Analysis Overview
SHA256
069cdba46a863d640baa1a63edb508f48c1143675a29487ee5e69fdbc36e6e2b
Threat Level: Shows suspicious behavior
The file 2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: LoadsDriver
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 14:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 14:31
Reported
2024-06-12 14:34
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f57c0f51d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af76e54fd5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b65e4e50d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b2d7a4fd5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eae30e4fd5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033d46350d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc4c3b50d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6e67650d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e724250d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8243450d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000307734fd5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3940 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe |
| PID 3940 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe |
| PID 3880 wrote to memory of 4868 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3880 wrote to memory of 4868 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 3880 wrote to memory of 4360 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 3880 wrote to memory of 4360 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-12_2b8eab165be6e0ae078d28f7a36b4adc_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\BraveSoftware\Brave-Browser\User Data\Crashpad" --url=https://cr.brave.com --annotation=plat=Win64 --annotation=prod=Brave --annotation=ver=125.1.66.118 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x14032efe0,0x14032efec,0x14032eff8
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
Files
memory/3940-6-0x00000000020F0000-0x0000000002150000-memory.dmp
memory/3940-8-0x0000000140000000-0x000000014043D000-memory.dmp
memory/3940-0-0x00000000020F0000-0x0000000002150000-memory.dmp
memory/4656-18-0x0000000002000000-0x0000000002060000-memory.dmp
memory/4656-11-0x0000000002000000-0x0000000002060000-memory.dmp
memory/4656-24-0x0000000140000000-0x000000014043D000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 7a21eeccb2e0f5529f15d5fb5790d62a |
| SHA1 | 4297a366e8adcb8afbd4c2389d294c936ac78db8 |
| SHA256 | b35cda085a13e5645beb26d3b57c31dcd14b420096da4a11fb6b9d51153ce047 |
| SHA512 | 9329f1fd7a3073b3e97356c9f60fc33b98f37b57ca0bf7e06aefd19a1497c029b8cb685e4543de9a829bda04b8dff136218a633e786984a5828b0868f03ba780 |
memory/4408-35-0x00000000006C0000-0x0000000000720000-memory.dmp
memory/4408-37-0x0000000140000000-0x00000001401E9000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 39f4e0325c2c226262ba3429f4d54d77 |
| SHA1 | 92d72da789b875ba6125d0bd6b0f5a1b3b8b15a5 |
| SHA256 | 940ab43a2ed455232b87eac3ef6837475b0319a85ddb8db91c65ad48c03d94cf |
| SHA512 | d96647e979d6c81151fe435401532cc59259747dd42b70890ef1f15484e3cb15a9a740ab0a0a5ab37ccc2ba43c4948f2a7bbb08dfe97601a604e6d40f67d878d |
memory/1540-48-0x00000000006B0000-0x0000000000710000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | e33f9e024c03fad206a136ee1f3cf71c |
| SHA1 | 416ab16a52305e2d1caf86d2d4704beaac8fbfb0 |
| SHA256 | 3f045f25f5553668f63f730af26344275eeafff9c1c0d9e2588d2caaa6f96f52 |
