Malware Analysis Report

2024-11-30 06:37

Sample ID 240612-wpaegsyaqk
Target 2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk
SHA256 08909d3e08bc0376cc16e1c8cce0b223c9edf445f9e4458b2bb10e335192796f
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

08909d3e08bc0376cc16e1c8cce0b223c9edf445f9e4458b2bb10e335192796f

Threat Level: Shows suspicious behavior

The file 2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:05

Reported

2024-06-12 18:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\76c6fb8985dff9a7.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Windows\System32\alg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4532,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8

Network


Files

SHA512 2349afc531b91838f2c73ef8f66e448c18dd2efb5fa288b5156c3edbfd786680abb6e6d0d7bd827ea676e9132a2a72103a7554a99e54d3cf74d5ef1920ca6e4f

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 fab1b2f9996f81e9f6291ac9b0bf6d61
SHA1 6273906b59b4b3305a087dcd5df9a9d809542a92
SHA256 d1a8bbef9e7a55ee82c90a0c8ea445f97ba8c82633da1c260d78bbe264bec438
SHA512 bf99fd4748a280e78da1b30acb4049e380de3ef43d1cab6d4a88cf82dfd74f6bc95c85a6f97721c71aad7e57061dee848a94d4b60b86616bb1fee2d04445fc9f

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 6616f7b3d935776431ab89695239e4fe
SHA1 479622b22f979b2bfa7e060ca912e614170a66c0
SHA256 26cac56f0ae935985184d9290261aef7b4ad8a830da27376508594c581255657
SHA512 c271b49a031cf0f4fe17163275118f74c854ed44c94a3c676e19d773b740848deba966c6cfd476561de2055b956463ec127252691effc1c391beca20d1b84d82

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 6ecbddbe8e5f8b22e2fa3958dec6a10f
SHA1 a2ce865e0ce5ea471b735741743cd0e61669ac88
SHA256 3a737f97a9d44cdd6322481ed98cf51c9059ea0cf3316050d1a9511c3b20f22b
SHA512 a6102e6c371e49ec5a0277cfc80b2c5cc8203e02b903169248300ba2a8b596dd10176f6a2b2e909227b172ef36a50122b2df95d12c31f47f17f6ba007d0e2fce

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 4cc49d4b8d8b057bd293cb9373b62f8b
SHA1 191706168ed157a64bb6863b98b441d5d0a53a6e
SHA256 ecbf3f03855367a203d627ec82522d7b480ff48af0415173674059653010d1c7
SHA512 cccb8120d36285963b27fc198df8220771e5a2afcb730b9a63ba74390e49a784edbf68ad9fe17e0ca0c4842c794c4f2fe3bf89f2e020416902c1726dba1187c3

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 fd664966000a7010faafb44c20d92629
SHA1 ae92028a65fc1a01fa73078dcc23612e6880ec9e
SHA256 5e077f7b2c276ffbe5910818f7b375752f21268c8c35c1be26b54b8efc02b7c8
SHA512 6f254f9cdba3b30e3274054a28bdec9bb75cae7c55430c96fd3802d90303063381ab3454cbf3d2e515f52b284a0cd3989f5f59ab82148ee51c9ba569b0068a9e

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 e70fd6024fd8e5909ebbb200b2e8657f
SHA1 4a87fd2554f228fa4e920cb095468975e9a5bcd2
SHA256 2036615ffef91512c276a5093e3f4104ee2867ff04caf354e4c15805badeeb3e
SHA512 20aa826a4723b94b6013cd0f7f4287bbf6856f35f4a7fb86666dd732647da07239212934630dde53e5b5c32ec7f94aa38f017c430e7facb97068ea9792a77205

