567cab0a6366d9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
33e03a99dc71642b09049913f2a629ca

SHA1
8bf202491158f13d938d2ac96316b1fbb684fd95

SHA256
169d3fea0689af7228fbe3a7457515588512a37d6d9458739b86b813b1bf0319

SHA512
3bf56435b44719005e82973001d29dad479bf8536ee780979d28b6f52976fc7b62f309137e297487ec06fa2e6f645dd848b842333dcb3dab3592ac7d31f64c64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
06554cd970cae21181896332475ad72c

SHA1
16feb3d7b1f76b1da87cfbb665199448ea5234d7

SHA256
ae39d8e9323ba5787bb10c16efc253f2d5ef7c879127eb45d333d7b627da501e

SHA512
8c2a2706e5d4f359968272fd3c8c64fc82ceaa8126d64eef07ac800db3db271560a1f8e8c5030b0aca1a83780e3f889ae919ad023fdcdb81930016e18ad805e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ec11fcf2ed514f1a7db084d33919e788

SHA1
0df06b6bb4e24d1a04ae5bf2a0d40c932a480f8d

SHA256
97cb29d074678c9c3e6f76ddd2c61fbd5c46946a3cc8a9878bc776f355538059

SHA512
15ca4feee23b8aaf0b8c2561709a260f07583a06be06d19dd0cb24dafc6c5082396cab733c025c524e03f1ce11ff26566fb3af0e0bbb55c882ee3ded9605fa9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a1247a75e3a15b96247e178a11ad9239

SHA1
238755c448adc9fbb82ac9d5172636b10d931b31

SHA256
696ab87285e988670b3504ede9a38aabeef9aa3ced65b434aea395929fd0d18a

SHA512
3f4573b8a7a93adeb62642b267ce007fd2ec6b711438ac70f7a190409c6e339c7b6d0d1e956b8ba89ab4398379a0e4bb4f440bf5121b4c310301a7709ec94982

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
43e1207733dd16e0b3d07094e7e39185

SHA1
fd9e3505ac47e13eb8a19a54e7fbf36b568836ed

SHA256
9023fe82976a83b23139ece8f813a7c151e89f6ce00946f8c11071a03c4455c6

SHA512
d5b4f948556b063d25d2f2b1d6d4e839990df12cfe787d3d7a6738158d32a1a0115e9356b33e4d68c449aaf01a4bd95c2e0e5c02389150cbcbb91e6e59ab31ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e7ef5d76da466a68f722a481aa30615a

SHA1
0a5df34018ddf71ef2273f5826ac23501d46ccbf

SHA256
f573767929b6b0c0e6ee1d85f35acb15f51503d8240cd53240ea6549ba6fb600

SHA512
f9538fdec685bcdaf758693dc632425f9f8b9a72dad21c281731f6185be5d18915b8f7392f51853095501c31db51c1c913c657df64159bef26e1ae8b3a5ade49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
207cf50f97ec30be4ad72dccea7bc2bb

SHA1
59c8177b659917793ad774a5f45e556b3f5b8083

SHA256
2da5182f67615d9218ba8f5eb3fe0246506bbbaae18fc2b3914b4bbd98565b5e

SHA512
bbf4e01b8b0884a092c357d3e066f113ef866f8ff6d17c9a4729fae238694b0f13065171c8e41637d3b69c4504fb7ec1dc525de59de173e3b84a834210dc6aa8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
448b51f110ee181d42615f3aa1905e75

SHA1
1f4cad15b4333f36241f7a50cf29c562e1913085

SHA256
42e06820fc97973b0edcb2b2fc0d16a7342b20be1ff84634d4d44906d1585149

SHA512
0b492aa8866b2d6b129fad2c25d93d225b740d47e8f917a12a13ba7bead57f214ac181996f12c641c83366307060eef75819a2ae2ad662148a89b36c79143019

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
8a29ba3343555017b072af095f89ac07

SHA1
6ad33181c90c49e3a569b07c38eb8d7b64af6df6

SHA256
5e5940ef85e10367fdca0e8fd451d1a7837fc9d79abe02c324259018283d569d

SHA512
187f0b068b554cfe13746b88cacf2d23981b7b5a4ba7286a7f9ed44109f6a0269cf0da7f129836098ede4ca915d2dbb351870980aee5bbe9ad93a47505f05b39

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b6e63f737d311f7cd246f827c36e79f4

SHA1
c21097f656d75d1b2a8ddee83863357816730607

SHA256
9ac3346fe09f884ad18378906473ee8a2e4b6fe3c701aa4ab45c906657d12b35

SHA512
86f488841084dd64c58b43903b4b613977e6b8e82b087e04064807f537491bde107434247944df3964b545fd5be1eb6089a443c317a00f24ba9179609e9c77e5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
12fbff6bbf543fe89b06b2be8e1bee23

SHA1
ac3bb9f4e14a861831d1a6d0eeea1c3256774ecc

SHA256
18f336a2ba7925cba44d01195abb68ec5016ac3fdb73d4d9443b6baaae62712d

SHA512
d120863b3ca0e16bbb5747cc1317ed99bd6f127605beba14f8ca8530f3141ba98c15e54737e3cf6769cb1e54ad0ad8fc41db9317c80396e1240a29eb3cbac507