| SHA512 | 5785c887dafc4cf4c1f2097a4e71313134dce83c2f4685884868cce1070211c63334b46617386c4025cdf681801d3f5d1187d34eb4cb8a7c5778ded1862a8399 |
memory/1540-42-0x00000000006B0000-0x0000000000710000-memory.dmp
memory/2792-58-0x0000000000530000-0x0000000000590000-memory.dmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
| MD5 | 44fadc925417ad7078a691e448a488ea |
| SHA1 | 719b58508e9b0e80e9b889792fd4c58f1a867f8c |
| SHA256 | 093d81aff91a5560c492f31eeef17ae1f9c39f0b196f5802cafce1e5eaad2b15 |
| SHA512 | 2ce46e79d5de175d52f69fd6b5b58c6d63b793d9c9e8202631b0c3f89fbe693122b40f1ff54e9c535bae8aaf3f3c9bbceae5a90301d6dbb7f0e277045105f7c8 |
memory/2792-71-0x0000000000530000-0x0000000000590000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 5938695d24be775bcf2878f2fabe4e54 |
| SHA1 | eb0af2009ef2e5601cf9d35ddc7abc1494550c39 |
| SHA256 | 7d8d356969290150d27e966ac7072e037549908f8e3ca826706b1e42100164aa |
| SHA512 | 6c108e31a1e471e669d896d20ac521f2756c4403fc1d96ba879734736ad5f8b12f06b8d09ba981bce4237ee9e6a555d9026b7cbdfbb14818ba2c3e40041fda48 |
memory/548-84-0x0000000140000000-0x000000014024B000-memory.dmp
memory/1540-83-0x0000000140000000-0x00000001401E8000-memory.dmp
memory/2300-81-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2300-75-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2792-73-0x0000000140000000-0x0000000140135000-memory.dmp
memory/548-68-0x0000000000510000-0x0000000000570000-memory.dmp
memory/548-62-0x0000000000510000-0x0000000000570000-memory.dmp
memory/2792-52-0x0000000000530000-0x0000000000590000-memory.dmp
memory/3940-34-0x0000000140000000-0x000000014043D000-memory.dmp
memory/4408-28-0x00000000006C0000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Roaming\7316487e293b476c.bin
| MD5 | 10494d0d60766adbcfddee72eda43fa9 |
| SHA1 | ebde2c941d5f542f9b7f9a6066fa05c30bc12c6e |
| SHA256 | 647bfcd322380c67300e71a102bbdfe15bf2e49c2d4c74aaaa0e36150fbfbb22 |
| SHA512 | d30345ae812683072b84638facfa3702c628523caa848bdb9f7141ef0fa4c7af07be51732d4ad27fa90bb12ad4897cabd086c6237ebda0def7caf8ed6f29cd6e |
memory/2300-85-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 383bc5e32a9798add4091abd819fb455 |
| SHA1 | e33cbda928b420d9aa455d86444dfbb72f9ac65b |
| SHA256 | 2236b01651900abfc82bc40ae08ceff1b7dbdbd0e74bd4ecbac3d64c076550b2 |
| SHA512 | f141b9a98c6cb532ee018f11144b66522cc424f933354b1e486434c80de23f64e67a5a2aac7665abd2f5ea005511d2060c495300b0084a1a748a8cb7e9759d61 |
memory/3184-88-0x0000000002240000-0x00000000022A0000-memory.dmp
memory/3184-97-0x0000000140000000-0x000000014020E000-memory.dmp
memory/3184-101-0x0000000140000000-0x000000014020E000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 89ceb2b59cfb1e75bd34d152e176497d |
| SHA1 | 1d6d2b6beddaed30cf2b12c4b9280b6fb0759ec6 |
| SHA256 | ac8201739b1be54b83c2676378aad9197806279cb30229fce40af8cfcabf5771 |
| SHA512 | e69585b9c9c6589f29a9595337bf69b5a04d19a7ba9518dc053f4245b6d3eac86d226f0ef392a4ad96dd0e10797f44f6162b2ab746fe7b619b3b93268cbb392a |
memory/4028-103-0x0000000140000000-0x00000001401F8000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 776a36fda0040c241e762604338070dc |
| SHA1 | be5756cdf32d946f694bff8be8d2c412232f885f |
| SHA256 | 735100af7d49730c93c6e5c8d71e20d3f7bf2cec430372bfe20329889dc5a7d9 |
| SHA512 | f970c9b62384eba57214ae50d38ea73af12c96caaa97b2b98d1f4e4ad64176035bb713ab0f29815a9c224d906ea1e77d42b3adcc1389ef499e4a5d01fa993f23 |
memory/840-115-0x0000000140000000-0x000000014020E000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 0b8b32e3b72b84d8a962a0d312bff6ab |
