Malware Analysis Report

2025-08-11 06:22

Sample ID 240403-mh1hnace92
Target 2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk
SHA256 b9fc2e5b4b4471c811cd7df5e25a24ac75e5de69f882664919d7c10da46113c4
Tags: spyware, stealer

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

b9fc2e5b4b4471c811cd7df5e25a24ac75e5de69f882664919d7c10da46113c4

Threat Level: Shows suspicious behavior

The file 2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 10:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 10:28

Reported

2024-04-03 10:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe"

Network

N/A

Files

memory/1736-0-0x0000000140000000-0x0000000140235000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:28

Reported

2024-04-03 10:31

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ea7fe5d412d07ad8.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)


Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e875ee8b185da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb9990e8b185da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000af2f29e9b185da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f726ae8b185da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dabcd5e8b185da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_e9a27ecad59d073c4df6862b73549ce5_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
NL 35.204.181.10:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
ID 34.128.82.12:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
NL 34.91.32.224:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 34.29.71.138:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 34.174.206.7:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 34.94.245.237:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
ID 34.128.82.12:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 34.67.9.172:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.168.225.46:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 ocsvqjg.biz udp
NL 35.204.181.10:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp

Files

memory/4928-0-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/4928-1-0x0000000140000000-0x0000000140235000-memory.dmp

memory/4928-7-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/4928-11-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/4928-13-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Windows\System32\alg.exe

MD5 a6ec3c87f210c15234aad69bdb818d01
SHA1 17977cfae3030353873612a3c9615088966eb48d
SHA256 5f9f355733b1d1fb48d314dc6beccf6182982670a26300362f471b6a30bbe524
SHA512 9f2174cf2f441829f693ccd0602148a1f1542da4717467f3e123d1f739cb1bfef344ee1d424db7e4bd406a5288b52aeb2d4eca18541aaefc45699df2ceae03cd

memory/1644-15-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1644-16-0x0000000000710000-0x0000000000770000-memory.dmp

memory/1644-22-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 1149863a519e72d5a768af6c0e5dd915
SHA1 3c78e579724ca19531324b5d5ac2b3e29b09c283
SHA256 c63c5768252e9846855958618c57e4a9bfa1c5d6b7b1c5177f4c41a340fcb936
SHA512 e422140f17536e81bb6fc5887624cbfaeca93271e8a3534f9f2c49855386d5809c60e14a1a643c20fda21622baddd43d0c93b52ffb2cade9ac22c9cc2d26acbc

memory/224-27-0x0000000000910000-0x0000000000970000-memory.dmp

memory/224-29-0x0000000140000000-0x0000000140237000-memory.dmp

memory/224-34-0x0000000000910000-0x0000000000970000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 5844a9926f5690fa10968d9a1b263cd4
SHA1 62c9156b8fdab7eb0e277ee92b1fdb154ccad7e0
SHA256 f434cbc57eb4d4395d01618c6dde42cd8775ef3e2fe1b033a6359f59f4ded508
SHA512 3d4eb54d0b8a825f00de858a0b0284b8185db1252b053e60ccc4c5d8cb0cc9cfa6743395613d854112983fc814094bfb543d7368888a4d08e851ad69c323df1f

memory/4136-38-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/4136-40-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4136-45-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 10b4f5c388b37461003f3f5f2031b7d1
SHA1 b9386dc98181453bec04125fe286dc6d9b397adf
SHA256 94ae9b224fee2a81c3f994523b9c92966a55f2f5427569fe1ba13da7a65c07d6
SHA512 b2d34f944e723a2532993c3ef3550a64f2a006fe4936b9f346a75318a357d8269e31730804ee8940d9f1e750722648a3dd9c2087e846c129ef118fad8aaa9a8f

memory/1316-50-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1316-49-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/1316-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1316-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1128-65-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1316-63-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 777e3d9ce5cdaab1d0653196cdad1c31
SHA1 8eca46d082527d3ab2fa42515de866c4f8628c3a
SHA256 02207c5eb54eaff3afda715fef586ab6b7515837941166f3fb821945a7f59ce0
SHA512 dfab796040d230f1dcb921ce02007b285d0b4ace457cac826890cf008fb929d1255cb2f2e0d0d9b4e4b3d451d250527a7cb7e1157068b47057416802402eac26

memory/1128-66-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1128-73-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1644-230-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/224-235-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4136-236-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1128-239-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 adb649a1b50cacc7a60e2ccf5a562333
SHA1 d6a118221dce0cf8d3122b40da3004beadda8c5d
SHA256 c40d6bad95152885c968ab6256a9e778d5ad7572273c99c75c14badc4f8766ee
SHA512 54d4a0908028e3db9dfbc2e58061d0ce2de3fc7b6d14f19a2e9766b448e4a0cdb24ee87424a3d3b43e7923c7b1ada9fa919c42f7bbb46dc0fe2f57240185dc55