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c6ab905900095a074e1a4c3ac5dcee28

SHA1
52f8daa1207f1a77d450e0840256a6c3884cdde5

SHA256
e17e20df856fd240620a6c320c6a94b0b1eef518180e3b4e8830a96a175e0c9c

SHA512
ea7024fa74ba3f78d10b9f3c1266b37338078a5cda698378a780f9d424bd37b8e852a938db3aad7e6f412e469c66547ffb9711f07b8321d394789bbe70fc9d84

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d01dbb26f4b2846d9dac48b4c55ffd3d

SHA1
629663311d8099056ee0eec9fe91cf8cc358fbac

SHA256
553af7bb114f241f6dd14f0403db68d8372160b24f7573681c88e882e8f826de

SHA512
0afb7a0363736e87c7ae2e8286a45447d0a49abe814290e194472f4d76bd93018af3cf14fe668d30e723289ba09ab63162fc5a4ee5f604abc6b20c9a921a8d68

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
533f38f020d55d5a73dcb8adf42a223a

SHA1
3d699c2b3515e6996f55769dd0ad9070da868b36

SHA256
e9de390668e1ca1c93ff8f6d01d267b3fae0321e5e7c6b8c2a0e9b3142500f25

SHA512
95d9588bf84307f834d10534981e4e882f2999175ac1036b6882e3f3ba9c63eea687fb6a1759b12d0ed208d41ff42aca28fd65fab266b487155af90da2e82192

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7832356edf86d9d4bb7d3ff628ce3516

SHA1
7c9c2b9b34c095e5c9f4c081be642b417b1f26fb

SHA256
863410861bc2308e9d3dfea32cc91cefb889221ab2e322eae68532298c995306

SHA512
458dd9cbd5c7bddf0924ff512b06252ffc2c0649e86af5b58e8e99ab183a02eee872d6310e4038d86977a7277ede9d0913264b94e82ea82d2d51fd16abf3e1a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
60ad3f8b9b43ba55a748d60a29ff1ce1

SHA1
c592c05ddfbfaa47292d85c3cc7624825c6da248

SHA256
7c67685c4e16fe10990b8800329a67ab353fd1e596420ad492242d4c437f5059

SHA512
2f7cdb513e833e9e51c3050c728db6b30f06a91f7b5e3de9e82a8a11527e8ddadf21f0cce0b46cf24b986a8cc3204294811f2a40a64e0b36508b131acdaf866a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ddfd78bcb7ffd8a77f93bf7cfbc5d262

SHA1
62e05a7f998f6a5602ebf6e3da096b6115523d69

SHA256
9b96fc8bb90f8430b59e5e00be9e143558c8430e833e88ee3632145031c9d6f4

SHA512
4c6a899a3a811dccf32f86fba13f1cd4f9b5bc4afe4a313017bc6e368705ea4f07b83cdfbb99b287f9b986f5d6b2439eb4b3281cb6df2f38d8417654814e113c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ba73edaa1e2b894d944d3cc85eac5a80

SHA1
51526eb3d97f8dbf75d7060fae12971f86dcbbda

SHA256
b19e145fd1a7b39ebdd043efb1fa34c4e8d45c311ec2c8ed5bba0ca4e0c39d36

SHA512
9bb29e464418811eb9f6ccd3bb53b3de825dacce1118317abfca35a8829ff7db72cc4b06d18561cd06da36cd2a276405ed44416d6c5cc2d16478076baf6bd986

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a3e6618bb819618dd92cb7a793c31ebc

SHA1
48324483dab5c15515d1c1f453236d5530d4a405

SHA256
80abde2761d61e5d31da7a0f1967724e876948da2fe7c025b63ec6febd9e2456

SHA512
ea79d81a2cc78e0d04c6de040d5bd08cfb4739587e263f88b1e6f63170cfcc5ddffc8f8964665af028c8f20ab4a612a3344f40a776be54ebbc11f75c40c3c3dc

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ea1555729924b3e80dd3feeb68d3ec60

SHA1
bc73b858e1194bbfe3b15f6d18758fc5c91c9cb0

SHA256
7b4abaa3c9fbdd8e97eeadc9e4626f323bb9b90c8ee76fe5a25e98bef4ab66a1

SHA512
e314897ba3240187ddc0980f360b852e265ccaf918a88cc728fed67fe234f0767571d7f485982db8040124a632e37f878b008a005ba20574e33030b3691b24bc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
537b37d1132f3324c82b1f6e3f444ef5

SHA1
807eacfeec30b692c96d310492033da009ac6abb

SHA256
33a8258af51c27b96bdfe3c65077e5be2e227bffd1241278740ed3061a9e05c6

SHA512
5b93cd88f395185c848351e190585925f4ce9b44d3639eb30dbd29fe8f9f699dc37376dde087005473d1d741b3e37c1a4d5090a9a6ac1529196ada556d211ee4

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e1dfed321c6ee7f4f3c5c63fea382255