| SHA1 | 46e1de6018d643381ec87724a29e579db2344738 |
| SHA256 | 6e835f78b17f334c82b2a2f60c67768400c6ba75c1c6ab9c7643454ae3dee0cf |
| SHA512 | 9f64c446e576290e6b2290cd1f39bba6039737838fe5cbb377d5f42ee7860cb041fcc7df6492323ef00b06adf0a7b4ba86f8a6ee216821bc0911a1349e8a3d65 |
memory/4252-137-0x0000000140000000-0x00000001401EA000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 5a9887d66413a5a74b7acd2fd0f00f88 |
| SHA1 | 2f866a6dcfbb6ea82aedc738ba23f73b501edfd6 |
| SHA256 | e1e20f9a21c75b3a78b5e386e87e8f411aba772196776b075be3c10294619b21 |
| SHA512 | c934b83eedd42976cf549bba42d569ebeba855ce100634fdad6985324c291d9ed0ef4301396aeebaff048d2c5036615e2e754c69b0aa7e7a46e3785a54a397ab |
C:\Windows\System32\Locator.exe
| MD5 | 73d2fff7525dc0d154a94c6ca9ee7679 |
| SHA1 | fc9f2667780c6f2a0112bac5d2ef6bb515bd3bfe |
| SHA256 | e065fbf8b8d764800693285dd9a0e11fa7a8cc492801636c23cfefa1abd927d8 |
| SHA512 | f9d08d3c5b399a3ee38fc636e6ced778fed9d30e107bcfd0ab254db7319e5582072a89fc2f6f360d5bc435056e06a4dea731e2b81025ea56fd23c5ee1d96c606 |
memory/4828-141-0x0000000000400000-0x00000000005D6000-memory.dmp
memory/1256-151-0x0000000140000000-0x00000001401D4000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | 89f888d5eec18f7c8161382e8cb0d854 |
| SHA1 | 1674de60e4200c368176a980664e1edc9266c546 |
| SHA256 | 3d6ca0c1d8c022761903b6dd8ab7da7e566b743f150da2a6ed3d363ecb864855 |
| SHA512 | 82d223b88eb83824021f623c4e428616ede387e46ea10e578e1be1b096ecbe8dc8739ccf2da239d692b95543f69467ea6acbb166e961091404fa39ddfae10f8d |
memory/2708-155-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4656-154-0x0000000140000000-0x000000014043D000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 0d3e2acfda60dbc92ee20e37d66ce7bb |
| SHA1 | 7272fc2ede9a5fbab6f7b91452983772769f690f |
| SHA256 | 9071b6965015b2f9cf4e25a327aaca9e40a566a2156d835213b9b02fe63eb0b3 |
| SHA512 | 12794dc2456b8ddd4f618d2e27e3f47610bd45265eeb311b90f12630978eec6f7f1c2d31ee568a8f86913fd93e93e86741e48ef80e49c66a621c029f99a39957 |
memory/4408-167-0x0000000140000000-0x00000001401E9000-memory.dmp
memory/3340-176-0x0000000140000000-0x00000001401D5000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | d1023bf12208012c03fea1dec934ad49 |
| SHA1 | 9a06cfde38ac4409f66f850c4b845cf5828eab9f |
| SHA256 | 6f8ae560c6d10bbcdc0b20d26b9bd6bd50cb7a051eb9261e44195886ec5de673 |
| SHA512 | 02d86f13768140edb683daa08ab8a5d03f2e46a131b7c287d545d7fa140f1ac2db9270ebc1e16857722fe5998dd26db05ad2e6de6e3cf4c0fbccc5cc2e38e214 |
memory/1968-179-0x0000000140000000-0x0000000140169000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 71b6ced4a02250ccaee7fffd8ffb1430 |
| SHA1 | 33dc8798b390261c1717fe7faf1da06a4014b73f |
| SHA256 | 635dfdf0d5de43f4e60454d8b2fd5d4311c2220821c8d9663d889f58b9492e39 |
| SHA512 | 17526a0ddc1a78c08b97ff395e17c8f2690d3e36db6a40064f275901e1f554ee34238c2a23ac2e2128358dcee541ebc8d0fb84d4d25ea0511d2a65770a498565 |
memory/3660-192-0x0000000140000000-0x0000000140241000-memory.dmp
memory/2300-191-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | a6e2c0f61b9d19c9ff397e6101b05771 |
| SHA1 | 99a36e2a49a526c0ec3c48234467d690168e4e39 |
| SHA256 | 87ea595ba970f643f88c54ce34c8e90f76804920b6c2a1b6992e22766b6dd213 |
| SHA512 | 50e65f4a6746b1d056d55979166757d2ddfbfeb09f64e498d76415378ac4b8babc4997bc2220843fc090dfd0f4ba00b15ffa9cbe6a71a1b33e43109d8f9944c1 |
memory/808-203-0x0000000140000000-0x0000000140221000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | 82ef78a308ffc0a372baaf213eb488f0 |