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 6d41a70bc22b426bc06bcea7fad4f9a5
SHA1 d0558f437496d40c231990a07abd3b1d54e41bb5
SHA256 6007630d566982344ca43b81c3267bcf9b7b3c4d5139fe20f4cc9e6f92f4cd97
SHA512 74b1fa03b633949d15af1644d0d326c48372a7f72f7f6cfed8b69ec04c67cf1e9e83e6dc082fb59613a208b54e1d115289b19276a99bc09f149c7a8a643f5084

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 f333fe38c0247cf66216df21e5ef9c57
SHA1 a545c7206537cbfe059502f5f6f0c75647de35d3
SHA256 b3136da01a855194b94ef9db32b6e7479316140f3c51c2809276140da8244bad
SHA512 4842b91cf34be55952982dc5cc4ddd41669f17058db1be9beb1fdc6be2fae9114de01da48e2fd6b33102d9ff9af20cf76e8bb82c2c8740fa247d073ad53f4138

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 be71edac4c97e955717c6ee11e2ff299
SHA1 34024a93e751f699fc8fdd2a3227df3af7bef408
SHA256 5c6a7e164acba5071e7121b95102f137bd5e020f5d011821c76da447a4ccd60e
SHA512 1a1e9272bb79b1a62cfa3acee1d770a09cb53e662ca6c9140e8590fa945762b3964854f2b5b23e6c98ac88624d1a86b20b546a0055dc8ce7e09d14a116ebd1ac

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 43bedfc3eaa1841b4912d452650a5f91
SHA1 3c8e28f9d44a4c074d9cb6c6f10bd662f142a542
SHA256 cde310407e4a9c7f5321c05fd11eef45511fc7151e40f961e65d1a9c7fb3926d
SHA512 69b90fec6f0f6ac253e764e80d174b9fe099f9651ad661c84300ac0168d0d8e54a8bfc6e558ed9add2dc6f7b4d69ae6b7da7c78870cbbe7001bdac0e5cf19266

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 a88b340c879d8debcf9bb66c7b2adaaa
SHA1 109193d1f7a9ebd95d27483ef1fc36ef7c65d23d
SHA256 1d8cdb68302ed0219c688de554f4fef614be391f3a7a5948555980da47613c7b
SHA512 9ab3a73845fef395c875f37019a5be844680cb29a747e02e2630fd774e3f74fac91a7a9c6bbf56d74a0ce9ef6aedf84f09b936e7bbe45bed0de7be092992fd89

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 864e9135e180d706d9defaa936416565
SHA1 40dd09973a7cb767fe9b6f42e05183d2e891629f
SHA256 8ea2cc15d82eb55d1f3e4a6324975ac6489f6467b8100f21b9d82d2fd44e513a
SHA512 d5bddeb61add304abbebdfcde090610b00e5c36c92cc17d714d09abb9ad554780aa58b36dc4364ada07e4f5ad1550a0c9257e1635c22bdb3d28cacc76dd4203f

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 20ae021772832012933016f79a6a33db
SHA1 79154afff7d9e63cf14abae5127c6babba65e15b
SHA256 0e21b06ed50d7d28f04c5daa88c99cd29430deea5ce7e7be7acd8f116ff1fd71
SHA512 f920ef6eb3d1b2abe2c6de53f0028107f21e883fcf33c8a93999b33f1d09bef1427b35a853f3808c7a52b5a888435d3ed81988650713cf2130eb83f10bbb7bc0

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 81f961ddfd9fdd3d99091d2dcd6daee1
SHA1 dbefa40424ce04a5889cee99a5d6013bf5ae1b72
SHA256 b6d0171cc16d02d0c5fca032423f4ef1be0071bcdb6b786d3ba683997c7faaf1
SHA512 45402bea79b1fa70c3e2ec803d34a011c10cbd1fdf81a41c1139a2338a7ec035f580783a43c6f71967999e18bb440e942c365b3e50f98821cc7cb25fd3a35f2f