SHA1
be7809f5189879a6361cbf9b984be96caa9bc3f0

SHA256
bc2be3d673d5d845bcc1202e5a8da45b44bb76aa83e400b6c6eba2665b40aa5d

SHA512
e0efd48829e6bb167538f1b231be6d941120a84d2a6ab4e22529af02613965cfed05103adc655ae77e139746c022ec48dce58f9afecc1053f993694ee7cf3997

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bb07c187f48b884fc7f94b2475080213

SHA1
7a26f15e0d82592bd4558bf34aa1e99633830d91

SHA256
5ed6b872faed35307def21d64c30b7f90ff45e1f2f4cecad071cae81f4ab3144

SHA512
f8cd2b6f1496ef74b7c015e5eeaf51079214af11d8ec7ef0735606310d19957b6066a45bc50d15d210e0ae132b20de955299123777ee99010dcc040f7a2f956f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4b434fda2ce774b6a15356cf9be95b74

SHA1
64b8b343033c10f32d425db70b36244e42fe6792

SHA256
6a612bb628d36b81774f2bc65bdba5f491ee67a3e5077c0b9c02d7c0ebfdbb32

SHA512
8dc3178ebe4925d6e04a68da1c4598dad2bf4d28fe762b3217a34e00eaddff4b5d5256ce7b99a36e2ab17725740aa5a4ccbe1c57e4d9cd415ec70e364046b735

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8664ea035e4d3a90f1714cfa85e02154

SHA1
bb3a9c587bb83257555f8c27b37b127974bb36b5

SHA256
bf4a1c4a313a91618cbe8d6e6fc439e658a363209d661183046844a747498251

SHA512
b2087f4807b7e7b871f7ab6ebf4d43b3f3040dce5176a0ca9cd43a0d8326718cfd0c0d2f7e580bf78585125ee20855113e91cb8640a849b7b35661b83dc489fe

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2e2bba2ba5de202df2609fbabd3fa187

SHA1
62d3ad8be164534ad0d68be296a75d72b610907e

SHA256
6779d2c365e82748b6a4436e7986cd4ab2c6fe9a1fe7f46f1a0700566727334a

SHA512
c1f4822b1c923fc2d4344eff19fc3836842766b25cdf0645a9150cd4579fd8382e9db129c21f55f3241ee0d90f1cdce483c611d660dfd31a7e4e615e19921825

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6601bc42d4351c6c35fad6eafa7c2840

SHA1
02af699e65ae989d441daa97cea2055baa88d34e

SHA256
49670b9798b43b939f479910b7dcfcc73ff90337af9ed7aa78d84d103e1492a9

SHA512
8630eb3dd8534d186076b8f512c32caeb6eb454f47b74d56c8ac84400c0347ebee012ce1b0597c24da4eb08806a350786aaaac8b1980701ca8354f5837655d76

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1d4b65025a75591b009f88ae5223960f

SHA1
cd5c36ac05d191b0dc950ec0e36003e74f3e3bec

SHA256
20abf8aaf4ad6eff03f17f631e23781b42260cd2188ec17d48a3eb17cb70c54d

SHA512
72fe37c29099e6333f6be6d0dfdac2d4c7df77e5b753c6a88249fb988660a80cc1fee23ab2c66d895faa1df78e46afa1c6741b8544df7fb507e3f153f736ad95

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
c20e9108885a20e073e1ffc7da3d6d6a

SHA1
f296f233d30a626a95a1abcbbf1040734d6de8c9

SHA256
d8e3591c2eefcc1cd59ea1d0ebb678f559468cd8e174184ae65c9bdf3667670e

SHA512
cae2a964e1f3c4617e77585e1a20f36bd7ffa4d34ac99333c4fc4750cf0ac359a2341b6fb15341a48c73560d65a75d5f5f2b1dbf82a2d90c9318cf4a339d9ce9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ca7d7fea1014af47359b1493cdaaf50d

SHA1
44a225090b86780566f49106220a8256f3b711d5

SHA256
93b80f3d613508a1fcdc40099b4048d05b2c4286d3209e0db93770ee713fcad2

SHA512
81ec1781f0ea7ee713529e2e24f70b8332b7e4a58711eb00db7a474bb24b142e7f62e7f4e5b0f5985bed89476c76b461dbea34e1f2f40156a3cee22f4cbd1c04

Download Submit
memory/1184-471-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1184-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1368-44-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1368-38-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1368-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1368-48-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/1368-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1628-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1968-256-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1968-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2020-620-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2020-192-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2076-630-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2076-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2080-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2080-88-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2084-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2084-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2084-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2084-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2196-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2196-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2288-121-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2288-232-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2652-573-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2652-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2792-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2792-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2792-80-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/2792-74-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/2792-84-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3060-629-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3060-245-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3216-626-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3216-241-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3244-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3496-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3504-191-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3504-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3504-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3504-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3624-580-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3624-0-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3624-6-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3624-10-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3624-578-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/3692-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3692-244-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3696-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3696-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3696-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4144-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4144-221-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4360-19-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4360-13-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4360-119-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4916-624-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4916-204-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request