Analysis Overview
SHA256
e54bbea2c08f2133acd91c5d05d5b581f227253366dc975ac4229154a81fb45e
Threat Level: Shows suspicious behavior
The file 2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 04:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 04:58
Reported
2024-04-06 05:01
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe"
Network
Files
memory/2292-1-0x0000000140000000-0x000000014022B000-memory.dmp
memory/2292-0-0x00000000003E0000-0x0000000000440000-memory.dmp
memory/2292-8-0x00000000003E0000-0x0000000000440000-memory.dmp
memory/2292-12-0x00000000003E0000-0x0000000000440000-memory.dmp
memory/2292-14-0x0000000140000000-0x000000014022B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 04:58
Reported
2024-04-06 05:01
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{90C18CAD-5F48-47B1-8376-0F604ACAA84C}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c91fce58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d499758df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079c26e58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d20f5e58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9612e58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020113f58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065229058df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000032ff2b58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9612e58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005b11d58df87da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 560 wrote to memory of 2144 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 560 wrote to memory of 2652 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_ba4b5d7a56eda44ff80dc5da595940d6_ryuk.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
Network
Files
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\FXSSVC.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWOW64\perfhost.exe
C:\Windows\System32\Locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\Spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\TieringEngineService.exe
C:\Windows\System32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\VSSVC.exe
C:\Windows\System32\wbengine.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\SearchIndexer.exe
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 43ead139e0aed112736932c1f440cd8d |
| SHA1 | bf0384729f8af00930ae4a74d7aa09e10ff4b48e |
| SHA256 | c6bd547b12e287e65909236e0ca8396fdae6c8e48de9cbbf684c0f7ae382756e |
| SHA512 | 4a0e2f05d5187c05f2d580dd7c50b0ef0d77d4a8c6adf241f4e7efa70a2eb45399336f8d6dd5e1807a8a2f5e6735f82bfdfb91853f7806e5a4fe3c4777879f66 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | a52bb948755b97d07bce45736862de73 |
| SHA1 | 4c4ef04fa1d6ea2d34f0b500c5c67eba2b0e4d41 |
| SHA256 | 40ce43ebc4720d70d38e0b24d16d294cd834823653d05838dd93e6c6a269ec14 |
| SHA512 | 8e1633c465efde5c9350eaa91b65cd3263dfcb5ec18233b748bee4a326edbfae7ea31a9624cd33e07652dd2c62ea1ff79497d4386b1c64dbae2e0d3403e3526d |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | 043d375b2b68399a55d05a29bfb838c6 |
| SHA1 | f6defc49a98db99fd3bd464653e77de233024907 |
| SHA256 | a95af5eb57f7a16655fcd6490a5a19edfee763d9296b0cb3f06bd5cfdf7193a8 |
| SHA512 | 18ca0303cd576bab21d729cedeb2c892219dd79b1f62ef0376ef7234c15432663be25645b08816e193a9da00588cee9d06e5fa123227e52c065fb8e6472c08aa |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | 4dbfbc260e29ffceef366527827a74b9 |
| SHA1 | 8f14014a78e31c22067b97c9b8318e7cb937dd74 |
| SHA256 | bcbbcdf52021f3275e00eafe56b82ea6e2f776df5c35c8f08b2072b82f7788c6 |
| SHA512 | a765d0949c7b4f430cf6a258cc2b498e3374056279c1dd83d541e9c11d4af02556c2db8723bf211d7ae697ed2694125c91ec651eac71d41165c3fafb7cafdbf9 |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | 141c06fc5941f7d0d17bdf8c4b48826c |
| SHA1 | 40e13a860b2e50bdc6ce7d62869fbb41fad7c336 |
| SHA256 | 4ba1f7b09e6a2e5181e908cb94772680d1b68b2941cb0e60ad031b35ffdfd2e4 |
| SHA512 | b658bd05913baa41cadff68b5e40e98d685cfc6f299ff2135bbd4862e99fdcd44506d2982adb8efc9e6f53c5a122580ab9a077c50750692f04ef6d7bc7ceafd0 |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
| MD5 | 46f11e2cf02bb9c1c2ada7c954843aa4 |
| SHA1 | 533d3462599c8f5000eb08f006cc1daa8b25c5f3 |
| SHA256 | d4761d620f61fd61633367a1283a190d921201c14eb614b3860ab275a43ad67c |
| SHA512 | 44e0a03b5f3ad49ee89c0967f051b6943d77b554cc292958194dd5f78933bfb018e475da3f537912d10c5d1223a81776692baf15e038d6722bcc4a99f5719d09 |
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
| MD5 | df1023faade79e1c7aeb519a91583f53 |
| SHA1 | 0e1eea49047865cab12aaf41fd64db36351fc383 |
| SHA256 | d8898a516559b754b59af74a24498af3b5819d01c6a5fcd778d6319e5288dc8a |
| SHA512 | 55657b99c6df928dd0aea0a559dfe9fb4105b1808f782632b9788e29e4142cded76d1d8ebcf2ea04c8006ee0e2347a8e1c72b17db73bf8c8791aaf80eb1cd505 |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | 82271a975c7db2427e5bbc5e7971a121 |
| SHA1 | dc3182db71759b7613330788b4e8c9ebc073dc65 |
| SHA256 | 2d994ccd943ac33a32668ea5eefe7e2cb917a040f9f06a37f07fd5a7d63000cb |
| SHA512 | cb55b7b84aa5f62e254039fa25958c4e97851a7757ce5fb31fac0bad9bdd695b06e3393965503c2ffbd56b7f64ac838289442dc419639dae3144a2a14ce0f447 |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | 2700ae1e3f67f49de55f81ded49a4ffe |
| SHA1 | 51279922093bae2e5a5545966c2f44fa5d93624a |
| SHA256 | b3ffdd5b96a09cad0c2f4dfac0e04700c094b567c5a156eee4362c9812780e1b |
| SHA512 | daa6e5176ac73838163050e626d06aa9fdc02e58e7ad162b19e4abec924d9e99025ee7f4b8c355edd29148b7e468a7dd5f12b247b05c5025bef068cca03e7e75 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | c2eb0653da725d380872c794420622ee |
| SHA1 | 85a7ef388e83b5df0d1b9fb752ff35bd6c90384c |
| SHA256 | e9b45a8b3b4e80285aa48fcd4132219c37b313c21a0d2408fc496aafbb1bf02e |
| SHA512 | 04b29ac24bde32a8b4f9a5c8ba0e412aacfd03cd0a60afd02d6b32ac08363e01f8079d14759a2c5127734ab2d704c136b61e316abfbefaf81be0f0094b2752f1 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 5270f91eb97c4f7b7b3f3ff0ce1abf27 |
| SHA1 | 4dd7d3e8ea233607dedf2a7dc8a84da742764b13 |
| SHA256 | 17957d001684b55b555ce8bb776465f0da341c9efc2d66e3f1c9e33cf70b2c8a |
| SHA512 | 9fb03e50f19bcf80fbae038cc87514305c3b917c281c8f9cd2eb22f82f4433e4b319740a9d7e2ab2d5b715d436d806959205bfcbe3d885fdb062b4498a556951 |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 9bf20d09abdf9bbba1f5dc69a3ce2dc2 |
| SHA1 | 4bcfcd94a82926147e35376cd43ce82a7fea9650 |
| SHA256 | 099251223a047b919e5035337e8ba4a10d8687b6a51e71333e928da1ad41c7bf |
| SHA512 | 69dd1345e418c7db080ecafbe1a8da45311e4f5d2115d4935a7ca1766881254c05edc8b43b947676617a210a0569e2dfcf1acc6d218c9f544febb479ffac7eb7 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | 8b5719d6b76f168a1a94f00aaac670e0 |
| SHA1 | 541f62673670154f85bd5e547e9ec3e0bf8ee33b |
| SHA256 | 6e27fdfd14f8d6ecdb3a220fa5c6a045667531cb9a22d1805bc784ef8ccf3aac |
| SHA512 | b3a85c66c5aa80fd8383b0645e0a40950f043590416a54090c9efe2eac249e9de66cb068923a6daf89e08c737b3646dc8b1312d20c54f3e9d5460bbf2b67c9c9 |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 9d94f56a818b2881ba3d47432afe7028 |
| SHA1 | e05b0b368e20480c8b4fff2e47939655fa8fe475 |
| SHA256 | 2d760441744bbda4522079516e8e22312d16af85c2025ab96b9286c5fef5069f |
| SHA512 | 646e920ed160de67fe19be92f0da0c309e32f2f92922d7f738d47bc0e363122f2f7fe1ad87123627e2244ada536f305de0c4dec75bfb3ab1a2732b9bd98744d1 |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | afac608b04bf20166e5ee6162f4cba0b |
| SHA1 | d17e393044fe38ed1db3545cd4162069b11e6eca |
| SHA256 | b9ad4fa39ff9cd6c0a2aa06beb312b6b150daef89bee8bcb6b63ebc727b4fa34 |
| SHA512 | 38895710a30c24b0e902345301ed9e2658870bfae8876abed0c1048322441d453c9e65d8f153fbbd62e223779282c9d09cd9d0e77ee5d1dcb59301abd563f801 |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 0c8d20e88607de2364611dfd044e780c |
| SHA1 | 22731ae1d10675b2139930b4339d4993df25e28d |
| SHA256 | 4ee6fecfd1a218efa82270d24d729036d0195ec5f9200350c3965b4c12ed1150 |
| SHA512 | c91194915ac1de3265c0306d56b7141823660ce4a64170a6971aa030e5b4b05477db4af1ee8b383383fec5dce97d101bbb9b9395da880d0a7b2cdbd3669b79f5 |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 8b9f7b9e4ea8ac78d3f4f6a9da470e4a |
| SHA1 | aab49f58ed9f0798163d8f6fcf549550e42a3bbd |
| SHA256 | 3c8b0f5809a5be7a34349135010abd87d460427a7e63a3c68b71bd5c1a117b22 |
| SHA512 | f57ffd0f5e56a4990ede0b5a87901b4bd395bf04fcb1c9f83c343fc00ca71baabf5d6f8986a68e0a5739981d2a8bdd408e8b2cd5d4175c9a8786d318d8f53de5 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 4a2f1ab7ec7ffc481a5796a25ac42d1b |
| SHA1 | c0c2f4598ac8b68fe6ab47f907b77ca2536a648b |
| SHA256 | 43dda646bb1b12f1f721569cbfe979ca7f45457fe0ac7beaf389ca9196e497e8 |
| SHA512 | 3bcc9c6838e61224b53374d3337bdda02647c477d29f162d8d77acc1fdd0d97ff63768f8e8947e76b00969e9d61033f2994b249748fce101fbc2753a14488cf5 |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 5ea1bf96a9a40693340dae255689be36 |
| SHA1 | 31126b9f09e54765fc8c4ddee38a8f6124c5f7b4 |
| SHA256 | 124ba373b16b9b4b11cbccb14902f6daff897fa14e2cfa7fb517f0a2dfe74fb1 |
| SHA512 | 2f08345cb2828bc8405e5b15b5c5fb068c42a4526ef8b9d205d00ca5f29c16a69a391235fc78a86ed004312cba7dba8fabe70e83e52dbf45e4bdeeffd21e9363 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | caf822e588a6fb1b8b64d57e99e0e426 |
| SHA1 | c45dc866d4f7121853f0ea0abe48021ee0dec6f2 |
| SHA256 | 69ca899f40bba99ed973a196bb60aa41157826b7f9ec8caba26e11df61c47996 |
| SHA512 | ed345cf4160e6e5ea8f78ccf019fc932945a983924c11f16395800b429a6117aad48e0994585e1adaae5b9056488a0f68988069e3fdf74f8ba9fd021367c7416 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | d79448899593e1750091bdbd75acd29f |
| SHA1 | df496a1c8d5596e1124115c201973a933219ee39 |
| SHA256 | 26c545906647c5af9260d2b882ea55b93808d8ccfb10c193ab59441ae281f373 |
| SHA512 | 964b71a04094acbf9b6c6005956bc67a5f82001a88f3f9964d5ce606c1e7ee6115313bb699ff9dce1246aa605436a01f345c7db25d90af13869620237ae11c42 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | b77677fe0a3399b094a847d99b6e6dd0 |
| SHA1 | 9c25fea986142891b425e1181e8ca2f5dfec199f |
| SHA256 | 7a3a35a7da867bb4fd84dc12cabf706972908e1e106ffb56287f851706385572 |
| SHA512 | 1b687bf7e227c2788fcd5d82ac073ca74e263a1078afab8ae79dc2c4e1dec9101fe5fce1252a5e8f46d887d3dab152175bc72f15584667c87721a7081899e56d |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 1309e0be0ee0b1df061cd2fbb767a818 |
| SHA1 | 56d4eba8b5a6047ab9987fc9ed7179287ca05867 |
| SHA256 | 9f86cd3f4de9b7975eebd229e210826b8e5f16d1f1a986885c5d0b15d1b4f796 |
| SHA512 | 62b26974200ffd36dac2bd43705b2b21412e03090196e21b9f2727071902b09d3a081765b7f21da752b9e28382581b7906f5b0ac363da55feb27e9aa2e93eea3 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | d2185f4768898f28501b3b43246df196 |
| SHA1 | bb1537f26b483e4b1f4314ba551c6bfb25174922 |
| SHA256 | 744369462919e15d0c92a98781bfe9fc92fbe88cc063aa6c8750574c428e4956 |
| SHA512 | f85a8f8d216868eda236877c515c2cd705ebc00fb3466a972a6f90bd9de9508ef00fbb5bc0ce7ddf5b4c1b746811bfc64a5a33a456dcf3ed31ac75197b9e8e2e |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | c77b51320eb49d04236a8c1ea6eb2b8e |
| SHA1 | 94b3a90377dbdc2079f9ea7325aaf658ecab7552 |
| SHA256 | 6d1e3128c7c0423a8775e4e8b851d0c592532315e0598fb7bab8bf0019f3339b |
| SHA512 | 817e20bc49b95b877d3d647d74b097a8fda8a7a3d40623fb18c1e54bdd1f6faff13a2ca68c36ef7d764b468d90d9cd3f21a9fc2b0493222708a40b0f96e7a627 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
| MD5 | 43a4ae5ff5f1b7953524ae29818c8fc2 |
| SHA1 | 00aea8e90f81c74e6ce6858fdaed103c5e9cda86 |
| SHA256 | 6aff242fee98b98ddb3290c74cb4f43cd68c8ce02b750cefee7afd1c5c6843c5 |
| SHA512 | 42277020ecf928837a397cd93961de45f64f6e86efb01eca2add0531aaac6efad6eb93801b45911c18452d4576f7f7efb39f4b46cd73095394f8386ba1c3b868 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
| MD5 | 16183c11c2a894ad57c9d78cbd798242 |
| SHA1 | d446ff013f9022aca626f334fdd721580b3c284e |
| SHA256 | cef2193038c6638e7a8ea681bb2dabb748c065ea125eecffad5fc68d8efb256d |
| SHA512 | c437400b219301c0209620cf530d769b678c227d888db0ee852eb39fb75c8492b8c54099f0f61b1645b03b977cba117dcb19ac4255db166a4dc989cbf35a76fd |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
| MD5 | 5c7daa18c0ec8dd7b63f740313cc406c |
| SHA1 | 15342e6e5cce46e66d7423adf61b79269f96acdc |
| SHA256 | 96ea8f023474ccbdcacdf68c57676cb7eb24a8c562a6ec8a4a49c8e69018cc5e |
| SHA512 | 752d3ca163d9e8c5e424398acbd3a0962841b48248fd65dc97efe9eedeca089e58b400fbdf858ebd6ed1821cbe4a2b923c236754e129cc69cf11df5615fdf2f7 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | 2a4a80384aef01ec6b4d3f25a0db0532 |
| SHA1 | 96d92a94bd6c51300c014d24d31e604be4813f73 |
| SHA256 | fe58ad47cb04405938c4ed5d4165e36a522e7a9f9cb8a3986b89d3389651e14e |
| SHA512 | 741893217b4ab86b7b6cacb8e5429d34a80218487c0227c3ed71e1bebc76cf130d5f7f22ae2df68281a1a0fd5ae791b3ac63102012f71dd191ffb539de2168c7 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | a257f557d85d38add58ee55d04843563 |
| SHA1 | 0fee55e5891400c5290457cb3ce57bf57a35685d |
| SHA256 | 651e821eb1ce6da261dde5647eb84a28afbe2f3f60e442c62e6e1710fe558546 |
| SHA512 | c3a21ba5304b28af997695f7302cc89cf7381b5ca6ee5d57d20ba8749e8df8baae3f0de7092515be22de7039da630fe89c6ce3f3494242bd8ef625a5b543555e |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | bf2b17937a6662711c411821a3df722a |
| SHA1 | 41dc4bee98ab9b10f218cd41874fe490a9a56ea6 |
| SHA256 | ab6b36d95fc658eadb6ab26a0cecfae33b39cd994e38cff0c5f5e9f5e00c6faf |
| SHA512 | dfd50459447db36a02174edd83e484100c10deb3f48351cb3460ed5779a2a5537b9e225c62f16039e193e3aea6974bdf9eed4a51d7938ad688e77ab589b791b4 |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | 92ac256ac06a716a66130153c91d5fdd |
| SHA1 | 7c18e2bc30c5f04bc8901486c1ca1a93355e1505 |
| SHA256 | 3879db7d3738e4b5a0e1291bd61fbcbd2d56ae1f6df3fe8c534bbf25251916ff |
| SHA512 | 27313d5aa55c5604c1880c3c026b5350bf0b80c81f0c407db4f27e789b2404665e059571e2183ca393377b342665db5248265c61bdaf316a091f421b38c2aa0a |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 3c7e466438c1d893259c1ae39d596ab0 |
| SHA1 | e5e742bac628e65b4ab9f23e68b816979577464a |
| SHA256 | 73d99808fa58177d1aa89cc3eec1ba0090c3a85549c05b0bb4770deb266bc090 |
| SHA512 | da54fb3778ebf3ce418a0a6873d44cfb6ad5ef06da56f9aeae93806f29c4dcf3f15a3c727e216925dfb26578210e996642ec0df35f5ef096b1435dbee0376d4d |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 312386dd81a6842c989098bfbcbaa98c |
| SHA1 | df2ee3d8e438f156a7a93732be7e094408873e48 |
| SHA256 | 7d40e87dfd8f92c649e0075c8074b88b5b8387485e015b7ffa24f28ef57ff8ad |
| SHA512 | b611ea7dad26246412891ba6a5b3ad6d1d15d965ec4ad792a84e032a1d93767cdf210968b117b238a3ed4e1e45e1d7a6a60f64f244260488c44cf78051f80a21 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 02173facc2f80080ad336b48ed1cf810 |
| SHA1 | c18486e60ab58d549f1123fdb5443459e3e777e1 |
| SHA256 | a2fbd7a2e4df76dc36d477e14dcdfe4b408ba525d9f197eccc6df95e7ab1da6d |
| SHA512 | bab6da5a4ecd73ed48f256106a28ac1a2514acf7128e0d16769f697f95b57f851948d9ea1a1a6042201a5f329d0a906f6e058648b54a51a39341c9cfe1d11f8f |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | a9dc7b4e4ff65abbe3b2ccf5d24c492d |
| SHA1 | d0901eadceb6f8d79fbb8d2bdc03b3744419fb60 |
| SHA256 | e772946e820028a1be83eee9e993b0900565c852174150ff30a72e9e5e41e5aa |
| SHA512 | 49565f108328d2ed0c36ea0b7fc1c5bf0aa8f5780253f6a25bb387c49c4402b3eea8611b562b2db13db1a261730639d7bcbfbabc871046c42cb7f01dd30142bf |
C:\Program Files\7-Zip\7zG.exe
| MD5 | f9842deb7a07bf022051d72c3e3c1c45 |
| SHA1 | 507740b55c86c15556103cf81b9c074577883308 |
| SHA256 | 9d6564586b8637532ef33dc348c2e0ffdd5a2c171171f8531dc6a4cea45e6493 |
| SHA512 | 05a2ea137ac2a0ffc2b50bfac94eadc58aff59b90e296cf256237bd694fd99b1e7e609397956d35a067a0d8053bca0fc2a2512b0968f81b9306471d94851549d |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 9727e2a5b12964f93fcc70ebd0b34adb |
| SHA1 | 2dc517f230964f6a4de7a2bfac95285756799af2 |
| SHA256 | c50c597b6b1c61d0880b4af35ce0d697cd74c0a889da576ff0a169646651199d |
| SHA512 | 809331d8d97ade5654e195e7f0fddec4d8306ee611abbaa07bff12e0a7cb483a4ddb4c8f0f673e812b7a4ca51301952c666e1a0ced67689d3adccf3597b702b2 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 0cb2fceef05d3e1f4f049546ea75858f |
| SHA1 | 303e78ae0a6fa29bfaaf5b57d369d634b2637882 |
| SHA256 | 18dda8d401d1fed2890b0934fc7d4ce5b31293a5ed5c611aee1e6a420ba1c927 |
| SHA512 | 1ea69a7d2aaa424a73d2e97698fc777889794ef0082c2fd6c0dd034b16371525b2c53c78046f7e16302f84ea18623f92a6881f04ee8ddb87baa227748c77d95f |
C:\odt\office2016setup.exe
| MD5 | 7bad9f624eb72c0e5915c50c03eef086 |
| SHA1 | 77db64c925a3dd2dd9f2cf199416fd9c70928a8d |
| SHA256 | d22fab7caccf88ca60432802c641696636f5ebc3b471f677af0032229fd0b604 |
| SHA512 | af343ec3090f2f79d50c9cebdfa6f33680392f558b018b7ce79415ee55afe765a6e46e53bab8a9049bfd3a540bf4f7e1e21fd2e10e31b1fb1ed2a72a380cded6 |
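The listing above is the sandbox's raw output: each written path is followed by four digest rows, interleaved with memory-dump regions whose names carry the PID and the address range. As an added example (not part of this report or of any sandbox vendor's tooling), the Python below turns such a listing into records, rejects a digest whose length does not match its algorithm, buckets the paths by the directory they sit in (System32, Program Files, other) and separates regions mapped at the default 64-bit PE image base from ordinary allocations. `SAMPLE` is an excerpt copied from the entries above; the regular expressions assume the exact row layout shown on this page.

```python
"""Parse a sandbox 'Files' listing (path + MD5/SHA1/SHA256/SHA512 rows,
interleaved with memory-dump entries) into records for triage."""
import re
from dataclasses import dataclass, field

# Hex-digit length each listed digest must have; anything else is a copy error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  (layout as seen in the report)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# | SHA256 | 8772...ffcf |
HASH_RE = re.compile(
    r"^\|\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<val>[0-9A-Fa-f]+)\s*\|$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a Windows drive path starts a new record

# Default image base the linker assigns to 64-bit PE executables.
DEFAULT_X64_IMAGE_BASE = 0x140000000


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text):
    """Return (file_records, memory_regions) for one listing."""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["seq"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            alg, val = h["alg"], h["val"].lower()
            if len(val) != DIGEST_LEN[alg]:
                raise ValueError(f"{current.path}: {alg} has {len(val)} hex digits, "
                                 f"expected {DIGEST_LEN[alg]}")
            current.hashes[alg] = val
            continue
        if PATH_RE.match(line):
            current = FileRecord(line)
            files.append(current)
    return files, regions


def incomplete(files):
    """Paths whose table lacks one of the four digests."""
    return [f.path for f in files if set(f.hashes) != set(DIGEST_LEN)]


def by_location(files):
    """Bucket written paths by directory; System32 writes deserve first attention."""
    buckets = {"System32": [], "Program Files": [], "other": []}
    for f in files:
        p = f.path.lower()
        if p.startswith("c:\\windows\\system32\\"):
            buckets["System32"].append(f.path)
        elif p.startswith("c:\\program files\\"):
            buckets["Program Files"].append(f.path)
        else:
            buckets["other"].append(f.path)
    return buckets


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 values, the form most blocklists take."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def image_base_regions(regions, base=DEFAULT_X64_IMAGE_BASE):
    """Regions mapped at the 64-bit image base: loaded executable images,
    as opposed to heap, stack or injected allocations."""
    return [r for r in regions if r.start == base]


# Constructed sample: an excerpt of the entries on this page, not the full listing.
SAMPLE = r"""
memory/4264-395-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/4264-403-0x0000000000BC0000-0x0000000000C20000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 247ea78e4e06747ac38729a8c4ea45e7 |
| SHA1 | b29be028081db38559f9704758eca58d34ddbc91 |
| SHA256 | 8772328091a1ee4a3dd111b4b499e0de590218399b236b5b2be9806f8e81ffcf |
| SHA512 | b3f2fb78b14b1cb257f3136a77a5cbb9ff57cffe289114e3be599452491a2edd1bbaac8285c295206f5f82d6e54afc69c467434d66111f6438fc4b4242dbe872 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 0cb2fceef05d3e1f4f049546ea75858f |
| SHA1 | 303e78ae0a6fa29bfaaf5b57d369d634b2637882 |
| SHA256 | 18dda8d401d1fed2890b0934fc7d4ce5b31293a5ed5c611aee1e6a420ba1c927 |
| SHA512 | 1ea69a7d2aaa424a73d2e97698fc777889794ef0082c2fd6c0dd034b16371525b2c53c78046f7e16302f84ea18623f92a6881f04ee8ddb87baa227748c77d95f |
C:\odt\office2016setup.exe
| MD5 | 7bad9f624eb72c0e5915c50c03eef086 |
| SHA1 | 77db64c925a3dd2dd9f2cf199416fd9c70928a8d |
| SHA256 | d22fab7caccf88ca60432802c641696636f5ebc3b471f677af0032229fd0b604 |
| SHA512 | af343ec3090f2f79d50c9cebdfa6f33680392f558b018b7ce79415ee55afe765a6e46e53bab8a9049bfd3a540bf4f7e1e21fd2e10e31b1fb1ed2a72a380cded6 |
"""

if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for bucket, paths in by_location(files).items():
        print(bucket, paths)
    for r in image_base_regions(regions):
        print(f"pid {r.pid} image region {r.start:#x}-{r.end:#x} ({r.size:#x} bytes)")
    print("missing digests:", incomplete(files))
```

The digests recorded for a path under System32 or Program Files are those of the file as it sat on disk at capture time, so the useful follow-up is to compare them with a clean reference copy of the same binary from the same Windows or product build; a mismatch confirms the file was altered, a match means the sample touched it without changing its content.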