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 0f439496484266cee99c369e0fc3d55e
SHA1 7916182a4bd69c0c2158fc00a09a934f5bde756e
SHA256 3e21ffca5273a456ce500d138a979c7f271453eaa30ce6a0634b055779d0c52d
SHA512 e602e47876ef9dd4470dcbb3ef05a514d6de1d772f65eb3e5bc8d9bd9b6bb8bf98e3c96153aa5eb1efc454f8481cdeb21e957452c13387368d0594f0ced05e3d

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 32b439486366a512fd9c958302a8dace
SHA1 15f5f3808478bd65588af8679945cdfa598acbbb
SHA256 30463e7f029e5b92d81a4f7f33881d7b4d9bd5269cf54eea79dcd31bd41bc8bf
SHA512 e033513870cc71633b1bbd40de350888452b1fcf1f5ca55d8b3864e4fc3fc6adbf1d3e3f1d6ab7eeca1d15bc8f0f9b0f51aa7d1592f8882c790c8d92ac734cd1

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 d42e23dcfbc93ddb9e2cb92ba8f5ab9a
SHA1 5573678054ebff46d65ecb23b8038ec034163bf4
SHA256 e0e7431e30d9b3c46d19ac1394286f313be53ecba16c9728e6ea24efce8bc1f3
SHA512 fe4560eb620212388b6153721674f0fabeeef5b45bb65ed54ca6ea220c9fb6bf04dd383c9fadf6c5f1d3601975729d9a4926427f5489950a7d93c0dc47e514c2

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 b01440a0e1d604eed7fa936bf2869168
SHA1 a9a1d53936a896c2b179d844b714445a6c88e7cf
SHA256 af265f54292f38b58d9837fd9c3b26ebee1609a7ce9376d37cd1263e7133e9c1
SHA512 ef5ab1269fc022343078e7af8152a525e1fc9c5d6c08dd1343b0e081d39864f738c5ee14d89b9e4f9e25893f699dcea776d0cab164d6575db68fe124035110c0

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 dfe6ba7f6125cb09670fbd7a2c81d91e
SHA1 9083674091a11324a514334b50c3fc3eaa0f7c39
SHA256 f5e314351c12d03e3f1c29ca3bd62bfc68482b0cc7c8e86babd5903143fb4163
SHA512 00ee675448850133ed5e5746a88d93294866c6f5b66a59ee5f10ac6dddb42441471b2923c831a42648854a9a8510270bed4ff442c1f0a4e89bdde38f5556c2d2

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 691c79dded6ef8f83760672a1a44f028
SHA1 b21a0bd9484f3d25a0c21e8a0aafa8896c405f57
SHA256 1d47f40db00ad734b82959ed1cdb6ad841b8e4f2a5142376cf4199d018499fc2
SHA512 57996601bb3805112a75a842e665a1d8e611a940ceeb80cfef23c7c84badbece62e1db4869444abeee9ced033ea1584422c3e330072c9eb26199775d1b5f0741

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 31092dfc1227468a4d616d544dd87c68
SHA1 78ee161c586c802c7a716e0cb1c2e3140cc8d7e4
SHA256 b35db2ee09e26cbe837e488b4d41e5bc1f8bcc2c067224e654155a99d5051502
SHA512 5ba7b31d22ed1d0087553137869824b21db638a9535d19892740f78bb4e5b32c066e2880d03bdd6c7ec4af9c471c72ef785be40afea0b570a755594996b0f689

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 4d418b1a929d392aebd5d487b6f285eb
SHA1 042aa1db821277cfbcc031002f2e01a01a484f7a
SHA256 e9d5ab92e1e375af82f3708d7745688e601921f1940410102b5dfc3f11565858
SHA512 d0ea9f6130d0d626dff65d63f08ebcfe04d4e630121dc86eb0bd3feedb52fddd23e568a1ebb5df1e0fa2c7736277ceddb8e4fc74a2e14935cd42714e3e9b0be7