| SHA1 | 7c2561bbbdafc9ca4709a418fd0db2a3cba538a1 |
| SHA256 | 9b4eabcdce5b6780d82c25e12944e1d5095487f0832b96affdb63824ed7f2f6a |
| SHA512 | 48e6e954c142bed21133b1310ab198d8258fc3ab6fa0639f5be3bf6178142b8d1b05a8332a7c072a7fe50e491da22d1f316ef096e86ce8dc89f4801654046964 |
memory/4028-214-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/688-215-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/688-227-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | c7778077dbac88366d54f4dd7628b32b |
| SHA1 | 87e75f7057c0290f983812283a5db3e168237ce0 |
| SHA256 | 2fd1394e35e8d2e8632a2f1042e48c193abe35ccc6c4e3dd6cd94d8ccfe2b647 |
| SHA512 | 835360fc76be0972673565671792d61812487b66ff4f0774b635bdbdf2d82c06ebef347e81678d625682ac0edd4cba01c2a05994a4540b664aaf759a27aee08e |
memory/3944-230-0x0000000140000000-0x0000000140147000-memory.dmp
memory/840-229-0x0000000140000000-0x000000014020E000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | b664d37b473f8e0207172c79abd26f8a |
| SHA1 | 20a5bbc400af84ef6c3af402673016ffcc591b27 |
| SHA256 | 4861586f879684e2601ee1df233f43f4c4cee6ff8ff85dfdd3264bf70e7742f6 |
| SHA512 | a5b78fe5526004f440935798dbe07c34834cca824b075e2e4b28371bebaf3c3779ab080f7197a93468c04dc49be205eec31ea43a608a6ab56c2214e87d195a03 |
memory/4092-242-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/4252-241-0x0000000140000000-0x00000001401EA000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | be1df6b6d7c86edcee7d1b2d90e73890 |
| SHA1 | b84a51a1fb1b0fe14a2067664933812bb5c5c2b6 |
| SHA256 | d77788b3e9567dd12499de4fef012013193bbd973f1ad02d9414a87f02aa576f |
| SHA512 | 1a881e0916f77cebdbd0d9a718a4cd3d4e13a93be67122d3f402695109cdb1615ebd980a3d69e820b6e2a97133e8d5452bdf7058d2aa525c1693b0dcf09d3801 |
memory/1192-253-0x0000000140000000-0x0000000140216000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | f823fbe59b15ee64be2a34d3c2fb0e58 |
| SHA1 | 120226ac5145f3d6c06b89b8c8c869ef10c08608 |
| SHA256 | 9873fa4be237f275c69ca44faadce545c4a19db3a0cb0008169e82e62b7c559c |
| SHA512 | ea68142ea70e10ba3cc07c98986edd850ef37faccde214936b7fb6785ddb822d6dd554308da7e7fc106d9e488804bb6def4dd949bb4775ab5cea1781a001a523 |
memory/3184-273-0x0000000140000000-0x0000000140205000-memory.dmp
memory/1256-264-0x0000000140000000-0x00000001401D4000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 1c08b1c27191bd905604594148eea597 |
| SHA1 | 6382a8720c9347bda4d7160e69919c4e0b443b18 |
| SHA256 | 6f0f47c99c89df9246204dd11e5e9aef09570e484c4fa83e1bf322d3e452d4b3 |
| SHA512 | 64d853823ad5cde6a7c41a38fc18dfc5073af2e88a07159d04d4dd16f025b8a8e92366c7deaac609379d589d94359f4edfd6ce8952224a9dff41bd3fe393f635 |
memory/2708-277-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/3880-278-0x0000000140000000-0x0000000140179000-memory.dmp
memory/3340-456-0x0000000140000000-0x00000001401D5000-memory.dmp
memory/1968-514-0x0000000140000000-0x0000000140169000-memory.dmp
memory/3660-598-0x0000000140000000-0x0000000140241000-memory.dmp
memory/2708-597-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/808-601-0x0000000140000000-0x0000000140221000-memory.dmp
memory/3944-602-0x0000000140000000-0x0000000140147000-memory.dmp
memory/4092-603-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/1192-604-0x0000000140000000-0x0000000140216000-memory.dmp
memory/3184-605-0x0000000140000000-0x0000000140205000-memory.dmp
memory/3880-606-0x0000000140000000-0x0000000140179000-memory.dmp