Malware Analysis Report

2025-08-10 19:53

Sample ID 250703-gmbgfafl9v
Target 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk
SHA256 c697b3b40a2115c5c7e2d3fb2da0b3ac26b6caff42babcb1b4522128f008818f
Tags

discovery spyware stealer

Score

7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

7/10

SHA256

c697b3b40a2115c5c7e2d3fb2da0b3ac26b6caff42babcb1b4522128f008818f

Threat Level: Shows suspicious behavior

The file 2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:54

Reported

2025-07-03 05:57

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3387b3538bef39f1.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92906\javaws.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026329204dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052949404dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022723004dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019d43204dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091d25104dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094a7a704dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067bb9b04dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddc3a605dfebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
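Most rows in the table above are Windows services enabling the privileges their normal work needs (vssvc.exe and wbengine.exe taking SeBackupPrivilege/SeRestorePrivilege, SearchIndexer.exe taking SeTakeOwnershipPrivilege while indexing). The rows that matter for triage are the ones attributed to the submitted sample: SeDebugPrivilege, which lets a process open handles to any other process (consistent with the "Suspicious use of WriteProcessMemory" signature in the summary), and SeTakeOwnershipPrivilege, which lets it take ownership of objects whose ACL would otherwise refuse it (consistent with the sample opening C:\Windows\system32\TieringEngineService.exe for modification). The Python below is an added example for working through a table like this one; it is not part of the sandbox report or its tooling. It groups the rows by process, resolves a bare numeric row such as "Token: 33" through the SE_*_PRIVILEGE constants from winnt.h (that the sandbox prints the winnt.h LUID is an assumption), and flags processes outside C:\Windows that enabled a high-risk privilege. The path filter is only a triage heuristic: this detonation also reports "Drops file in System32 directory" and "Executes dropped EXE", so a System32 binary in this run is not automatically trustworthy.

```python
import re
from collections import defaultdict

# Privilege LUIDs as defined by the SE_*_PRIVILEGE constants in winnt.h.
# Used to resolve rows where the sandbox printed only a number ("Token: 33").
# Assumption: the sandbox's number is the winnt.h LUID, not a private index.
PRIVILEGE_BY_LUID = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege",
    8: "SeSecurityPrivilege", 9: "SeTakeOwnershipPrivilege",
    10: "SeLoadDriverPrivilege", 11: "SeSystemProfilePrivilege",
    12: "SeSystemtimePrivilege", 13: "SeProfileSingleProcessPrivilege",
    14: "SeIncreaseBasePriorityPrivilege", 15: "SeCreatePagefilePrivilege",
    16: "SeCreatePermanentPrivilege", 17: "SeBackupPrivilege",
    18: "SeRestorePrivilege", 19: "SeShutdownPrivilege", 20: "SeDebugPrivilege",
    21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege",
    27: "SeEnableDelegationPrivilege", 28: "SeManageVolumePrivilege",
    29: "SeImpersonatePrivilege", 30: "SeCreateGlobalPrivilege",
    31: "SeTrustedCredManAccessPrivilege", 32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Privileges that let a process read or alter other processes, files it does
# not own, drivers or tokens; enabling one is worth a second look in triage.
HIGH_RISK = {
    "SeDebugPrivilege", "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
}

# One table row: "Token: <privilege> N/A <process path> N/A"
ROW = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(.+?)\s+N/A$")


def parse_privilege_rows(text):
    """Return {process_path: set(privilege_name)} from signature-table rows."""
    by_proc = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        priv, proc = m.groups()
        if priv.isdigit():  # bare LUID such as "33"
            priv = PRIVILEGE_BY_LUID.get(int(priv), f"Unknown({priv})")
        by_proc[proc].add(priv)
    return dict(by_proc)


def suspicious_processes(by_proc):
    """Processes outside C:\\Windows that enabled a high-risk privilege."""
    flagged = {}
    for proc, privs in by_proc.items():
        risky = privs & HIGH_RISK
        if risky and not proc.lower().startswith("c:\\windows\\"):
            flagged[proc] = risky
    return flagged


# Rows copied from the AdjustPrivilegeToken table in this report (a subset;
# repeated SearchIndexer.exe rows omitted).
PRIVILEGE_ROWS = r"""
Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
"""

if __name__ == "__main__":
    grouped = parse_privilege_rows(PRIVILEGE_ROWS)
    for proc, privs in suspicious_processes(grouped).items():
        print(f"{proc}: {sorted(privs)}")
```

Run as a script it prints only the sample's path with SeDebugPrivilege and SeTakeOwnershipPrivilege; DiagnosticsHub.StandardCollector.Service.exe also enabled SeDebugPrivilege but sits under C:\Windows and is left to the analyst.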

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_9919f5cac21ac109d52310f6b86eb7a3_black-basta_mespinoza_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 c.pki.goog udp
US 44.244.22.128:80 cvgrf.biz tcp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 3.229.117.57:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 3.229.117.57:80 npukfztj.biz tcp
US 3.229.117.57:80 npukfztj.biz tcp
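Two things are easy to get wrong when lifting indicators out of a network table like the one above. The 8.8.8.8:53/udp rows are the sandbox's DNS resolver answering lookups, not infrastructure the sample talks to, so 8.8.8.8 is not an indicator. And c.pki.goog is Google Trust Services' certificate-status host, which a browser or updater on the analysis image contacts on its own; it only appears here as a lookup. What remains is four .biz domains and the three IP:port pairs they resolved to over plain HTTP, with pywolwnvd.biz and cvgrf.biz sharing 44.244.22.128. The Python below is an added example, not part of the report or the sandbox's own export: it parses rows in this exact "Country Destination Domain Proto" format, drops resolver traffic and an allowlist of known-benign hosts, and reports which IPs are shared by more than one domain (a hint that IP-level blocking of that address would cover both, and could also affect unrelated tenants on the same host).

```python
import re
from collections import defaultdict

# One table row: "<CC> <ip>:<port> <domain> <tcp|udp>"
ROW = re.compile(
    r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$"
)

# The sandbox resolver seen in this report; not an indicator of compromise.
RESOLVERS = {"8.8.8.8"}
# Benign infrastructure contacted by software on the analysis image.
BENIGN_DOMAINS = {"c.pki.goog"}


def extract_network_iocs(text, resolvers=RESOLVERS, benign=BENIGN_DOMAINS):
    """Split table rows into real connections and lookup-only domains.

    Returns {"connections": {domain: ["ip:port/proto", ...]},
             "lookups_only": [domain, ...]}.
    """
    connections = defaultdict(set)
    lookups = set()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or unrelated text
        _country, ip, port, domain, proto = m.groups()
        if domain in benign:
            continue
        if ip in resolvers and port == "53" and proto == "udp":
            lookups.add(domain)  # DNS query, not a contact with the domain
            continue
        connections[domain].add(f"{ip}:{port}/{proto}")
    return {
        "connections": {d: sorted(v) for d, v in connections.items()},
        "lookups_only": sorted(lookups - set(connections)),
    }


def shared_infrastructure(iocs):
    """IPs that more than one contacted domain resolved to: {ip: [domains]}."""
    by_ip = defaultdict(set)
    for domain, endpoints in iocs["connections"].items():
        for endpoint in endpoints:
            by_ip[endpoint.split(":")[0]].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items() if len(domains) > 1}


# Rows copied from the Network table in this report (repeated rows omitted).
NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 npukfztj.biz udp
US 3.229.117.57:80 npukfztj.biz tcp
"""

if __name__ == "__main__":
    iocs = extract_network_iocs(NETWORK_ROWS)
    for domain, endpoints in sorted(iocs["connections"].items()):
        print(f"{domain} -> {', '.join(endpoints)}")
    print("lookup only:", iocs["lookups_only"])
    print("shared IPs:", shared_infrastructure(iocs))
```

Pass benign=set() to keep c.pki.goog in the output; it then shows up under lookups_only, which is the right bucket for a domain that was resolved but never connected to during the 151 s network window.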

Files

memory/1416-0-0x0000000140000000-0x000000014019F000-memory.dmp

memory/1416-1-0x0000000000720000-0x0000000000780000-memory.dmp

memory/1416-9-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\alg.exe

MD5 a0eec0a5da7a7b325fbea7fc63657bd4
SHA1 7c2428f4c0378464fa9da6a5efa6a002f07d053a
SHA256 56a7e5cfdae28514340b79d381e2540b42457641c25b9cdd62f22751939868eb
SHA512 8291220e134c8278422ea654f3d1a4905eb4647004ef268c36fa0f5d8fc4381b8e709cd7963c27a7ee0001a92b47244ab36478eedc8da7c62ceae073c3396782

memory/1388-14-0x0000000140000000-0x0000000140148000-memory.dmp

memory/1580-18-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/1580-26-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/1580-17-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 b9648ae6091b6f3265e12e3916dc45ec
SHA1 c38a4f7fa84bdfcaf21db3d340859e06174bff9e
SHA256 c16db618f623d49d535423e1df96a16d2be25b36a12a299537e2a8ab6b3a4749
SHA512 55c3a54d9593ef980193979371a9bebfece9e35e9042513551fbb4d5f9769dd992fe7a5c97b10785e3d757a44d6a2b7b226c9139d11ae1f0c0be5096bb9be697

C:\Windows\System32\FXSSVC.exe

MD5 cf2ae184c02323b81da0c66f2fd9c28c
SHA1 524a7ae65376e82282cc9fed21c16580d6360dbe
SHA256 f3febe63ea87c2841a32a69879840b131106b1134a5e35472f9153e72283e7ad
SHA512 8ac816ed275742cb1180cf9e4310b1a3dfa946c4fa63bf486d32d867f793a77734c7190650b64010860d0fbf1ed110640a2aba8056aafae7f6a3069ea256ac5f

memory/4452-30-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4452-32-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

MD5 5188f499355658b0abda03a1dcbd0405
SHA1 008920a556ee08ca7501bce44edb2896c14b4e39
SHA256 8d4b1c12917b9542f593e6b4e1e0151befe3c85e65a97fe6d85f5c9d292253f7
SHA512 0a20fe90a77d8cc74a93c13fa311211c6cde746c882cae59548d67dc1f5594ea13e17a697135c90e26b5c9d7d4b4e0fa400a5f1b1d0752096809026bcef528e5

memory/4008-42-0x0000000140000000-0x000000014025F000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

MD5 5b2ff31ecfda32d6bf5d9ca07ee3ad50
SHA1 8eb72a1d74677130cf2b390eb58bc80b6d929945
SHA256 d0d936f4309e0aeace953c3361847883c6e4d18e3aa623432190a8b682033314
SHA512 c796ab2cd3c710c19b341a254f09081bd7efc8acbdbf4e3457858de0d7827e23417d124a4e104d431def72fd0595ba4c045ed8a7414f113b519d5ba54a42768b

memory/3672-67-0x0000000140000000-0x0000000140174000-memory.dmp

memory/4788-88-0x0000000000B40000-0x0000000000BA0000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 6e1a327b3b7297a48aa6f201e9d0020f
SHA1 1edcdf6646c5cb901be6ba1f70a3fc2e870cccb7
SHA256 7e2739b0b9a2ce1254426f3f20a222ff9b64936c09913f2af8bf34c3dd10c6ca
SHA512 8c5affe6972181cf08deb5df7ccb978e979c78e33877e18aad1659957f19e01e3bf8762d027a39e0039af8786c592db86531d94421864b4e1d02093815e09854

C:\Windows\System32\snmptrap.exe

MD5 66666fda6f3c5efe1d68a06336f03bd3
SHA1 0e936d32405b3921c912dff3fb8a36ecf6a36633
SHA256 cf616e545cfda039d3eaa5126559098cf164e477c0d1026eba40dba083568d69
SHA512 75d322831922d20fefc3bb4a58c6c489ba9a69e3d2ae635861508cd42969062626de6676a7772b2e4e1131adf753c983cf6ea7f14fac112bbcbbdded0bd4719c

C:\Windows\System32\TieringEngineService.exe

MD5 35fa65d6b5e145b491cb95536e30a7fe
SHA1 3e675587ec3aad18e134c45a88b2c74bdcac074d
SHA256 d730fcfef3228a77eb71a3d798be658534b1e84dc93ace0dc77f147a78ee2264
SHA512 ed19604869e9d946c2982a210518193e7e938b7ca24625e453d8190f26540ff6f2bbb311d2be99cb17c480807e1f00faf86aa6211ef9a976413ea9de7f78a2ff

C:\Windows\System32\AgentService.exe

MD5 e018206aae43f8196f34b50b0aefc8ce
SHA1 e6fb123225ce1dca9ab799b7b20c2ecc53da43e2
SHA256 7a8269da4d44e68e370cd8439c45d536e242db114701c597e5a84c91efda4091
SHA512 fd03fded8e84cd78916c560b38cd6d3b25dcde833adf40e54f1e038d5fe3a69de32232c7cdffb4a7f1f41f44097dcdc6ec3420120c1ecbeded0678b1b4aae21a

C:\Windows\System32\vds.exe

MD5 ab5883c3a0588d4de63ef37870ecb764
SHA1 1106377ae242b214fee329b1a5f1d2243aa7cc7d
SHA256 d9e3225b65e42732e5d95560e96b7c52d50029b291ab2cbeee01cb88e3e968ef
SHA512 53d9c4faa5570d93c9b310c6544feb222c6e357e5857e7a8a59be0fcbd643336d36fcb25540f0419dc886738cbea430b7d78fde3823ca763edc586036934f2a1

memory/4116-138-0x0000000140000000-0x0000000140266000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 018cfa7f79043c1d64c2885521280766
SHA1 e38d636058fb3504ae0b96fe1439cf93be270f74
SHA256 885f9225e4c40d03e3cb32f72d3583fbe358f157677c9294ec56b9bf56b81bb8
SHA512 b2accb0b0aacdba4e2db74517671f89dd2aa26a6756020a42c8fc8fb26463c9abc0bfd48caa973091609c3d41362dc95da8f7e2bdf45191a3c5883bb7ea1d77e

C:\Windows\System32\wbengine.exe

MD5 0f371479db2f2f54b1f035db88ca49f1
SHA1 e7a117f82647a217daa254d8cf60d4a0f709628b
SHA256 543a741f27906a5481b95ace0fc2aab27deaa4b832615bc940d087e9f94873e2
SHA512 3101bc3eb11ad70426a6560913687660ada206767797941b40742b8942bd88742c5a0c89a2c52fd6077b78e183a9dc3b594646d00e4dd1b944e090837d48cced

C:\Windows\System32\SearchIndexer.exe

MD5 5ad3b1b29fc69526a448b47444aa7848
SHA1 bd533b8c92a8948b2e1083f6b978a4d4c065e18a
SHA256 f9f58f3dc3ad08df175f0e9030cd5318424d764ffcb3dc54b662c792ac072451
SHA512 9957def83a521480177b73803f8fbe58352fb9840442797b5ddd3b097e7fd6a6424e5a11714e8611ed70d4fdba13e88d853435b391adbafd92bb94a8a20e553e

C:\Windows\System32\wbem\WmiApSrv.exe


C:\Windows\System32\OpenSSH\ssh-agent.exe


C:\Windows\System32\Spectrum.exe


C:\Windows\System32\SensorDataService.exe


C:\Windows\System32\Locator.exe


C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe


C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE


C:\Windows\System32\msdtc.exe


C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe


C:\Windows\system32\AppVClient.exe


C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe


C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE


C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe


C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe


C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe


C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe


C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe


C:\Program Files\7-Zip\Uninstall.exe


C:\Program Files\7-Zip\7zG.exe


C:\Program Files\7-Zip\7zFM.exe


C:\Program Files\7-Zip\7z.exe


C:\Program Files\Windows Media Player\wmpnetwk.exe


C:\Windows\system32\SgrmBroker.exe


C:\Windows\system32\msiexec.exe


C:\Program Files\dotnet\dotnet.exe


C:\Program Files\Java\jdk-1.8\bin\javapackager.exe


C:\Program Files\Java\jdk-1.8\bin\javap.exe


C:\Program Files\Java\jdk-1.8\bin\javah.exe


C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe


C:\Program Files\Java\jdk-1.8\bin\javadoc.exe


C:\Program Files\Java\jdk-1.8\bin\javac.exe


C:\Program Files\Java\jdk-1.8\bin\java.exe


C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe


C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe


C:\Program Files\Java\jdk-1.8\bin\jar.exe


C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe


C:\Program Files\Java\jdk-1.8\bin\idlj.exe


C:\Program Files\Java\jdk-1.8\bin\extcheck.exe


C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe


C:\Program Files\Google\Chrome\Application\chrome_proxy.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe


C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe