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 d68039dd5ece04d8d3f6247838e7baf8
SHA1 3cf3419cee8c3aeaefc374e87bd8e8d42ed38609
SHA256 b03154b6ce1cdf364a0c46fddc346219e6c1ba131a1d161d1778a33248b9b6af
SHA512 7e59bb2f865251ce84c73b829894686fa982ab5a0b6d3a6180c933bc4426f6970091f6be22d7edf1e400ecf7865d4be4cdf92eff8c13a9c91e95b99cc36e6cd8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 406215f1eb6a230162b301c801e213ba
SHA1 704266374d1e800a46747a8246f24cc97cf6d966
SHA256 55f8ae78e239e564a29d5c615c4b0095934109810fb8a4353e24e25f33ff898a
SHA512 ef2c9736ffb81f7960e072583e5d4d63688486f43c0bda321e22808cbc7e571168f26f5cda584f87706e67a81bb229f0f5c93df92191ecd4d037bdc28a4ecc17

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 aae201068bdcd29fab2855e248e9f209
SHA1 805b24363b0d9ab63fa4c7ad13cc993112383b04
SHA256 b1288b55290d3a2287054e4fde18d728bd3f21ed7277821d5555ab5fff254ed4
SHA512 d611aa7a0a3ad6accc01b6474bdec9eae3b9995932a14b794ed2bce47b889b5693f21362e2fc8f00436c50ddcd1c62fab51f1c2f9b0d6ddecd6e3cd7892555cf

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 e61ba9d39bf0dbd426b82657932faa05
SHA1 eab8c480861e471046383a401aa9bbb141de1601
SHA256 03cf4b382b548a42c3e3eb396150e230a40be8a0ffede2bf813945fa31b66722
SHA512 0d62ea761149cc7e1c4fecce2eead6aa14f3ae1559ff9fcee50bbcb96b663ca6bf90924dcc97fcebcea170d8a5c9352d838d80d77bc5bb8d85129e9ad4c9b64d

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 ed11724ac5c00c799a6c4b9275d3e4a0
SHA1 b824b70a8dfd5db2e8fe82bbfd2821420a331f77
SHA256 fa63d83a849b6e1f714cdeaf8d4e948abeaebb9a32ef985818cbe14a7a043fe0
SHA512 26c780803348625f28e250c6dc60212caf64d3267bafb805e6f94b35138235d0ecbe07886e61821825ce979310be59e68e93270601d426ed06d4aebb2227b596

C:\Program Files\dotnet\dotnet.exe

MD5 d4ec7b270891f575671b6cc35f919356
SHA1 f5e2938ac0060ce2d4775ee775760a76b121eeca
SHA256 59cdaf0b18fb21dba696f80b2a0b3e17ff95f5b041c5c3a8cab0ea10816814aa
SHA512 f36b3718c3cb9806831ee2d1162c574d74440ebd46e7a3b7a4cb5adac9b40afc1c65af298b6d1bd5d267b579e4a7f5e3625610e62bb2be8b0db9bf525da7007d

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 7253508a542b0459e163876b6941e238
SHA1 347df874b7fb29a84bdc07da9cc5855fcb7f448f
SHA256 babb4ffb26ff75e62e92d67c0f01243f208675f54d844c3bc74e5a4403c651a8
SHA512 e40a54552660e266e6e8eb0f10dcd4b52ba5f7f25f4fe967d4a70a47b712157c0fd4ba75485c60798ed69b34a1a67f3b91fa6f9198d83568a3168451cd1fd68b

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 bfb951c5a11250180a18902249d06b44
SHA1 2fdac89ca46fe51b78472a2cd02921238aa8e718
SHA256 9e0fc38e07c0fe25c7df16bbfc2fffebda070a5cb471af85a7c6cb4d31dfeda3
SHA512 18d20b5b2b2ca24ee5cefb773ebace985d7bdfd263c11eb1ec0a7b0d85bda6ea7b67281536451f324b73a2846debb85ec5e0b43d8d16af4d7b5f5e8bfeae3014

