Malware Analysis Report

2025-01-22 08:17

Sample ID 241026-ehxg1axmbv
Target 2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk
SHA256 8a84c07c0250fec425ba1a5aae1466cb03b0274a520e400abd5de5cf2e8021a6
Tags: spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 8a84c07c0250fec425ba1a5aae1466cb03b0274a520e400abd5de5cf2e8021a6

Threat Level: Shows suspicious behavior

The file 2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 03:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 03:57

Reported

2024-10-26 03:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\bb9f1dd1674cc675.bin C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)


Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ffb4a555b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a1966545b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8b9cb555b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2f7a7555b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a800cf545b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081cfa0555b27db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 (privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name) N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
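The table above is what a sandbox sees; on a production host the equivalent telemetry is Windows Security event 4703 ("A user right was adjusted"), whose EventData carries ProcessName and EnabledPrivilegeList. The following added example (not part of this report or the sandbox's tooling) turns those rows into two detections: a high-risk privilege enabled by an image under a user-writable directory (the first row above), and SeDebugPrivilege enabled by an image outside a per-environment allow-list (the alg.exe and elevation_service.exe rows). The events, the user-writable-path regex and the empty default allow-list are constructed assumptions; the LUID table comes from winnt.h and resolves the bare "33" the sandbox printed.

```python
"""Triage Windows Security event 4703 records for abusive privilege enables.

Added example for this report, not code from the sandbox. SAMPLE_EVENTS is
constructed to mirror the AdjustPrivilegeToken rows; real 4703 EventData
carries the same ProcessName and EnabledPrivilegeList fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Privilege LUIDs from winnt.h. A sandbox that fails to resolve a name prints
# the bare LUID, which is what the "Token: 33" row in the report is.
PRIVILEGE_LUIDS = {
    3: "SeAssignPrimaryTokenPrivilege",
    8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege",
    14: "SeIncreaseBasePriorityPrivilege",
    17: "SeBackupPrivilege",
    18: "SeRestorePrivilege",
    20: "SeDebugPrivilege",
    21: "SeAuditPrivilege",
    28: "SeManageVolumePrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
}

# Privileges that let a process read or rewrite other processes and files.
HIGH_RISK = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege",
}

# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)


@dataclass(frozen=True)
class Finding:
    process: str
    privilege: str
    reason: str


def resolve_privilege(token: str) -> str:
    """Turn a bare LUID such as '33' into its name; names pass through."""
    if token.isdigit():
        return PRIVILEGE_LUIDS.get(int(token), f"LUID:{token}")
    return token


def parse_4703(event: dict) -> tuple[str, list[str]]:
    """Return (ProcessName, enabled privileges) from a 4703 EventData dict.
    EnabledPrivilegeList is whitespace-separated in the XML; '-' means none."""
    raw = event.get("EnabledPrivilegeList", "")
    privs = [resolve_privilege(p) for p in re.split(r"[\s,]+", raw) if p and p != "-"]
    return event["ProcessName"], privs


def triage(events, debug_allowlist=frozenset()):
    """Rule 1: high-risk privilege enabled from a user-writable path.
    Rule 2: SeDebugPrivilege enabled by an image not on the allow-list.
    debug_allowlist holds lower-cased image paths tuned per environment."""
    findings = []
    for event in events:
        process, privs = parse_4703(event)
        for priv in privs:
            if priv in HIGH_RISK and USER_WRITABLE.search(process):
                findings.append(Finding(process, priv, "high-risk privilege from user-writable path"))
            elif priv == "SeDebugPrivilege" and process.lower() not in debug_allowlist:
                findings.append(Finding(process, priv, "SeDebugPrivilege outside allow-list"))
    return findings


# Constructed events mirroring the report's table (not real log exports).
SAMPLE_EVENTS = [
    {"ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe",
     "EnabledPrivilegeList": "SeTakeOwnershipPrivilege"},
    {"ProcessName": r"C:\Windows\System32\alg.exe",
     "EnabledPrivilegeList": "\n\t\t\tSeDebugPrivilege"},
    {"ProcessName": r"C:\Windows\system32\SearchIndexer.exe",
     "EnabledPrivilegeList": "33 SeIncBasePriorityPrivilege"},
    {"ProcessName": r"C:\Windows\system32\vssvc.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeAuditPrivilege"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.process} -> {f.privilege}")
```

Run as-is it reports the Temp-path sample and alg.exe and stays quiet on SearchIndexer.exe and vssvc.exe, whose privileges are ordinary for System32 services. Rule 2 is noisy until the allow-list is populated from a baseline of the host's own 4703 traffic; the point of the report's rows is that alg.exe enabling SeDebugPrivilege is not something the stock binary does.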

Uses Volume Shadow Copy service COM API

ransomware

No indicator rows are recorded for this signature, so the report does not show whether shadow copies were enumerated or deleted; the "ransomware" tag should not be read as observed encryption or shadow-copy destruction on its own. The vssvc.exe, wbengine.exe and vds.exe service processes do appear in the process list below, but the report does not tie them to this signature.

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 172.234.222.143:80 przvgke.biz tcp
US 172.234.222.143:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 143.222.234.172.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
SG 47.129.31.212:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 212.31.129.47.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 172.234.222.143:80 fwiwk.biz tcp
US 172.234.222.143:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
SG 47.129.31.212:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
SG 47.129.31.212:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 mnjmhp.biz udp
SG 47.129.31.212:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
SG 47.129.31.212:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 72.52.178.23:80 wxgzshna.biz tcp
US 72.52.178.23:80 wxgzshna.biz tcp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 172.234.222.138:80 htwqzczce.biz tcp
US 172.234.222.138:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 8.8.8.8:53 138.222.234.172.in-addr.arpa udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
SG 47.129.31.212:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
SG 47.129.31.212:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
SG 47.129.31.212:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
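Most of the table is noise a practitioner has to strip before the rows become indicators: the 8.8.8.8:53 rows are the sandbox's own DNS and PTR lookups, and the bing.com/bing.net rows are the Windows image phoning home. What remains is the structural signal worth keeping: dozens of random-looking .biz names, many of which were queried but never connected to, and the ones that did resolve fanning in to a small pool of hosts on port 80. The following added example (not part of the report) reduces the rows to that signal. NETWORK_ROWS is a constructed subset of the table above in the same "Country Destination Domain Proto" layout; the noise-suffix list is an assumption to tune per sandbox.

```python
"""Reduce a sandbox Network table to C2 candidates.

Added example, not part of the sandbox output. NETWORK_ROWS is a constructed
subset of the report's rows; paste the full table in to run on all of it.
"""
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
""".splitlines()

# Assumption: reverse lookups are the sandbox's own PTR queries and bing.com
# is the Windows image's background traffic. Neither belongs in an IOC list.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_rows(lines):
    """Yield a dict per 'CC ip:port domain proto' row; skip malformed rows."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        ip, port = parts[1].rsplit(":", 1)
        yield {"country": parts[0], "ip": ip, "port": int(port),
               "domain": parts[2].lower(), "proto": parts[3]}


def is_noise(domain):
    return domain.endswith(NOISE_SUFFIXES)


def c2_candidates(lines):
    """Map each contacted IP to the sorted domains that resolved to it.
    Only tcp rows count: a udp-only row is a DNS query with no connection."""
    by_ip = defaultdict(set)
    for row in parse_rows(lines):
        if row["proto"] == "tcp" and not is_noise(row["domain"]):
            by_ip[row["ip"]].add(row["domain"])
    return {ip: sorted(doms) for ip, doms in by_ip.items()}


def dns_only(lines):
    """Names queried but never connected to, typical of a DGA where most of
    the generated names are unregistered."""
    queried, contacted = set(), set()
    for row in parse_rows(lines):
        if is_noise(row["domain"]):
            continue
        (contacted if row["proto"] == "tcp" else queried).add(row["domain"])
    return sorted(queried - contacted)


def fan_in(lines, min_domains=2):
    """IPs serving several unrelated names: the strongest structural signal in
    this report, where a handful of hosts back dozens of .biz names."""
    return {ip: doms for ip, doms in c2_candidates(lines).items()
            if len(doms) >= min_domains}


def ioc_summary(lines):
    cands = c2_candidates(lines)
    return {
        "ips": sorted(cands),
        "domains": sorted(d for doms in cands.values() for d in doms),
        "dns_only": dns_only(lines),
        "fan_in": fan_in(lines),
    }


if __name__ == "__main__":
    summary = ioc_summary(NETWORK_ROWS)
    for ip, doms in summary["fan_in"].items():
        print(ip, "<-", ", ".join(doms))
    print("unresolved:", ", ".join(summary["dns_only"]))
```

On the constructed subset this yields three contacted IPs, two of them shared by more than one name, and one name (zlenh.biz) that was queried and never contacted. The fan-in view is the one to block on: the domains rotate, the hosting pool changes more slowly. Treat the IP list as a point-in-time observation, since several of these addresses sit in cloud provider ranges that are reassigned.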

Files

memory/832-0-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/832-1-0x00000000020B0000-0x0000000002110000-memory.dmp

memory/832-7-0x00000000020B0000-0x0000000002110000-memory.dmp

memory/832-12-0x00000000020B0000-0x0000000002110000-memory.dmp

memory/832-13-0x0000000140000000-0x00000001401F5000-memory.dmp

C:\Windows\System32\alg.exe

MD5 88643217a3cf46b3785a1d75549408de
SHA1 c69b0a4021aab5b846181940d13b7e53260b4f59
SHA256 4916804ffd307c52fe3c43b5cf3aadff3857d7671cafc487912a4bf252144a42
SHA512 ebf1d8ff433009eec520abaf10a5dc5c72610e49f4350fdfa91ee74c1b5beb80034dbb3a1a4887033bd132b99b0725b0e38fc14c9fadb24890c5a982809de911

memory/3312-24-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/3312-16-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/3312-15-0x0000000140000000-0x0000000140191000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 23c45488665414e967b5e7715fdf36da
SHA1 4005bed3b2f0a4d51875305794f79fa2402170f4
SHA256 d7a30aac2e0086a90e5217c455a0c68c6bb72baeb8f11050eef8d94a9011d66d
SHA512 0eb8a17809ea93763ada0e49e40b3554e0c3b061ce075440c5151cc4f48c09244d2403fa4a2b39b581d8e3c9aac83d3a8da5fcbd1489db0f46b2be29f51076dc

memory/1984-28-0x0000000140000000-0x0000000140234000-memory.dmp

memory/1984-29-0x0000000000D40000-0x0000000000DA0000-memory.dmp

memory/1984-35-0x0000000000D40000-0x0000000000DA0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 2c4a03545c6ad18545b6d70bed32afd2
SHA1 578e7755032743c714ea60ccba5babb057ab3fd7
SHA256 be43bc420cf01ab9d077387a6741ccda46dda472b5529073f071e126dd989623
SHA512 0a9d83c7d834865c9c6a21788dfe6628a64f8c1056c3872537a8ee6bd128071d41eb5af71f6573856160e425ebd2f70df387a5188392d915322fab3043827e6c

memory/4224-45-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/4224-47-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4224-39-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 589f57f15ed7cf4157f08fbd2ceb48f4
SHA1 a92aa2d00875941f50fb021a2b3eb67d8f9054f9
SHA256 a71a32469646fcbdd003032cb369725377b244577683c5289bff9b709fd20e8f
SHA512 f3c0e58fb9c8defd1467f1c4800c67ec3b1a02d69a69c23a4e62a7a39c57862491f63340926c04842cb16681e98b193a95cc4e87e91ac307459b59cae65aabe8

memory/4748-50-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/4748-51-0x0000000002240000-0x00000000022A0000-memory.dmp

memory/4748-59-0x0000000002240000-0x00000000022A0000-memory.dmp

memory/4748-61-0x0000000002240000-0x00000000022A0000-memory.dmp

memory/4748-63-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2056-72-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/2056-74-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2056-66-0x00000000004F0000-0x0000000000550000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 31e99d5443ed5f43071355770300f7ba
SHA1 cd42509359ae270775df8eb95f3f0a7c4eb69d6a
SHA256 1a3ef6c5e7f372c92bcb1ab28f549863e16a6652e25d264b3fb84dd05f10a1c8
SHA512 5a368626d0918b9c05cbe5905c3e91fe8e5a1b9c66436b6b9cf9771ddd2eb9741589d05c7ff463e93e21a4a4ac29c86cd0b10c22c087bddb321ee80a4fd11837

memory/3312-124-0x0000000140000000-0x0000000140191000-memory.dmp

memory/1984-227-0x0000000140000000-0x0000000140234000-memory.dmp

memory/4224-231-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2056-233-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 9685320185f9de5786633b9568e65957
SHA1 1e7fc375470913f422516120aac49576b7b2acf8
SHA256 815b2a509b568e4071090c6b7b00b6ad1fc0ea50863a5a77566932bca32a37dd
SHA512 fd1fb422d90286e501ed1b28caef2d97ce5d0bc52f11d08064d7d6863120841043edda81c9b20465965aa4c4584523a22bf9a228eab6866220fbfb6715bcf9e5

memory/4176-240-0x0000000140000000-0x0000000140190000-memory.dmp

memory/4176-241-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/4176-247-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 77175ac9155846b4c68f52ba3dbbf9c8
SHA1 03510838cdf6903700e09e195d53be01a28902f7
SHA256 d92b9c999702a7a4dde10060316a9f394b9580895a8b6c842aae1040857428a3
SHA512 b839c13187989bb88bbc78ff2d0f6126a80858f999c12492eac262b45d07460f09c2fe6d205056253b69b22b2d35cd26e0996387c4b6d5d7555848937944a413

memory/4236-251-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4236-252-0x0000000000530000-0x0000000000590000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 836e224b25ffb0c4fa7eb922bcd4df6a
SHA1 215070fa73ad8b404335aaf50fa6528933a2b540
SHA256 54a93b5e24ec40b2c4e0851f99ffa320a43476206352ce75436be99988939ad7
SHA512 e7d478eac2ae3e0168b7006fc93b6189c129c6581f05bd23247b142ab57ec8bef06c77c086396e24907792ffe11586bcf878023c288e242596f0103371c8d628

memory/4236-274-0x0000000140000000-0x0000000140135000-memory.dmp

memory/5016-263-0x0000000140000000-0x00000001401A0000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 44f5f90d716efc481c1642300675ae81
SHA1 2a76a28b9e2ca0a946c99c3b223f8a0dfe70f93b
SHA256 5d951ceda4f2e8024c3f750546fec3b5aa68639aa45da2c9bb70be46ebfd7bbe
SHA512 d4fbd894e748cabbaf15331b2279b371f346bdddb3187c302244df117e0005e3c3ce08c55b0e7e0f51422a9a29097ad3f9eb1b9cfe45c77c133d1d678fce9db3

memory/5116-286-0x0000000140000000-0x0000000140192000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 4ee8c3f3401c286ca037ee594b10c32f
SHA1 c513570d0e4d80958c0aa891858d9c2eb4aa33e9
SHA256 8010913a4170df34c7437b171aa22e0b1bac2c5096d232ed93974eaf9f7e6499
SHA512 55c18e155a840e7521c4e09fbe2a1ca6cec0849fe7adc93fbdc0cfb1050a72275ce0436a2a43bc7fad116a6c7ba3d73ca09f311c73f66b8e8d8709fea0d1db02

memory/2260-292-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 0e722440205864de5473b8471127fb1d
SHA1 c6043c340ddb27c7e2d03a672851eebcf001a358
SHA256 f903c40ba9e09344b28b65fb11e0ee849e57141b241c5ed47d958184c2decca3
SHA512 f990b6dfd0dc15efa0e4ee41658ac4deb58dee319f1273ffd83102910356065ad204b6790434c74d47521d8af10cd7fca0c682a96babf89f7f2e77ac1c355804

memory/4712-295-0x0000000140000000-0x000000014017C000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 ebc0890d79e19a301c26d24f2b429740
SHA1 43cab3ab75d1458302f82f932125a32116410f2e
SHA256 e082a94f60e8b106be6dfe7cea30360b8e04360a63024c426487c6f6047d9565
SHA512 231d0f61977ba900cf99f23210e850343d0404926d0b7e3f96a889685bf2c16eae660ac78bc66d350b98bcc25288d0ad9f19e7e1e00a01431708880384cfb97a

memory/4808-314-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 1201b1486490c7a869c35e8767859966
SHA1 d674a42da51e8efcd54198f66da698bb56a1e224
SHA256 e7b89b041ac3e45f009df117b70492fb59d2e1bd6eb6e420c1489fb6ff826f5e
SHA512 c837abb63ddc50da219b8bb2bc106b0a715419dd0b55655fe296dcd307e7a6851bc1a3ce8f859953092e4f4058b5ccb22401c8e80d9d13383ace3e690cb3bdd9

memory/1288-324-0x0000000140000000-0x000000014017D000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 bef6c9aab5231da4c2f0006643563f04
SHA1 d09d8e305fe3f5d56087002a00a08aa666d44777
SHA256 1aafc94d6c24664609bcbba0edd6a85683b4230f0991ec80b0bc151efc1243c7
SHA512 ab6bf86a9bb7b26c6ea9e7e4499585fa72acf4e65fda2b8fc7ab1896e75f2c46bae5051c282e2f9e13f9dc8aa832af136f35e5038d63fda5fa7ef417efbce46e

memory/4292-329-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 6bd8a05b6a6accc6da43b5c04961f175
SHA1 584b9854ed50e6772677430350a5a0e753f6519c
SHA256 7416fbb62a1cf11fdfa940ffaf23668674f467e49368eb94290e19842bf67bc1
SHA512 429d38e6f43edd79783812e32deb19cabcdad18fa47cd77cf361e22a6d5a044f8168b60e6440ab52a3cca929b3b8807feeacf20a8969c490ddb237d031c92923

memory/956-349-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 f69fece397b51df8c5eda50a99ea5c7b
SHA1 2a95c9588ee62024b90414ee6b6618d87cfce254
SHA256 638caf3bbfdc41f2793794590fdb3c3f09952c6b2ce3a7ed221e0404397be248
SHA512 b209ea646ab90bb1925c80a34b9e667ae1d8fb46f65a40742ae782e2f65a5626597676328b89da91e33e78d38b79407dc5836ea84a76f94bc90fa21a9b446567

memory/4648-353-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/4176-352-0x0000000140000000-0x0000000140190000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 8a5ff7d29f7104a667a2c9cf87b1798a
SHA1 d345480b0389b5b3e080183926c657deabb77a3b
SHA256 e43e3ee9067e4a89c1867b3ee3e23862cc259318a880ce6819663a5c5a3c38e9
SHA512 d03fa6173af7fc6c1ba7a7cdfc77f493cdc739415c6cdb45876cd51cae57570057f4873136beed5fabae84f2c1175d8890e652faec52a4d8db31fac4ddfdd598

memory/2304-372-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/2304-376-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 066c9927be33677627676be9bc277a44
SHA1 a6c3d3f70466c9c71bf705defb1485e3192ff06a
SHA256 6debbfdd6cec2df567889fa555ba1bac9d8be9679840b16c9bd38bbdadcff562
SHA512 ed9218dd48d3329a294a20f95747c94374372d1f217ffd38ae557cfa67c9b0ae5302b2a3c9b7de8dc399ac60e63650e78d4b30057f9082c11b35a63bbdad2e9a

memory/5016-386-0x0000000140000000-0x00000001401A0000-memory.dmp

memory/4408-387-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 a179396337fdff6b4e0978a36a596b1b
SHA1 3d42ea9c2e0f6c244fb3a39ab6702197db73ca17
SHA256 e19907f43d5f911250d53e9a8a1a093ff4845bb117fcbff101969d387310b28c
SHA512 53d227a984069b1b900eeccd2f95ce6082efaf7461d468a286fb42b7d2586beff6796a299488dbeb83dc1d7db4a89f243b561b8a3dafcf5b826dff9e60ef01f5

memory/5116-390-0x0000000140000000-0x0000000140192000-memory.dmp

memory/4708-391-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 e49dccfb1ec6246eae84d1bd20ed362d
SHA1 2f3f881c74fc1b13e3fe6b52ffc53c3152794c05
SHA256 aa1c006429c023b787af1ef4aac98bf2315103062fe689f7cf0ca908afef0a29
SHA512 0d58495bdce47e1e4a2bf15abba0af3f8d9ef66f9428c30c6b91f8ccecda8cfd0948ce52081498311d396d5fcf7e2f2d4f92863beb1f9d9b6c1993f65ebe7bfe

memory/2296-403-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2260-402-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 4413af54500d274a8f3ffbfb44ed34f1
SHA1 c951172c88e0423f84b190d3f14ff56ce68847f5
SHA256 bc2e7aabdc5daa67512e7fd64218f01439889602322696e04f9b9472be7c0c84
SHA512 2f8dcac387565564e5379360110ba44605d175954ab1894584070a37bdd9125562422669364a516903ef6156f0b2507320c66a3c1b880eec1d5d0c504ff0cc26

memory/3504-423-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/4712-414-0x0000000140000000-0x000000014017C000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 31e0cc5ec6cb24477fb58ca19000ffce
SHA1 3da19968a48badb5a592314457d96821c8921de2
SHA256 1e965bd796f6d9397468d4d0b1b2b66a820d1e4b6fee5572af015e688929974c
SHA512 e925db7088d57a4ffc92129ec856f43bb2691259d245fa20f48ac78115014eb2efe654506cddd53e829eb6209cda1193050aa55a81c9789d5f9808e5fc1448a7

memory/4808-427-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1184-436-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 429810c5df6c03cc3b9be88a6fc75a39
SHA1 bb3d2aa7219cdc40a7fe07b702b74d98de3967f7
SHA256 18b1f737046780ad800b77b443607a22e1f008d0a0b6ff9ade53487f9a839ee3
SHA512 7c90ea787a001e5a533b312f3bccbe07ee5abb241abb4ac9be8eeaf64e80899a46ff3866dd856fc5b2f8f9e40822e8accac29e394a174e134640bc6f977a42b5

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 cebb179af426a29b3c7c62bedb606cc8
SHA1 190cfb09e585c4bc1fecb24418dba5a019ac3571
SHA256 bf8e2abfd73ce4a32f843ee395dfcd44ca7c75abcb2685cee899f8a0ca7cf21e
SHA512 98dcea816aea5eee41ee479e3a8de37547b7d4a2a8aba440c93d66073b93b4329c34c84ed57d0c13b2d74d0ac93854f6996fd3c8885e925d220d69755ded822c

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 7c7b74323607a45ffa4daa917e13028f
SHA1 259b66ee8b2badfb7f0a3ae2cb7efc1ad884b27b
SHA256 8f5dc1a2a40b474e1a3389ac84a135aecd05a768de58c2d81e90814adc4ed9fa
SHA512 e93f2cadff783a4347370e11398ccc9cbf6fb0c1086e5a8689c53a561bc98cae7e5dd114d9720d9573977d8b6cc13b19d5f59804d50eabea9b25ede4659f1851

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 bd8932a0a0e7b3faf0240c09edfc62a2
SHA1 287d96f13f90ca5c8614a8ee42739733316f4922
SHA256 6c4c10087bb28f21338ff3ade10988d9104655194d2cd57292514668d588f8b8
SHA512 46dafefedd019950d67a949d9fc3bd061f398f25864e3a8e9e38fadd5ba5b06658bfedf732a0931987c0fe676d8758d557f13182611036815f2d80aaa3139bcd

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 59d9b7778fb9fb3155b8b19b91930679
SHA1 dddd50cd77d096c3cb1404b6975663d227b5ca4e
SHA256 f1a81e19edbd236d2516e2c97533f4e97c455236314ab04eb7fca73410377659
SHA512 7f83268047b8cf19b031e30d57ac2fba0001bba6b81def63cc1c5966fecd2ef4e79409906923aa714356565be8284fee9db627f5ac18e4ab879f7aa10214f6b2

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 49f8890f68d4982def25d314927b8be0
SHA1 ea3fe9d0f6ec80b3a5c2f94fd1da0ca33c37e572
SHA256 3363ba6d9798ac8721dad41fc5e48aca433db3f0f33570dfc9ac16cb387c74fa
SHA512 439113b3ba6fb0edb0cde34c6dbba7b7e8d71c22dd3f36202599c6b1fadd48011dd555acec779bec3b4de7031a9bfcb2a5bf25376250073b7e51b91d09a75557

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 6955b4f551c2ae6fc3c97a5819c6d588
SHA1 164d4d14d487ab5a300a1b3f481ac307175973ce
SHA256 8b96300f04fb107de8f5a64adddfa759e718a77a41c51cb2aec15997dd846bae
SHA512 e5d19604598f99e134f6f9d2e1d6b3a354e055028cf9c83a4d5f5a4d1f20a3ff2372a0c17dbe1523c3c076c2f92becf2a909be9ffe9ef78ebbeeae9aba0da199

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 dab339594c5b993942ff347f459297f1
SHA1 4c2ec9acd67c43615f9c5dad74beae368df74b45
SHA256 81f05fa684cfd9b0c0bbdec7835e15242bde0ee9a7596445d89a5d0e0805234a
SHA512 bb0e82d5f53281b55dbbfd9c11dd67b09edf2922b6295fdc134bd5374721910700500c4622e7ff9a882941453db288e779887558522643510372c248475662b5

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 4d5e741d5ce1dea9ffe7bed1bd9aded7
SHA1 2c9bf5a78251bbb0afcd9aa5e7cf3a2a0f26beaf
SHA256 68732d2a7c6f658ce419a6f0f2600bc3c105d15adcdefc8d2daf3f7ab554826b
SHA512 75e73c6a85ce9a048428ae3b84d399a21a156ac845861550ddbbb0a01aa45eed6d6a4a8bce07e253eb11368a9ef90fa2fc824531acbabcdea236edfb0ac49046

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 902553b9eb699e06f29f7c308abfdac9
SHA1 09a2b69e9b0e48ba50536338aae667911abeaa7e
SHA256 0e21ca73f8b8b320d8e92187ae476ad5c5f156ca559a001bbafc2922d7275566
SHA512 417aca9e59febff1c758fbb0eb4c69bf7139160ca41445f0065c1e0d490a37b859d28c39ec3af293edf2bdd11909ce14ed7dc111c3fd343f2de8d445e53beb7a

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 940bd96bdc0809b9e24e00f758a3a4d5
SHA1 845b19b989cd3d34c241c579a2deabe0970672eb
SHA256 750ff86637a5f9d37d162acb5782e29b4925d833201de3e6d6e1f7700d0ed555
SHA512 3b8db963d91a2cd2fb311260cfb95fd255d6b5f79caecd9408bdf93b330e37efdb63c98681c394d748d7e1df2f91b820524e5e597dbe21b75af8947efd5f4272

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 67b1a331210eeb859ccf3bb0d13daf3a
SHA1 4743b1b324e67ed3527562ab0577be3e596b36e1
SHA256 5d6f60ff7019654e2fd0c072cdcdd8375d2d622be558ddc42d5bbabac30c6c5b
SHA512 58a276554e58e19295ec36982b451c195b0a971e29dbb4e92a7a92d9b08f8fece68c240d2094dff5e5663e9775c949ff32e553af5f02f36e2de5f469aca85bd9

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 b67f91be0841709809cd8bb7ff3d25e4
SHA1 690431c93962afe08adeacccbf9fa915a71f2e04
SHA256 4db2b570e8eb48cca7f827dd725476cdc1f4aa1b1a371dde36bef6c09151cee4
SHA512 d88dc3841d2d1b622bacf05f2db87a70803dc4f8fa19059ca1ab02067cfeb67b026a203826e3eabb75a9f6d104e8cf467c4920c0fc00715f8ede0b8d3c9839e0

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 ce23a872a0bd316caf62b8b1455f1538
SHA1 728cf749bf2bf43718882c00fa15b229dcc36d9e
SHA256 52ff2fb256384dc4cc18021c6e74cffe8c358e9c0de9570081b9083119cf92c5
SHA512 765a7327e7959a9b3e2ef69c658b2cde173c420e4750eabad5b2aef7d5cf6f5fe5f733c2db536414fbbb90a39741b5c3de5a74a7265968944dc1b5afb43f4df7

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 11af79f241cf87fe97d62d48df7cee6b
SHA1 f1f0a094ac65b3d75b1507d66dbf8bcc4a3c82db
SHA256 4a14c8c2b05e8476534446f88fa10dce33aec43d40fb28f2c56dd675abfd44d9
SHA512 507828acf3d56322aa785f71cf1c570b0c5f2b032f0687fdf4fee6999e689a75649810c12ea563039d964400cb580789281248a19bfcec269a2a2078f254d80c

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 40fe1b9418a28a01c8cdd7c28965ac29
SHA1 0741b62fc8e9820386afcde67ddbcdbaf67139a6
SHA256 4e26bc2e7e4d0bb8b5273ef59bf3ef66fddfefa36b8decfea3acd0177269280f
SHA512 4bb3cfd00b96e93a2e24b4578b74b1c329027ad729076c677187053f38dbfb090cdce4a5fff8490ea3e3897d4c7f71fd4aef776eb7b3880ec9f3cb2eab8fd97a

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 25c1c9f06f09d229f46abf847c3bb3a0
SHA1 3ad0bf2945afdd772300819add00fd6fcac7e4a7
SHA256 ca6e84c267c00f33e619fb9abd8510c7085fde3339e2d2f82e6c3f03c40137be
SHA512 591eb21ff873cd90e84d327ecb8bd0e77e6bf77241ba968ad55f180631b47d8c76ef48f17e531d7580b0170c53daaf6c096a009a34b6e155d583754da02322b8

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 0105abe10c5d060559fb49c57033b3cc
SHA1 fed5cf56367f79fcad161961320249c9fc87ff66
SHA256 d149ed321f3cddd0f5b376f845067e60579472754d5a23365dd9708bed2fa67e
SHA512 9fe70b7762c7852fe78e0acc5e46f819f2d6ab7123a399fd74f7ddbe1fca1a670cf13964963999d1f07b1ebbd79b0cfd5ce231bd230a3d7b5ed6de04fbe7a899

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 1316243735711c8335eec80d2e92e537
SHA1 7986bb41176e0cdfd3dad8f65d8fa5bbcc89d030
SHA256 10a6ec80259f2fabc9fa51292b78882554c727a0ca1b13fbfb7ff974e257e5b8
SHA512 cae8089ffadec08dff0c8bb32e7cb8ad6988194c1d48db39f21d66604bba8c5b732f687a79bc8ff436995d3a6a2d9eff6e5b89471e520f991bf091b2e88ab829

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 582e91f22fa727a11556975796af56dc
SHA1 ae63020bfdd1e0d367ae8362b93475d5f8a89843
SHA256 24ed96e6fb998e65d56fa8e1d75a4aed2f54eb47cdb7f99d3cdbc864a319dffa
SHA512 56ff3ed4c7d1b1a37b71bd50fe3493e004d2f3dff44a67529d9f5b3d7c2503444a173cec132426e4b5786277c1cc50469225ad3322c2362c37d086cad1792484

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 7de83f59c7372fc1bec24a0cf41b50f9
SHA1 56cb844e76b7f58344ecd749c5976ef5c57a2fa8
SHA256 6396c70319ecbc46462cf778530a5214955bfa409cffd97cc4c6b52d9a898d4f
SHA512 3ceb84347cc6ea51a22e70ffda06e192d1204016e2c60ef15b45a771e8e988c0648184f208048bb45e37eacd4e867d16136f7419099c203b5bef96614598eed1

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 013ae0c21d68e2ace0e69ea166fe9350
SHA1 68bf07a2729a519fac0b1fa1531bf71a2d2cf11c
SHA256 4383d70f66cfbb5fe8246f0c3432797a408f227760762f009d9d1ae93c0ad4c6
SHA512 ad6184bde82667afd51cd3520eda2dc66631b70d4fd0faeab66dadd4091f769033083e42e127ad609d85ab33520581621899af871235ac168ca5b9811ba07199

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 f6ab221babeff659601a24f6c9f633a9
SHA1 5a34ed318983537b3c035d224d486cd46aeb0168
SHA256 1c471d35afb08625708818b1d24f9519d1efcc515c8fcc319f8ad87660919e9e
SHA512 7d7f7313455c1c23cc41f043ac6f6a274aa0f8366bf7d3e57d38fc5e245a2419c9c0d5ea386cb904fa59acc21e32d6fc286cbbd5782cc6900af64b34d75eddec

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 709458b04c8d48387d39f801c561206a
SHA1 ce413a51ed02596d3ceb0d69d100fabc7b7e52ce
SHA256 34eb1b28b5b7003f6e8a44634147e7846a1fa103c13040660e5653963fc16f80
SHA512 c337d7533a482f394fff9de34c2b59d689366ffc7b43aefed10637e38291206e9d8615f17b004c636a19514b12150fad532f8bca6b2e10619aa1f74275299121

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 3c87b2256071d1bcf4a9b07d8dc59811
SHA1 34094e67d9abb0b4ba0d7f3ae3047336a8de765a
SHA256 4af07866969da5eb81a0300fc3894ef8f5bf5ad6649c19391f22972d70825dd2
SHA512 0eba61f51f56cadd899401af930a4a609418b45f0afec84b761e57d27f46954d8043927836288ee494ca2f6d3bbac1ce97fb206fca9d571a0faad4d8484adec5

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 c58b0e0a00545b2d66006b588be3057b
SHA1 e5fc5356e82bf43100eaeefd84c92fd65bf57af3
SHA256 006ff9f63be5db4c9463fc0adb35bb63deed4ce2cf1f04496058f8ac2d2e6a2d
SHA512 4ea6675f5ffcc47301b0f89be8ecbaf1cf4fca631e26436533ed2ba98724c8ef6ad412815573eefd469302e5360160489ac289b8b050dbcc343e37e58b4a1977

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 fa12161d510c634846cc72a82e842ab4
SHA1 21d939d0648e478d8067610290dd3f6fa06ba8c3
SHA256 c11d96c4b5eb59064dca7d26cdccbcfb945988b81e3447b189a56d79f3abb6c5
SHA512 551baacf40f940fee65e1f1d2ea57cad65ca08ccb5fa2d049982959fd81e41085ffc0eaa4fd51ce3952f9cea1118d57ea3201e8f9b612cdaae601b6dfa5bc92e

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 77dd3250d5572214effd24d0373847d1
SHA1 a20fc995402faed792b5cd89775c18ee00389e71
SHA256 29cabbc7c08c31000f4751c4b5f62cf86c9612a9b84a31fff650beeeeb7f2fb2
SHA512 76b8211b5ec4fd0a2af67e332f6d73787614bb1873b15bbeceb68defad59a35fefd26c6cb6f4f53d49fe5cd410ff4fdf2518cd2b44bc0b375316cd9fde4730fa

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 5899c5d77bd21ca82b960e06807d4ebc
SHA1 dfd91d4c87b465edd53f7366b44c20381390915d
SHA256 d19ad4a1d1722e91f2e513180e984de9ad772173e46cbdb681a65f5a10ce9b70
SHA512 8c86b983fe5d551b87bec324ad6b1ed5ecdb40f8117af35261a654bbaaa0c68a315a5af17b0ff00c1ac1284554bf1897da1236c479cd501a236d1a4e0087843c

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 6ac68686511602d1a101eb28626b035c
SHA1 79a7f951767be233c328e9a3418063fc05b1ea6f
SHA256 09bc6dc4cd634fccf48f53e540741e30a93123321faf0eb6784d0d8e85643faf
SHA512 f971f0d89201f21ea20e60006991fc9b113df13fac50ccca17a88b53775e2d88777c695b39a2ef1ad53485b2594f8274780aabf37e3301b21b53c66b599016a3

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 752e065d86b5b071f0ece7a117819b83
SHA1 a5c111a0494b771e3238dd0f036518be145b0efb
SHA256 39138edc99546c6aed36e36d1588bf1a45625d558b152486d4369e283754b3d6
SHA512 448affd4dfa544cded897c8f00b1825b7eac90c126ad0104016ef88d962c32592e4fa09778de9cfe1d3260acd43af0ffe416cf2fc608c16abec2bee0660f87de

C:\Program Files\dotnet\dotnet.exe

MD5 1b92401a4daeac774e2e7a4010833b14
SHA1 4a04fe2c979c63c73ae84daacec0cf3ec0f6a678
SHA256 aca5131e80589ba5eab0d91c2b38c1181b405dea643f8f656724c8cbd2d2ed90
SHA512 c8c314cc44b597c943cd3287a53cb90d8ef8a4f305a6747f1172a06bee62877104c541c5e9ee1f2848e3aba97044ceaa6d7523b8ed34c6fed178d451b434558f

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 cfc3b068aac832bca741b7263a541667
SHA1 1ddd00d19e78bd6a492a76dc53a44736e8866ca0
SHA256 7c6c38d3788948ef39753c5c1f2b05af312f8fd0dd846ade721e36258cb9dec5
SHA512 19a123727ea13fa9b772fbcbb1788cd3a6b64c5d1416e5edebbf14115cd0483eaf51f77e7569c70790b3a602572f4c506b3eb8f911db5adb860866ef10d4705e

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 9c677ba6e335a21975f72e76f3f8af21
SHA1 ed0847b86a8ecd5a40e12cce7fa5ca4955121835
SHA256 25d1069172e2f25a6e183aa393efbd10ca3cbe97c01d27eb94d1e0ef725d1ce3
SHA512 81e84c61d00f660a78975f6b9a03a36a637a133fb58083e214496db30b01c9db3619137b463f659373b96b34e9e6c1614c2570cdecf7d1bcec6cb915d92700f9

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 fd9cd5b66362f75129d6b3162bc0843a
SHA1 4aedd627f0a96b0c6b14ec8bb9e803fcb73d47c7
SHA256 f4b732dee585e9443cd76bb44a800d7734a4b4ae28646c828113765c01e6abb7
SHA512 f30985689f30db3e0c4c855f6518d24a67a0e7990f30c71f3e944bb4b7aa537f0a0f2d42c8960b62e48325ba956836e283f2adbb26526a151ff13e8f86276d37

memory/1288-511-0x0000000140000000-0x000000014017D000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 76137ef0849eedf5ba1c4b7c898b686e
SHA1 232f78959bd123b33aa9e94925007fdd8901b0e2
SHA256 54f01b99ad2958e4f45047f7a446fcc534a13d3ffbbb0da575a18aff66dcb9b5
SHA512 b581342354396ef8f6d91c7b763e3f30f481ccad5bfd172586a64cfadd05203d8e784e6ca94a52f02c373d77690eac0c6a6b0c40f6c490a8f7f73781fe55c82c

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 b53ed81dbac26725a4b0ccdb6ad48354
SHA1 13d0b2b63978ec1fdf337454dff7cfb026152f27
SHA256 0818c91e1a6637f9e0190289a359a3ba362b82e860dbdc32e45fab2637d0228f
SHA512 6805108f40206d50faa36458c7060b5d4e359fda5fbdcb9c92c0eba5f1dfd85c4c31a4f3578c4eeca95eaa028a37e08bdb68a9a6874991912affddf8428d8fc1

C:\Program Files\7-Zip\Uninstall.exe

MD5 aa30da41f721a539134675ab426f9ca6
SHA1 5d465a8e1a61071c51c17fcd94155ecf27dce5cb
SHA256 108fbc94904b87a3b63d258b73028e728a96c84f2b7beeaf64874fc8d505c5e5
SHA512 0f907f8c6d0f73ecbddf0a844033c97ac63dd9d5ec7805abd1a44681e14a855312c2b9a2b441c2ffc0b423374d545a9cefe6eed10439b48964e758a483064b74

C:\Program Files\7-Zip\7zG.exe

MD5 aae97a656b5201fa91cd467a6d64a81e
SHA1 464febe387247ceb9e72ea9df986cb651e652c63
SHA256 d431e6f9e6ecf80a53ebff7337605b41b4b6d09cb5b4d6bda92f0092554da273
SHA512 4f21a92ccd9cd8bd4732633e126033043241c53b4c9e36c740354f6a80a6555e31e994a9eadeb3ec5591d3151e2882732a96a33460134b27e4b6846dc00c80ae

C:\Program Files\7-Zip\7z.exe

MD5 760bf9bf7dbbcf8ef20d360363b56761
SHA1 f05ab5614a25b6091d381adfcc29d07a5d2e3868
SHA256 7bcb16efc89bf761a4578c913c6ce4585790fe853f3aed9f2784eaf122fe4e28
SHA512 417829a6e0a593b5eca479feb0d761a21e6dee801bf63290808b5bf5b33286a2c5c348a3502bfb197002636ab849310de8737c55b5f88581ed1daadf2b3517a6

memory/4292-514-0x0000000140000000-0x0000000140169000-memory.dmp

memory/956-515-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/4648-532-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/4808-551-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4408-650-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4708-651-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2296-652-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3504-653-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1184-654-0x0000000140000000-0x0000000140179000-memory.dmp
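The listing above is the report's evidence for "Drops file in System32 directory", "Drops file in Program Files directory" and "Executes dropped EXE": each `C:\...` path is followed by the digests of the file the sandbox saw written there, and each `memory/<pid>-<n>-<start>-<end>-memory.dmp` line is a region dumped from a live process. The following is an added example, not part of this report or of the sandbox's own tooling, that parses that flattened layout into records, validates digest lengths, groups the memory dumps by PID, and compares the report's SHA256 values against files on a host. The embedded `REPORT_EXCERPT` is copied verbatim from the entries above; the host comparison takes an injected hash function so it runs offline, with `hash_file` as the real hashlib-based reader to use on an actual Windows host. The image-base hints rely only on the linker defaults for PE images (0x140000000 for 64-bit, 0x400000 for 32-bit), not on anything the report says about which PID belongs to which binary.

```python
"""Turn the flattened 'Files' listing of a sandbox report into usable IOCs.

Added example; REPORT_EXCERPT below is copied from the report's own listing,
everything else (names, record types, the hashing helper) is this example's.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Verbatim lines from the listing above (paths, digests and memory dumps).
REPORT_EXCERPT = """\
memory/2260-292-0x0000000000400000-0x000000000057E000-memory.dmp

C:\\Windows\\System32\\Locator.exe

MD5 0e722440205864de5473b8471127fb1d
SHA1 c6043c340ddb27c7e2d03a672851eebcf001a358
SHA256 f903c40ba9e09344b28b65fb11e0ee849e57141b241c5ed47d958184c2decca3
SHA512 f990b6dfd0dc15efa0e4ee41658ac4deb58dee319f1273ffd83102910356065ad204b6790434c74d47521d8af10cd7fca0c682a96babf89f7f2e77ac1c355804

memory/4712-295-0x0000000140000000-0x000000014017C000-memory.dmp

C:\\Windows\\System32\\VSSVC.exe

MD5 a179396337fdff6b4e0978a36a596b1b
SHA1 3d42ea9c2e0f6c244fb3a39ab6702197db73ca17
SHA256 e19907f43d5f911250d53e9a8a1a093ff4845bb117fcbff101969d387310b28c
SHA512 53d227a984069b1b900eeccd2f95ce6082efaf7461d468a286fb42b7d2586beff6796a299488dbeb83dc1d7db4a89f243b561b8a3dafcf5b826dff9e60ef01f5

memory/2260-402-0x0000000000400000-0x000000000057E000-memory.dmp
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a Windows drive-letter path

@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)

@dataclass
class MemoryDump:
    pid: int
    seq: int      # the sandbox's dump sequence number
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def image_base_hint(self) -> str:
        # Linker defaults for PE images; a region starting there is most likely a
        # mapped executable image rather than a heap or stack allocation.
        return {0x140000000: "x64 default image base",
                0x400000: "x86 default image base"}.get(self.start, "other")

def parse_files_section(text: str) -> Tuple[List[DroppedFile], List[MemoryDump]]:
    """Parse path / digest / memory-dump lines; reject anything malformed."""
    files: List[DroppedFile] = []
    dumps: List[MemoryDump] = []
    current: Optional[DroppedFile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # digests after a dump line belong to no file
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        raise ValueError(f"unrecognised line: {line}")
    return files, dumps

def dumps_by_pid(dumps: List[MemoryDump]) -> Dict[int, List[MemoryDump]]:
    """Group dumps per process so repeated snapshots of one PID line up."""
    grouped: Dict[int, List[MemoryDump]] = {}
    for d in sorted(dumps, key=lambda d: (d.pid, d.seq)):
        grouped.setdefault(d.pid, []).append(d)
    return grouped

def hash_file(path: str) -> Optional[str]:
    """SHA256 of a file on this host, or None if it cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None

def match_on_host(files: List[DroppedFile],
                  sha256_of: Callable[[str], Optional[str]]) -> List[str]:
    """Paths whose on-host SHA256 equals the report's SHA256 for that path.

    sha256_of is injected (use hash_file on a real host) so this runs offline.
    """
    return [f.path for f in files
            if f.hashes.get("SHA256") and sha256_of(f.path) == f.hashes["SHA256"]]

if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    for pid, ds in dumps_by_pid(dumps).items():
        print(pid, [(hex(d.start), d.size, d.image_base_hint) for d in ds])
    print("on-host matches:", match_on_host(files, hash_file))
```

Two caveats when using the output. A SHA256 match on a host means the same bytes ended up at that path, nothing more: the report lists digests for paths such as `chrome_proxy.exe`, `setup.exe` and the JDK tools but does not say whether each digest is of the binary before or after the sample touched it, so a hit on such a path needs the file's Authenticode signature and version checked before it is treated as an implant. Likewise the image-base hint only says a dumped region sits at a PE default load address; which dropped binary a given PID was running is not stated anywhere in the listing.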

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 03:57

Reported

2024-10-26 03:59

Platform

win7-20241010-en

Max time kernel

15s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_b06c0b4fa27fb529f88ae2d0fedc528a_ryuk.exe"

Network

N/A

Files

memory/2344-0-0x0000000140000000-0x00000001401F5000-memory.dmp