memory/3296-244-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/3296-245-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/3296-251-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/3296-252-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 5e6cdad113ddc3d7b6fb56f6545933c3
SHA1 8e40ba3d6d8c928957bf4277348ce1429273cb8c
SHA256 822ebe555a954b21fd52ebbd2494ef10c87401e571f7e919cd581bc5cb3a4534
SHA512 9f4aafa2d1c722d18bbe7a68e99f7da173d6191c7bd812d7969dea09ddd4d31e2ad75c7d963450b4e670d977a3aa414ca4b48744511755ceaa6045ea2811bb37

memory/3868-256-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3868-257-0x0000000000800000-0x0000000000860000-memory.dmp

memory/3868-265-0x0000000000800000-0x0000000000860000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 49f1659c23ece2fde8c4cd975e2bd6fa
SHA1 a7afe48913c7e3ef04f9ea22348bd08f504d48cd
SHA256 0d0f03dfbe5ec4fbefdba586c41fb8a714c29d1aa252d9db3a587a7ed0ad520a
SHA512 661e42744ff7ffc4ce3b63f2239ea9a3073c02c0ad0b60367dc44d5a66dff37ab9cbd49efca3270370fc2085e5cd0dc9fd66740df2be6b897c7a2f456bbddb09

memory/3332-269-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/3868-274-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3868-277-0x0000000000800000-0x0000000000860000-memory.dmp

memory/3332-282-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 e7c7201e80c45c7016799ba03c7e9584
SHA1 0f0eece84853056e39e99d92de7cee83fb2f6f65
SHA256 aa60fe05f40da4e63a60ae74df8ce819fdf15e8f738190e2e9296754d6c2776e
SHA512 d6dc19168c30f0c740d20653bfb3c93a1ceb84fd230104f5b3eca1a25b672a360838003108892691155fc78ba9f588d6577e2775b37fe5355c3656d4403af55e

memory/3988-286-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/3988-294-0x0000000000680000-0x00000000006E0000-memory.dmp

memory/4860-301-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 a444c1c2ecf89bafa6a691ec9a548b54
SHA1 7a2993a2f0bb55c88a3574ab73b5688aa123d8e1
SHA256 e379778c110ce26187afe2171fc5df25f4c37c23a2721c6f30557c5060d072a4
SHA512 38d3d2b93a8f3575ae49347e0dfdd65760faf9687d568c6b670891a7464d7cbae2f21195128cc427588298cd3d6f1989d5ae2f77b5a697eb822b83f5e235447a

memory/4860-307-0x00000000004A0000-0x0000000000507000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 810f2c7f858b7c5a3c7cee8ea77fa680
SHA1 52730a757b36d6a56b973f9cbff1aa5e323a80f6
SHA256 989889bfdfd4e1369488f8773fd82f5011ccf304651b950b3dd1cffc32737c17
SHA512 5ab75fa7d80c0cf8645da6db13f5243c064cdcbdc1361729d3fd1364449198ad55dba3352c88b5b55b9ff099e4a52be123e5019c414f9440a5358f067036ba08

memory/3296-312-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/4180-315-0x0000000140000000-0x0000000140095000-memory.dmp

memory/4180-322-0x0000000000680000-0x00000000006E0000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 cdc5aa000f336013405fddada1c2867a
SHA1 7af028fa0f8701096a1d7ebcf5ec6e898697a601
SHA256 a62fe00f96a8998922494fbdff0e138dc14709d09ea6c6b27e03f9740b1787aa
SHA512 5002cb0dcbcfd0666c4d13e3580261afac6268fd29316910577f5555e1570bdf7b503004cab7212c906c0e0d495b95809d0cd3682b2117f143931fd3333799da

memory/1352-326-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1352-333-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 8233cdb57eb20d19a7297f677e9df9d8
SHA1 d61268f0ee1ec737a160ac3917a5f398f42aa745
SHA256 6bb1224a8e599f25f61c34e51506acec89004f3dd624fe611d09e70031d53977
SHA512 e5d8c2d7e9a2f570bfcb48ccf8d05bfe62631a98177b0686afbeda6208c04f9c3a6567f1dbe98d7b80603779a115a0c7a68b62a685ad84eab9ac88f70b1ec857

memory/1928-340-0x0000000140000000-0x0000000140096000-memory.dmp

memory/3332-338-0x0000000140000000-0x00000001400B9000-memory.dmp
