Malware Analysis Report

2025-08-11 06:22

Sample ID: 240403-mnhj2acf54
Target: 2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk
SHA256: 7971b69fb31cca661e2c7ba0309974383377c8229f3737a76d32751ab11abc84
Tags: spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 7971b69fb31cca661e2c7ba0309974383377c8229f3737a76d32751ab11abc84

Threat Level: Shows suspicious behavior

The file 2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware, stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-03 10:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-03 10:36

Reported: 2024-04-03 10:39

Platform: win7-20240221-en

Max time kernel: 122s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe"

Network

N/A

Files

memory/2104-1-0x0000000001BD0000-0x0000000001C30000-memory.dmp

memory/2104-0-0x0000000140000000-0x0000000140109000-memory.dmp

memory/2104-8-0x0000000001BD0000-0x0000000001C30000-memory.dmp

memory/2104-7-0x0000000001BD0000-0x0000000001C30000-memory.dmp

memory/2104-13-0x0000000001BD0000-0x0000000001C30000-memory.dmp

memory/2104-14-0x0000000140000000-0x0000000140109000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-03 10:36

Reported: 2024-04-03 10:41

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware, stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\64f83844990ca9c2.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_118578\java.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_fc1438bd474cf8dc307563f487339761_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto

Files


memory/1144-458-0x00000000006D0000-0x0000000000730000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 72f1b6934fe14e3ebc66771d2644d479
SHA1 3ffd6deeb5074a6ecaedf2c2646907e7d61c2ff2
SHA256 ce12b02c0b294e9b349a1236ef5116c8f1e889bdeac52e9ef4a764a8a3b6f805
SHA512 f020146300728705ee74faee7a21bc1d0251551e91e224f1b2108395c811870db60a6a39c77c1d60f4889a7304d47990a8d3e140d6bff788a1f1f76e6d2d45a2

memory/3700-463-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3700-471-0x00000000008A0000-0x0000000000900000-memory.dmp

C:\odt\office2016setup.exe

MD5 90efec1780bbcb3e19da39120524a5e1
SHA1 fc0a1117d0053a92bb427b30c1d5494cce3cdcfa
SHA256 cd923582cdb0120a5ba99764fa0bcfb3a81621b09064261d148dc9700ddd9a17
SHA512 63dcc693d1e4cd5dcbd8f8d127e957282bfa6a7ad6d9a2b4cb1f21ef0ed886c42f745c09b7183e1c368425e94eb891eeb1dd2138536ad3fe3c52f6335a6c0be4

C:\Program Files\7-Zip\7zG.exe

MD5 8ba1f4410b9fd707d8e5dc94b324ea32
SHA1 3c1c588cd3732ecd9c54f625302ed44d773a4907
SHA256 d7992b5491267c102dbf883ee4b34778050b19cbd5199f46a9ba78841da6d2b6
SHA512 4b61965dcce9d15e895d10eff05816a52bfc856a638e597be32683f210e587941c15d4cd06b14ea1f8edd8c45ee67a362583678a9548e2dcffc3a5e17b30e518

C:\Program Files\7-Zip\7zFM.exe

MD5 fbb4f756f7cd055c81c408eedd4c0570
SHA1 d75bce5a514644cd43b0067039bb5498649c7bb1
SHA256 fd91ba8d2fc01f899726376e301c5f7095019216a38552219dbc79269283b651
SHA512 0157fa6031c12331f36289cfe48b767d6a69a4b0ebfdfc67fe05d31d59666fde1ca3306f73772d4db6343bc0775f0b95eb17d8a1f5b8d4592a4befbd97471f77

C:\Program Files\7-Zip\7z.exe

MD5 d689c158331ce3f5007e706b4cda83df
SHA1 69adb09f939e2cff01d0ede4ee8d9316f498c840
SHA256 e606a7a2c9117c4be379ddf74aa2e879b8fe82ec3370a02b75dee7630527d51f
SHA512 a9fa2f3c844bdd2512f0af7c20b974239a457a4e4f07dd0e889244c2bb7caf3010159070c81194e0422e30ec263f23673ee2dbaf8c04954b84113382a367433f

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 87229a06ce77b826d1244b6e6efa3e89
SHA1 0eda1f361a5162474882f45ed2edc482fd7e167b
SHA256 2a76f53bdda257b2efe53d3a7ef6c24015bd02aaa250648106ef3fd2271e13e9
SHA512 09966f890a26cfa5c97f14c089c30f6328a410edb38746b95c7b0aac723af366e63b5d3b5f527375c4a6b384acf43ce461b98ca731c18c7a1bd97c53019e7262

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 e38e52a84e956da87d032a16db4cccfc
SHA1 d57c79f82ed0a6384d58f6703a24230062a616ec
SHA256 7f274f0221f3019a018b2f358924820c97a86a4625f6a6819753ea3df5957eeb
SHA512 db7c33541ecfdc7eeb02c6e7795c062b9f93ee0ddd560ce757873b58cb3ed7042f1a77e623e06ab7d555effcd0ca2af2ac4a90a0b568bda212a88720c0837a54

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 6d5bf9c4de03bb65d8876de18385b264
SHA1 8fe48873025692215d7b3ec2f3a1e1c1e48d6889
SHA256 cd9361429180c2368ea58ea403cec019da09c0995e184aa88c155787963ddb2d
SHA512 ee0dda4927bb23648211389bb57501157e1204409970b6c3b8ae7b8f582c1c1fceb7c896d08c0ab9a1f798e1adfaae2ffd998fc050a322d1ab880d201d4b432b

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 b6d01f83a19284ec588db85df10a791a
SHA1 b4e03875e0a2e38f2ec22bc5e8ee338501298a29
SHA256 0b41db66f6506959ad58f680a819e152a4f92f5b7667997fde5204c854a29348
SHA512 c1c651aaccb1b21a2f0da2f2eef2397ca6a2fda1170a55d1b3b9d0de209b8a4ffec96d5f50ff0b4853e35f3918e09d07a03e063561f908759c7cbe3e2c520fce

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 28e229894f1b83f0530f501f8ec54146
SHA1 5b6592bf870820777cba1309ba22d0628dc00f46
SHA256 c628ad4208ba692fa98507f227c819dff324a3be5fb032cf49785f67f8b91bdd
SHA512 8eb370ff4b35841c9379c78040c93ff0f209a89c45fd1f3e62f6f1cbb74682bb533cc44095c464cd9430b08c8a4da0727899a042d656f66e317e0598131debbe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 6f53e494c041a96fc27ebe034d9fb7f2
SHA1 da55074f1a8550fd897f67e1f698ab82194003b5
SHA256 a42d55d9542cba76d751a70ef9989dae67e95303853d83d8311e36759e54eacf
SHA512 f50ac58c07beda6e4f4ae78ae269dc71d3e900ee6d382a720bde006503265d0c1deb056d0f39ea6e03f8fadbcb0cdb361075d1cb66a335e8f8f38289fccd8fd6

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 8a452a0a4f4e410967c6213516489fc6
SHA1 503b6d273994dc6963dee9abfd2328a331ea3067
SHA256 c87f30a2d9bca2420c544e3bd3f88631bd8ae125c92c243735d7f52b28938bbc
SHA512 86fa5ae7b69d76c4f58bdbc631a91fb158a4e1ce76cbe33be1f5d385ff78d0425cd2e982132e70ab02571b5004d9efa776c1dbaeb972bfaf00d7fef4848dcde9

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 bf8f8f8884f9cb0986b2fe03941d9343
SHA1 1b902cc74d719dc1ad9325ebf4c6b5362d76355a
SHA256 43747a730043cd2e36687ce780bb202cc02914adfda5e324e6e62ee141c81a0b
SHA512 9a470f59cec6318647046f6a29e7c6a8dfcc73d6baf798ca4ce9b73f8e83975ec39bb6368d37f50634214992651dbdf4688d6d0318b0cef65c9abe236d1c3811

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 5e13ad88991e6c6f868a4873b4984ca5
SHA1 da55d3ec3f6aeb87caa0dfde33c390490f172136
SHA256 95b6cf46259a1249aecac4fe48b5292fa65dc9807d00fe457805a2d8725f7e2b
SHA512 a0b9da2bf438c73fe3fb8ffc8004ccfeea42974e35c1160026872fd578b9fed5cefb9a27e29158d05cc27ab7f747969c299326ad6ed6c4d08f6025bfc21ac6c5

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 b9d376f2ff483456e3ad63b291f3df5f
SHA1 7b2ffd02208391194577a9caa0e51ea5874e9a4a
SHA256 0aab19ab8b56e1f3c0824d82722d682940f7d5a99239e717f9f26b0e43c8cf6a
SHA512 568ddf5313a8557366d9344314004cb4a7c2cb45847242adde803f6b3f8c79952e351ac868c4ec3bb8d7ba3696c82d7c909b0b0a53eb2b23f770ee3147bc8a19

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 4b73bb8c0b8c310abfa6405281349b33
SHA1 90799d25f8749d2e85147d3dee4feb182e1267c1
SHA256 83f47bf6c25b024b12a1853992a931268b6bbff006c2ecbdb9ebf4b23c57a690
SHA512 d80641e100219c69ec7783f8ba0ad79155ef0317771aa7e3e8e600600163e9089f36e7c3e5dc859becd08b44f15f8b1bdd30e8a6be939beec05259c3b8334589

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 7cc5ef6957be0cf830392917bebe22e6
SHA1 523fc030074e52ea51f4920a3b812db656aa9361
SHA256 0ffc71d82a9e4af8bf0d3496008640bd14fc04d34a42257b768e0b8b8edf11d1
SHA512 ff12aa2bcec08fe821b78ac64815488e3be2884cc392306d97950ac438dbcfaca1c5f61b0a3714959f475de2cb00aee2a761043021f29f7d6d4559c9f76a50cc

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 9070add8ed5c462f5a960bd1e455f934
SHA1 cc595e19a6daaf65d0703f9e6f6cc0033b59078a
SHA256 1702c10908f6c31278ebf52f61eca115e75e5ed13e687d0aacb62815ebca731a
SHA512 5259dee24ae0c33cfd05459760986955a719492b686fb547a84c50c634ceb2c58c8930bfcb7e961c656342faa50571874edb28982197881c957dc2f0da057a67

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 9c5ca39a26c8876cd2ac8f879893602b
SHA1 ee12f01b4cee345aede40dd5a49159af9705adcf
SHA256 988abbc93ac89db7ae682736501acb842eef4422fd0a50811726c9a36dd2c525
SHA512 6e9294973d628949f73b42c4c71deeeb6c7b8db55d6b17786840d87bae91e13af527bea9e8f419e0f74a608780ec7c7097f2b8c73b3fe9095998bedb965a5d0c

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 7b4419fccbf720f62dfcad6999678a40
SHA1 ca8bf92f9e473c4f7a586a4c132f11264252302c
SHA256 7f5126cf590f6f2abd91213fcda11fbad83cf1049b6bb8a7b76d4a9b54a1be68
SHA512 647693b61ab6bd6f58f579b853d2847dd5036b5948b1c06fe47acb3f36740aa2a9d83c4f978be7e19a13553af33189598e9b8b34913dcb70da9a6bed3327898a

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 146dfa33f901a845b3598a7e7a16e49d
SHA1 932c4bb8905c959f8477c8c1ac3d9296d5c0fe6d
SHA256 a1d6a5d85638d3f8cf720629373fe85e7b5adfa7208a0cddebe256d7abc5adf5
SHA512 c21cbd10ced018e9a4e1d33837535e3974034d9e641ac6f9e8f6c0ae7fac68327e65bddbc4cadb6e209ce00180459f5995f7bff15a9718a6b02092dec22646fa

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 e7606c193aed838c7062b44f94dc34eb
SHA1 b26bdc92a55333195a913cc6222ad2d9c15dcb71
SHA256 4657ebed75be3360918b97a2f80e00170ff84ac88a196fdf312e7b4658119bba
SHA512 8f6ea39ae798869ed248966313c00d242ecf11e346714975d6188186a0297e816341d0872302132355f851f68755e4c57f811248ce5a27d5384bd1b0df9c994e

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 8cc2846d31bac3ac9d0d7c3d70dd845d
SHA1 1c64775953343bf55e5cb95786361daa9d7a1d98
SHA256 c591e3ad0139daa09c5b38ee68cc5e0b03abec28b896f066ddacdce0d6d9f2a7
SHA512 fcc45fe4e5712a9177d86ac633fa361242fec2bb8048fa51b8424490030ee609f8412285d2d8b3880d236727915aeaae753a6b43fc0491ed61ed507e36575287

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 a2db43709f32650f95aad283674c30f8
SHA1 bed0c382e9789b8761136c1368cd58ea92b0e0f3
SHA256 994cac653bb5037c3b2420b066ddc1b1fdcd0eabb89db2520e5fd1814fe20758
SHA512 6582cc7f9148576d6ecf1e05995e90b012875fd8dffc1763ed739d7c8fc19ed8f0a640b9265aef47e88990c815ec4bf9552dc6bc01382cd7110db5320b34e95e

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 5c5d7d8ce9219a4e2f0e89c6a8b19ed8
SHA1 a4b424ae0424e620eb97dcb2a0021588de97f42b
SHA256 e55c4fe9270b9202a1527214794b1223f9f355e7052fb1732dbaea8a6614296f
SHA512 e6bfe8991deb2899a8e2cca55e5d22eb6ee2493ecdec80958ed1b358db1ccfaeb2da84983468fa20a84c4dbc9f4d94a9805f181cc5819478b8b412d8234b07d6

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 d219a42be83ca33d0fb0b31890e60e1c
SHA1 50acd08d3041fc75f447c92b06f3f12efc3749f6
SHA256 cbc1955a39fe265d5dd8a7f8cb8f86599465351db344fee14274860740f81610
SHA512 eb30dee9231723c1ac29b98db5be4a359ba55144eaca5d0ae2e8f080944fc028452577989a400fe1147a868e9dc3a7677db8297bdb697a52a2e540ef4cdaed3e

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 3accd025db14e92655e0754adc608eb3
SHA1 8e0a8f2d7b04f68dbaa67867e21ba293b42c7cee
SHA256 5c435f09a5ad602e30790552f2634fe325c57c95a843dfb709563f8e86ecce7d
SHA512 e4b5bc0612f25d1908b08cc4d56e5f1f97f4c79bf92102e7d1430114f8b0b2e93f798706c3efbdf889db8d7bb3141d3bd3f2da3671d045b6cd9da33c55e70e65

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 fb334bfcbcef084ebc31795ab713edf4
SHA1 7ca7044ca6dfd59b8b2032b5a600cd37fd7ab3c8
SHA256 877b5906b19a15f21cc573986c2cbc79cc59281649e6dc78409bbf1254954ac9
SHA512 a496540cbed7253b275143f85070955483357fe3ce9852593205685d3cbb48082a31d1a838bd6b24c84d9bfdd2855efe112036f6ffa1c0da7fd5c9f5f94d3d96

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 4e93d88830ea236fbdc4a060df875ca2
SHA1 b1bb59706b5f20edaf7639f62c3cd91d51d7681d
SHA256 a3efbd0f42dcf11f626cc0422ba3987f8a3a6132b8c53216ed5a8fb260297c19
SHA512 3223692c7900585eefe7666b1d96bd96fdddae6d9e7d31db6ef9d45a21ecc2fa685d460bc9d8ba4ad6ede4ca9afb6f7aac02a55c455513d2df2eeafc98f5d4fd

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 054c5b9d777fc7cab79a1a24dd5559de
SHA1 95f1936ffc9c026f68b92bc5e7d9ed48704b5d8d
SHA256 8e3827d8cb6863f7125436e4d5d60692e3287c2a70310e8d47070e8517b22563
SHA512 0174676fee6f80d19715c162ecc2bc485a78cde805f08640f4b45f544b0aee5e8b3cafe2c7b50bef698b336cd7480215bd33e1368e6ee1bea37d8589f7eedd79

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 97d92a49acfba48c624a37c2cc48a35e
SHA1 0c19d4c8657a4cad07e2e1b4eebfa6ae31987337
SHA256 809718a847fe075027bb7fd7adcefe174d031b8f8df8dd6aa1ca433c91b01028
SHA512 b061e6992f135be6b4e53d5da63199b837167f8306f3bd564d60a430944d14aa0f01c7b8f5bf69219549f7097b8462d5059dcac6fed63ec4a6c0702573afc289

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 0a0a505f17442b52401dd89785adb7e8
SHA1 8be17d24d26852798317681dd0c9319fdf1a5421
SHA256 dc9be1a86b56640ef93f71b8922fd8a41f53642647896eaea484080940915da7
SHA512 eb7ac30e58bbc276ee392ab97e9d8c4e36ca0c723d3aa703154c6194907c0d22776ed7c89e2247d0651f3dde725f5135d65d0305178c64ff389f811e42ced3c0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 bcbe4e072ffb10edb8b7409672d6d644
SHA1 9d1e049dfb1aea6e44ee7e2052314496478da517
SHA256 3788d91193ee4075ac5ed0521833aa4da79eb14d2f69216aa7052dbb88f21557
SHA512 3f30967a94c27498984b097c38b1336a79edf881118fcb038fff6dff84e049c441bf440472137ead26b8aa1da0e46eafb6d6abb19985a45e8850d440798209bb

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 f0c258ecab03763c90e20485138a646e
SHA1 6a3db1e3f879e200efb88f4c24591a4b960e27b2
SHA256 6e8421bb7b933778569ac29eb2d7a94291745e9a2161107bebb40216a57c5c5e
SHA512 baf7398466b3fbf3b15b8b51b12b6c0b3de36a49a4369bff5b0d669d0ee07f3ab9ced2ee39946daf001bddc6131c6b7f559f6cb6969fadd9483a1a28b563b651

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 de62db4ac920326e69124cbfcdc337fa
SHA1 3697b85c2bf66931c021c214f3a53c8f76d49bb7
SHA256 0a34f1f7ca8a2e541c71defa02edfc1fef49fccbadcf1c12715afa81247f4fe6
SHA512 d29278369d55879a26e5ae93160f2dfd47671b0e6ac626fe9c7cfaa1784f2c2ca2d9021afcedb348e75bd22b679dbad8da9d5008d6fd54fcc17b2cb990e72de6

C:\Program Files\dotnet\dotnet.exe

MD5 338639b9e1954203428e4cda6386788e
SHA1 d210768f06896a860e6ff2fa3c5fccadac57e7e3
SHA256 09143a5b9f2e19108e0120d4563ec7b1cc295e07e0ef3e43a757031c8bad50eb
SHA512 78bfbaa0888c1a51b8fd579bb9a561816f105a949a6ca2ed7eb703b16251d12d72717c47a94429fb42cc8615a1345787e675db225e59203bf7ef0b1eb3482eb7

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 872bfeb29d95ab29a59db30286efbda2
SHA1 41f5d06ab61e66d56b813d1f2d7c499b2770282c
SHA256 ad8219c456e041fcde88484bb2b5241e49078fbfb3ed9f456a26235798bbe704
SHA512 cfe7df8fbd6ff251afa3d22e78e59377be2a98bd2cd2168197fc821a0ee4930ac77f29c5f7e6ebc084c25dffbb9b45085d90aee6adfd80cd2467bc811fb49f2e

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 0de84992ec21bcde4e035e1345c1a986
SHA1 9f95dc04fb26caa721484be7e152ded3279595a7
SHA256 d170eed2d614c4d4d238eb53d680f4b2002c0abeb635d43f6bbf9d4391711821
SHA512 a6320063cabbd730544e2823a3953134c8bdc999ada15e2c4e21ad8698cf547dc7762232a1cc4d1c6973dd648ade6ef978a0122b578107e8395ca0cdd5670b9a

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 ef46320cfbc9554bb7a86fe1fdb3e33e
SHA1 6d6d1e287a02a2cb9064c6d068ae8019eb5e0e5e
SHA256 7a08c3a2d33ad2a0f7955c6dbd8c2c1a26ef90f3dbf4e24792c1c248a5dbe29b
SHA512 9ad05622eeedd0ebfa84c15211b4026aefb0316599e6039990106b535f97d855d3cb3064fdaf90221efd312ef3eb13a12015ec72d1ac6f00000933c873444152

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 53bf37843599886318588fbf8feb5017
SHA1 ef033815a2c15f3355f61175469f30d289903678
SHA256 76cc27bbf79f46eabc6071bcac419ddba64d74dcf341a3365b26be8b017e0a10
SHA512 c4b5c8c600f7146143d0b33a4909ce53c4e37be077e920ad6623272f8b77ada4d16baa849c5ac64fbd345b2f0539c53ce17bbfc3385edb9c45e737c989f92d5e

C:\Program Files\7-Zip\Uninstall.exe

MD5 7d4cccf89e8bd8b274acf7a39d799e1d
SHA1 816e6e2a80a807aca9cb13cb3ffb6ab3bf7bd239
SHA256 1bba68b5c594a091fe4460238e764e91636919b6f4dc9d5e4ef23e71bf0b01da
SHA512 a7a4a138193daf94fab9e228a81fff4cf1ebf3a7fed507b47acce7051df9ec1195eeb983c0f81c34da93dc173a9542575454c17befe9722668927ba389cbea7b
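The entries above are raw hash data with no procedure attached. As an added example that is not part of the sandbox report, the Python below parses this "Files" layout (path line, then MD5/SHA1/SHA256/SHA512 lines, with interleaved memory-dump lines skipped) into an IOC set and sweeps a directory tree for any file whose SHA256 matches a dropped file. The embedded excerpt is constructed from two of the entries above; `demo_sweep` uses a constructed stand-in file, not a real dropped binary.

```python
"""Turn a sandbox 'Files' listing into hash IOCs and sweep a directory tree."""
import hashlib
import os
import re

# Constructed excerpt in the report's own layout; the hash values are copied
# from the ssh-agent.exe and vds.exe entries in the listing above.
SAMPLE_LISTING = """\
C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe

MD5 b1b7cd228c7d6b14a5ce109eac9d8474
SHA1 958270cea0ba2c44286a2eee1488fa3410de922c
SHA256 65adabffb2faf5dfe3971d25bf1af36138071ceee95ff736cca8515c3f4a63ee

memory/2832-366-0x0000000000400000-0x0000000000497000-memory.dmp

C:\\Windows\\System32\\vds.exe

MD5 83e36fabab7e92b6ef193fca9931e8cb
SHA256 747af89602fd63cfc0664ef536c3a71377b33cdd78e5e6c826f9d8fabe7e0a3c
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")  # a Windows drive-letter path


def parse_listing(text):
    """Return {report_path: {algo: hexdigest}} from a 'Files' section.

    Blank lines and memory/...dmp lines are neither paths nor hashes and are
    ignored; hash lines attach to the most recent path seen.
    """
    iocs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_LINE.match(line):
            current = line
            iocs.setdefault(current, {})
        elif current is not None:
            m = HASH_LINE.match(line)
            if m:
                iocs[current][m.group(1)] = m.group(2).lower()
    return iocs


def sha256_of(path):
    """Stream a file through SHA256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Walk `root` and return [(local_path, report_path)] for every file whose
    SHA256 equals one of the dropped-file hashes. Matching is on content, not
    on filename, so a renamed copy is still reported."""
    wanted = {h["SHA256"]: p for p, h in iocs.items() if "SHA256" in h}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            fp = os.path.join(dirpath, name)
            try:
                digest = sha256_of(fp)
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if digest in wanted:
                hits.append((fp, wanted[digest]))
    return hits


def demo_sweep():
    """Constructed self-check: write a stand-in file into a temp dir, build an
    IOC set from its SHA256, and return the report paths sweep() matched."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "alg.exe")
        with open(fake, "wb") as f:
            f.write(b"constructed stand-in for a dropped PE")  # not a real binary
        iocs = {"C:\\Windows\\System32\\alg.exe": {"SHA256": sha256_of(fake)}}
        hits = sweep(d, iocs)
    return [report_path for _, report_path in hits]


if __name__ == "__main__":
    for path, hashes in parse_listing(SAMPLE_LISTING).items():
        print(path, hashes.get("SHA256"))
    print(demo_sweep())
```

One caveat when using these hashes: they describe the files as the sandbox saw them written. Because the report shows the sample writing into existing legitimate executables (System32 service binaries, Java, 7-Zip, Chrome), the resulting file on another host may hash differently, so no hit is not proof that a host is clean. Checking the Authenticode signature of those same paths is the complementary test: a previously signed binary that no longer validates is the stronger signal.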