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 f3d1a224730fa52be926085084c223f3
SHA1 fba670e63f459c861a88fa50ca68006aab0e4bf7
SHA256 bc954ab7419cec9c4dfc27b8e3210a545bbdf1f0be015766f44de8b094cab176
SHA512 4f1607e44bd8ed81b3bea5dc96f97c14c7453f66278fe6a75e8809169920d832b815659855e90d17ff139e4e37938fb61f0043ab0481a0308dc468b9aa9d0017

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 7d8e1f25d76937ae3225e47974cea565
SHA1 8eb1479a7e90e32ce7cb4fc2a84d6473d791c1fc
SHA256 de76d998b4997e897601da3116020bf4f2f57f6479092585e2d3ea45610462ac
SHA512 4e19cba696671f175c00d5005c2aca395691340caf9df445f0ae0c9fc6bf198e9f40eebc1656fec54d4fcbb56f878ba7b329e9cc3e42a3cecded362a4818e2df

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 f8157451abf183b26034d5f15f2a77bf
SHA1 98db8fc37a126145c2f7111580b13b17f9235779
SHA256 7648f9c9354ae0deef784c067a7a1234d4df70f909751dc739bf95646dae035a
SHA512 498ad5305c9b59ae08260b2627980a754c7e0d30eda502aa0b062f0e41969357722e2d06a540fe794b5bafc9becf53264e30af614c1ace05ad22937f0fbb810e

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 5f24a748ea5b3d8edec2705191613229
SHA1 3cad92afa86820f6af048b0c03e97abe1eea0ad8
SHA256 30de3ecebe0705eab6dde26c67d48929d80a1554c2fc417f912eb01905b11493
SHA512 7cba551fee3bf1dd43eb04eb4925a98763df63cf84be5c2bd47b293b50cc7ec1ea53c242c3ec85fb0d107b606708c1e258a0e402bbd55f429825a172fd443158

C:\Program Files\7-Zip\Uninstall.exe

MD5 5eb525eff889ab8511968b4863321d7e
SHA1 7b9c60cd192f2f6e000b8073d7a872c1d8eb352c
SHA256 19d2643f61817b665d0c0a023a89530cfe1cd9b681f2f3edbc9e986963a86095
SHA512 7b492062e8e52a0637dad8ec1a925d7cff9457fcea6d9c0fd3b8e20c17fe9b56db6e6d92819e148d0c74a6ed4593660a57ab106d23a646efdd1aceae33ad5335

C:\Program Files\7-Zip\7zG.exe

MD5 721bfd87430d2446df4de8e9fe22df05
SHA1 cda2cd27c545e18a01d623e51d800cafefc64a5b
SHA256 df08fa8663c36882a214e5df49d684162e97352e304fbe6c79d38fda2a6553c6
SHA512 9fbd2c802932836f08965992dbbbb836db37fb19fd6421ce6c06f6183d512df82c590a4529a026a5f6a2acbcb4f02d67b96965e4408dd8002b0ecf8aa255b1b2

C:\Program Files\7-Zip\7zFM.exe

MD5 17440503b4b0c9225730326bb42b5171
SHA1 b34f85ae59eaac1167765074a030a97ab6b5d3d4
SHA256 531402ec2cd933fcd7c60b84546c5f30448a16005f8204a615a7792ddd6230bc
SHA512 9847e7083cde3e4ba5a63380be0817235245c79c0feb550e3848e596881350eaa2b76c3db7abf8c43c357bf01a255d568fc83d9537d81ccfb3b5960d2d3c3f42

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:05

Reported

2024-06-12 18:07

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_f6715c4d8153f37d0223385ba3e02e4f_ryuk.exe"

Network

N/A

Files

memory/2412-0-0x0000000140000000-0x0000000140248000-memory.dmp