Analysis Overview
SHA256
522aad1b718682cf0d454ee79306918ad69ec05cfc31ecbd5a4d7eb427e45e34
Threat Level: Shows suspicious behavior
The file 2024-04-06_e5874500038ebae29fe765f303978138_ryuk was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 05:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 05:06
Reported
2024-04-06 05:08
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\83ab578956fe8faa.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{7AE638D3-C69D-42D5-9B63-3C52AA32D796}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ktab.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3DF00F9B-1878-42B4-A9D7-D9E438DB209F}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3DF00F9B-1878-42B4-A9D7-D9E438DB209F}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{5ED08B40-574D-4117-8420-87CD69F06130} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{5ED08B40-574D-4117-8420-87CD69F06130} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
| N/A | N/A | C:\Windows\eHome\EhTray.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 248 -NGENProcess 1f0 -Pipe 244 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 250 -NGENProcess 260 -Pipe 24c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 264 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 26c -NGENProcess 254 -Pipe 268 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 1d8 -NGENProcess 270 -Pipe 278 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 288 -NGENProcess 25c -Pipe 284 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 1d8 -Pipe 27c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 254 -Pipe 28c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 264 -NGENProcess 120 -Pipe 1ac -Comment "NGen Worker Process"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3627615824-4061627003-3019543961-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 248 -NGENProcess 270 -Pipe 120 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a0 -NGENProcess 1d8 -Pipe 29c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a8 -NGENProcess 294 -Pipe 2a4 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 34.143.166.163:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.168.225.46:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.94.160.21:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 34.143.166.163:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.168.225.46:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 34.174.206.7:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 34.162.170.92:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| NL | 35.204.181.10:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 34.29.71.138:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.168.225.46:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 34.29.71.138:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 34.29.71.138:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 34.143.166.163:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
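The Network table above records two kinds of rows: UDP lookups sent to the sandbox's resolver (8.8.8.8:53) and TCP connections on port 80 to the addresses those names resolved to. As an added example (not part of the sandbox report), the Python script below parses a subset of those rows, keeps the resolver out of the IOC set, shows which destination addresses front more than one domain, lists domains that were looked up but never connected to, and matches the domain set against DNS-query log lines. The log lines and the `sample.exe` image path in them are constructed for illustration, not taken from the report.

```python
"""Extract network IOCs from a sandbox 'Network' table and hunt for them in DNS logs."""
import re
from collections import defaultdict

# Subset of rows copied from the Network table above (not the complete list).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
"""

# Every DNS row points at the sandbox's upstream resolver; it is infrastructure, not an IOC.
SANDBOX_RESOLVER = "8.8.8.8"


def parse_network_table(text):
    """Turn '| country | ip:port | domain | proto |' rows into dicts; skips the header row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def extract_iocs(rows):
    """Return (domains, ips, ip_to_domains). Resolver rows contribute a domain only."""
    domains, ips = set(), set()
    ip_to_domains = defaultdict(set)
    for r in rows:
        domains.add(r["domain"])
        if r["ip"] != SANDBOX_RESOLVER:
            ips.add(r["ip"])
            ip_to_domains[r["ip"]].add(r["domain"])
    return domains, ips, dict(ip_to_domains)


def queried_but_never_contacted(rows):
    """Domains that appear only in resolver rows: looked up, but no TCP session followed.
    That is what an unregistered or sinkholed generated domain looks like in a capture."""
    contacted = {r["domain"] for r in rows if r["ip"] != SANDBOX_RESOLVER}
    queried = {r["domain"] for r in rows if r["ip"] == SANDBOX_RESOLVER}
    return sorted(queried - contacted)


# Constructed DNS-query log lines in a Sysmon Event ID 22-like key=value layout
# (illustrative only; the report does not say which process issued the queries).
SAMPLE_DNS_LOG = r"""
2024-04-06 05:07:01 EventID=22 QueryName=ssbzmoy.biz Image=C:\Users\Admin\AppData\Local\Temp\sample.exe
2024-04-06 05:07:02 EventID=22 QueryName=www.microsoft.com Image=C:\Windows\System32\svchost.exe
2024-04-06 05:07:05 EventID=22 QueryName=LPUEGX.BIZ Image=C:\Users\Admin\AppData\Local\Temp\sample.exe
2024-04-06 05:07:09 EventID=22 QueryName=update.mozilla.org Image=C:\Program Files\Mozilla Firefox\firefox.exe
"""

QUERY_RE = re.compile(r"QueryName=(?P<name>\S+).*?Image=(?P<image>.+?)\s*$")


def hunt_dns_log(log_text, domains):
    """Match logged query names (case-insensitive, subdomains included) against the IOC domains."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append((name, m.group("image")))
    return hits


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    domains, ips, by_ip = extract_iocs(rows)
    print("domains:", sorted(domains))
    print("ips:", sorted(ips))
    for ip, ds in by_ip.items():
        if len(ds) > 1:
            print(f"{ip} fronts {len(ds)} domains: {sorted(ds)}")
    print("queried but never contacted:", queried_but_never_contacted(rows))
    for name, image in hunt_dns_log(SAMPLE_DNS_LOG, domains):
        print(f"HIT {name} queried by {image}")
```

Two points the raw table does not make obvious: a single address such as 82.112.184.197 answers for several of the generated names, so the IP is the more durable indicator than any one domain; and names with only a resolver row are candidates for DNS-level blocking even though no session was ever established. Hunt on the domain list in DNS query logs rather than on the port-80 addresses alone, since the table shows the same address reused across names.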
Files
memory/1848-1-0x0000000140000000-0x0000000140125000-memory.dmp
memory/1848-0-0x00000000001D0000-0x0000000000230000-memory.dmp
memory/1848-7-0x00000000001D0000-0x0000000000230000-memory.dmp
\Windows\System32\alg.exe
| MD5 | 860f006505d429f00ec518bbf676d43c |
| SHA1 | 3479fba6ee8110c2f793fdc8c9ddaf01e117e851 |
| SHA256 | 2767a3a97e5cb84e28cf78959088079ed18b899b3ac47a5072a76e3a9a86a907 |
| SHA512 | 58bc185c0419b06c88f67ed710dd7987651b6fce6c146ad8f0f2177b1c41b5d80a03040ffdf0c822918e34b8ea04eebea65868ecee0c3ea8ff531c5f70125f6d |
memory/2512-14-0x0000000100000000-0x0000000100184000-memory.dmp
memory/2512-13-0x0000000000860000-0x00000000008C0000-memory.dmp
memory/2512-21-0x0000000000860000-0x00000000008C0000-memory.dmp
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
| MD5 | a3e0b47290f7b3bba4b5c5e6fecf597b |
| SHA1 | bc61342ed5573c982213063cb094defc05e71c39 |
| SHA256 | fb691a9824a903f4a736d876acba7e92f4424aa70e70d08640ff648f700f55b9 |
| SHA512 | 56958911730ff504fff42af51da13cda7c82ea9c50c4d331010521bdf0db298626ea2d87d903fa45737c91c9740ba23879808fd004ea35cb74e27a916992c5e2 |
memory/2576-27-0x0000000140000000-0x000000014017D000-memory.dmp
memory/2576-28-0x0000000000AC0000-0x0000000000B20000-memory.dmp
memory/2576-34-0x0000000000AC0000-0x0000000000B20000-memory.dmp
memory/2576-35-0x0000000000AC0000-0x0000000000B20000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
| MD5 | 84552bea8c1d30203c5475d92aff14bc |
| SHA1 | 1bae1ae53f312409e73042d8fae8aa5ff25df19c |
| SHA256 | 2df9aad4a402f55853bd1745112c32043cf8f32a278c136c82f65e84bdb9fd5d |
| SHA512 | b329c1b6d8ad524fd0f8f65f1582531853a60983fe1530d65f47e6cf1a2e8caf48c3391aa5d83689bb9584d4994d21509c6948a3993d210c4a50dd94ec347938 |
memory/2620-39-0x0000000010000000-0x000000001017F000-memory.dmp
memory/2620-40-0x00000000002F0000-0x0000000000357000-memory.dmp
memory/2620-45-0x00000000002F0000-0x0000000000357000-memory.dmp
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
| MD5 | d059075990ebd23fbc182fb4ddc9f4d1 |
| SHA1 | 5eaaecb024b3abcb5a599e8abf6169ab0a4c3dbd |
| SHA256 | 646da5a3fabf76b2dba19b1f38a22d2bbe0b33725d7787e4ae6440c4adff44ca |
| SHA512 | c78356ca41569feac4677c7a1ac78e6668d1c3b5fa04d36c01cc36c00d7e74ef5de4d7224df677b3654d36ea25b5ee2b796c5f15460510b3be83d7a114dfb815 |
memory/2596-55-0x0000000010000000-0x0000000010187000-memory.dmp
memory/2596-56-0x0000000000560000-0x00000000005C0000-memory.dmp
memory/2596-62-0x0000000000560000-0x00000000005C0000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
| MD5 | 44928b28f5e445b59c0dec34e3b1615f |
| SHA1 | aa1915212af606c3a1fbe20aef810f5e3c64851f |
| SHA256 | 7b36ac684bcbf1d040ff72b002a96efe9838d88e7a1c9a41b1229c00894eb807 |
| SHA512 | 6382b50ef0f92303e3d90f8975772b721a0792ae7d6d7dce3a611ebfc649b5b3679617af7c357fab861d5e8c278413857aa7ff407cc5ef6c626fa3572dd87a2c |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
| MD5 | 25f6640547db18f69dd5fa01a9c44034 |
| SHA1 | de69005078cdaf705a8152edbba0c1a8d5593a89 |
| SHA256 | 1e3167a611dac5673195b8d6e110d2da6d123a6e968a2091043c0c5eae35f0d9 |
| SHA512 | fdd56748145dc081ce4118deb7ef12aa554ceff6e0ad38fd3f14bfed3f1c0e82d19e292da9bb0f7ef5979473f794e48080a67216177f8b02975dce7f923a540e |
memory/1848-72-0x0000000140000000-0x0000000140125000-memory.dmp
memory/3020-73-0x0000000000400000-0x0000000000588000-memory.dmp
memory/3020-74-0x0000000000750000-0x00000000007B7000-memory.dmp
memory/3020-80-0x0000000000750000-0x00000000007B7000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
| MD5 | 4d2b9b0a39d1742f2449a9921ab0b03b |
| SHA1 | 67832be69a2afdf832a3d4f34032c75546e0d1e3 |
| SHA256 | 5542f6b4104b26223fb4f838600fca9b2048a7557678300263909adc0ce40300 |
| SHA512 | 3ce947a7c37f257fba2999c3a117e1419dd690738ffc100416320d33e44469d256b61cb421dd24644ef5fe97ed51dcb32c01ffd32f39bacac72560c35557bb6c |
memory/2620-89-0x0000000010000000-0x000000001017F000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
| MD5 | f174e17474b2ab1a74c08ebac4aa8b85 |
| SHA1 | f3122070cc2f917accd26e193b3a1d9f5e1d2382 |
| SHA256 | 08af66dffdca283511a94075cd4861e8b40e62e323ca9f86f01d224b0f32492b |
| SHA512 | ac56133725f7a89329e6e0f8cd9538861c0bde9043e35ecc171c5d854471dbb107a70682eed5f527442ac350fa3e82a3c847dd0611a3b842f3cfaf03cf5a6eef |
memory/2512-91-0x0000000100000000-0x0000000100184000-memory.dmp
memory/1780-93-0x0000000140000000-0x000000014018E000-memory.dmp
memory/1780-92-0x0000000000510000-0x0000000000570000-memory.dmp
memory/1780-99-0x0000000000510000-0x0000000000570000-memory.dmp
memory/2596-108-0x0000000010000000-0x0000000010187000-memory.dmp
\Windows\ehome\ehrecvr.exe
| MD5 | 545f44f9525e5d685f1cca30c6d427af |
| SHA1 | 50b4b36e477302ae646707072d4d1d83e0225541 |
| SHA256 | bd82e04dfbc37a66eec6399fc98058ee70a0f9b153440cc2867ef31260a2b557 |
| SHA512 | 054900fc11e6b3e188a9b8b53a54414e1b8d49c98ddde8b37adebef5350268fc96d5e69755543fa18a1f65190dd97076158b2007c05dc49a9039d54facb229cf |
memory/2576-112-0x0000000140000000-0x000000014017D000-memory.dmp
memory/2404-111-0x0000000000A80000-0x0000000000AE0000-memory.dmp
memory/2404-114-0x0000000140000000-0x000000014013C000-memory.dmp
memory/2404-120-0x0000000000A80000-0x0000000000AE0000-memory.dmp
\Windows\ehome\ehsched.exe
| MD5 | 767c9f0bba5fc1f930e5ebc34b886668 |
| SHA1 | 00266dd5f33af3a39d1f1fe12b1c8a790e45b376 |
| SHA256 | 424f1b19fd82f4e41ef0b82199dba0ec6fa102e94aeb447f53e8eb576516179b |
| SHA512 | 8ac89cafc92ae44123776f1a8ed4396a8ec21728c4870b0492c51fb5ffa49dc5edb37faae55df7dce7f041a13f22fbc3dee3acff3066618a00f85a3a31c8329c |
memory/2836-126-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2836-134-0x0000000000B80000-0x0000000000BE0000-memory.dmp
memory/2404-140-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/672-142-0x0000000140000000-0x0000000140237000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 3c7144213924ea0aa16b9b55e6016258 |
| SHA1 | 1d024d2de6dbec4b1ad22a127f2738c59f011968 |
| SHA256 | a1758430cf095f52dbd80218a38b0cdab5455fc682ba0dce11dcfa6340584240 |
| SHA512 | 5d05fb1d7caf7cc2e44128c49a872d9c18444d7510823a984f48a415eee4e8a9ad62d62596fb8c511422bc5244e3cedab9f20709b01a149bd3e294c625aa2881 |
memory/3020-150-0x0000000000400000-0x0000000000588000-memory.dmp
memory/672-151-0x00000000008E0000-0x0000000000940000-memory.dmp
\Windows\System32\ieetwcollector.exe
| MD5 | 7aab63941629ed787b0a7e3153735546 |
| SHA1 | 1f54892714441e010a6b46246055a774bc6ebc3d |
| SHA256 | b7cbd3832a6a0e4e93d29e9f6e9567620c09b7f8f616af326576b3020328dc6b |
| SHA512 | 77e64dfb912ed532aa4efa310549a6d914c2d83b5e044dd80de8734a26611f64fc395283d2122c7f0509e678d7c15726ce15e11e4d1d9bb1526cd3ffca323c05 |
memory/1988-157-0x0000000140000000-0x000000014018E000-memory.dmp
memory/1780-164-0x0000000140000000-0x000000014018E000-memory.dmp
memory/1988-165-0x0000000000850000-0x00000000008B0000-memory.dmp
memory/1692-167-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp
memory/1692-168-0x0000000000FE0000-0x0000000001060000-memory.dmp
memory/1692-169-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp
memory/2404-171-0x0000000140000000-0x000000014013C000-memory.dmp
memory/1692-174-0x0000000000FE0000-0x0000000001060000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms
| MD5 | b9bd716de6739e51c620f2086f9c31e4 |
| SHA1 | 9733d94607a3cba277e567af584510edd9febf62 |
| SHA256 | 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312 |
| SHA512 | cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478 |
memory/1848-186-0x0000000140000000-0x0000000140125000-memory.dmp
memory/1848-187-0x00000000001D0000-0x0000000000230000-memory.dmp
memory/2820-192-0x0000000000400000-0x0000000000588000-memory.dmp
memory/2836-194-0x0000000140000000-0x0000000140192000-memory.dmp
memory/2404-199-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/2820-201-0x0000000000700000-0x0000000000767000-memory.dmp
memory/2820-202-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/672-205-0x0000000140000000-0x0000000140237000-memory.dmp
memory/1712-212-0x0000000000240000-0x00000000002A7000-memory.dmp
memory/2820-215-0x0000000000400000-0x0000000000588000-memory.dmp
memory/2820-216-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/1712-217-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/1988-218-0x0000000140000000-0x000000014018E000-memory.dmp
memory/1692-228-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp
memory/1692-230-0x0000000000FE0000-0x0000000001060000-memory.dmp
memory/2708-231-0x0000000000300000-0x0000000000367000-memory.dmp
memory/1712-232-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/1712-233-0x0000000000400000-0x0000000000588000-memory.dmp
memory/2708-234-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/1692-235-0x0000000000FE0000-0x0000000001060000-memory.dmp
memory/1692-238-0x0000000000FE0000-0x0000000001060000-memory.dmp
memory/2928-244-0x0000000000590000-0x00000000005F7000-memory.dmp
memory/1692-249-0x000007FEF4E90000-0x000007FEF582D000-memory.dmp
memory/2928-250-0x00000000748E0000-0x0000000074FCE000-memory.dmp
C:\Windows\System32\dllhost.exe
| MD5 | c398b45820b94b127297fe385e787141 |
| SHA1 | 13673c0b88880dd5ed9a76076478a665be88edd7 |
| SHA256 | fb26f201cafed2b61411b9a6abe16cdde56e0bbde53a3ce6a8d3784f5a5a44c5 |
| SHA512 | d19ca92f25affe51f928a4b91b6bae4024c604eb1b792cbca9b95f15189bcd59a908d77e254ee8439cf4b2a993d3db1566ffee13293f7420aa3b86f4a2447701 |
memory/2468-260-0x0000000100000000-0x0000000100175000-memory.dmp
memory/2868-267-0x0000000000240000-0x00000000002A7000-memory.dmp
memory/2468-273-0x00000000008C0000-0x0000000000920000-memory.dmp
C:\Windows\system32\fxssvc.exe
| MD5 | 921be4bd5e0d157d8532d4ed9704282b |
| SHA1 | 909e9055ea3fb7b9020c53a1d3dc6377b09bc991 |
| SHA256 | d5eec5dbe3be44666b57768f327c2b5751928bd71e18ee3299a360598e1dabeb |
| SHA512 | bb044471233c784bb2efbaaebef86a0f4289c45501c408022813f96c9feb8440bfb3b8f1367d96fc136857e5d9f71db2b50efdc4ca04749afd48f0560b7caef7 |
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
| MD5 | e65f9170af042b8b178b15db2a46cbe7 |
| SHA1 | 0fe1af369d1f339ca9af5db28f8f5792e6fa12fa |
| SHA256 | 1c68524462a18330372a0026c4f2ed06b7a4cb10f904c2c54e4fcb6fbdb94547 |
| SHA512 | e155bc8255480c45551370722a71c4f45073eec7421b610ea8a51ef83cee2b555ac642cf1c38e23d542e2dfbdb67adbb10f79926dfb896edd4cb8e4cdf8fc6d2 |
memory/1516-280-0x000000002E000000-0x000000002FE1E000-memory.dmp
memory/2708-284-0x0000000000400000-0x0000000000588000-memory.dmp
memory/1516-286-0x0000000000230000-0x0000000000297000-memory.dmp
memory/2224-290-0x0000000140000000-0x00000001401AA000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 089d3616ee857000607267b0dc3decb2 |
| SHA1 | 0dca5177ad4ed266643cf22862c188e1901b7c6d |
| SHA256 | a3dc29818408ae6a02404f6a6f0fb228e383f895c0701007beea2e967029940c |
| SHA512 | 5306921fdfdd6c5c2e5d92f21d08dc6e832f46d4d45bb04fbacd51ae9a990ea16362429ab5c7b63dc01713b8243f95256847fa29f49a041827a0bddfec3008a5 |
memory/2708-292-0x00000000748E0000-0x0000000074FCE000-memory.dmp
memory/2868-294-0x00000000748E0000-0x0000000074FCE000-memory.dmp
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 4a1d8aefa4a995c26d5216895f605f6a |
| SHA1 | 7609e8382c63d683080f439adf2a1f4d910a4041 |
| SHA256 | aa1df2e7ff12b1d9d383244995d6bec37f6223a9daedddbd58e95a47e580ca78 |
| SHA512 | 2dd9e22fb3a6044e1c73204e5d519c9267fada66a821a01839a221cae5ed1272fb9e970afe359aceba53fc00767a2af3e93d61d0c8a82e35b9b02a3f0183efc4 |
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
| MD5 | e9793675c341c67bd43948ee63982932 |
| SHA1 | 5d9efb132fd3c853384da979032ceddfaaf6afd5 |
| SHA256 | 8f9b2c00ccfd24cea04f97c931d43b5dfbddba71452c67d218e1e61fdf1e0ba5 |
| SHA512 | 9bc203117c8353b91386f6e872599b81b474f2886bb6b7bbcafa8a4d77bbcef8fe9cf45ae2f8e98a4521239d60f3bbb61176528bc6dd09adb963e6553079f9cf |
\Windows\System32\msdtc.exe
| MD5 | 199ba9673f5565635458799cacb391fd |
| SHA1 | 006838844c31a116808d8e187197104f3b21ef64 |
| SHA256 | 9f7508d1b8287ac6bf92f5842fc7d8f277fd2abcadcc2fe76283a2734c27c018 |
| SHA512 | 267a90b99284deb706f4268d330ffc5559c9825516de1dfd87dbe149a965b5fda0e113e3f7d20e5f5cf586cb48d02d44d0a57480f97967004da03be6c3a8eaaa |
\Windows\System32\msiexec.exe
| MD5 | 0169220bd3cec0dfc23f46e5fb76e235 |
| SHA1 | f4fbcd9867c6e64397debc2aaacf1c1904968415 |
| SHA256 | 7bd60d79163db9adc40bf29abdddaded26c340dc757eace7acafc27cc33adf83 |
| SHA512 | e9dc8c629c79357f57a99c4938c5091dd1e76794d50b70546ed881fdd4000705478f6d5784f0b9ff006c1202584c2cf5fccf5487db316d58da625ab98e93d61f |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 4c45fb776e29dd355e3d95467bf4e31e |
| SHA1 | e3559465de2e260554f7783af63bc6a98c50ed23 |
| SHA256 | c167ea4bcbeb03aa0d07ca011ebd73b66c2ff67c9c34e18c2f20fd1d900b85ff |
| SHA512 | dc11e433a97866f9b8a480fd25df58a979fe7db5e9dcedd7572f96826610eb641b69d6227cfe98ccd1e8422a74e66f574448504d513d896d66628d56618a426e |
\Windows\System32\Locator.exe
| MD5 | 69f449cc8d2cc53d7841a15a012ee2c9 |
| SHA1 | 3d04d0a89a2f291cf2ab0217316d6741784b1817 |
| SHA256 | 162cdada4f5b00f1426b7239a9bc844619ee1db9f540eca96448eeb6c93dac21 |
| SHA512 | 44f62861cc0335f450515fa13a52d068ec7ce9b06819f2bfb2b9ce581f93acc6f358d7f6e05dee4311b83e6465b1036101f590afc95cabd739d522d305f8cfb4 |
\Windows\System32\snmptrap.exe
| MD5 | fe3b327fb72ffdb268ea3e33255bdedd |
| SHA1 | ce01678a47fa1aa2b1a21810383e519428a0785c |
| SHA256 | dd304be0cb77aa0a53d09ffc35725ab4a9e3bf74ff1b1e9126f448d4b95e6bcb |
| SHA512 | 8a37115718d69bd4ba79066c3ca2cd73e5a3cc4350fe2fc6bd74a90aeebf220d32d7ef62ccc3361fcf52204f3abba62539225b3306a63900d94137142b8d8a5c |
C:\Windows\System32\vds.exe
| MD5 | a4013d69b8e30de722d7ed4d906f505a |
| SHA1 | 62ad00d4509cb0146a96a48b3e8420f07c768cdc |
| SHA256 | 0bb1e7730c5981640127c73117d1b4fa9762ffa19e033ec6a040fbab0015dcde |
| SHA512 | ec9880986525eedf2dbc552758e3c8bea27bd1f50470d07673aa9b0d49097427ac33f2fe5bfd524ef6f62bfff4a78226a6f5c3c367b90ea46b95cf9848884155 |
C:\Windows\System32\VSSVC.exe
| MD5 | 601e9d9c533f37bba9e2db3ff15bcfaf |
| SHA1 | ad2a0f205911b75cf86eeadd2bd0f8b88e8300ea |
| SHA256 | cf3fcb01c17162fc342ec57a922c862cc95172905082d74274e1b7a190d50ddc |
| SHA512 | 9549707ba61ba0579e00c8fb0909d91382babc5fe48316705316b2f1bb7632941216e4c1386c78cb778ab7f01003eb60f0810ff0da8e18740c0d6b219865e346 |
\Windows\System32\wbengine.exe
| MD5 | b17f2b2deef3b27ee2f17ca1f2220ebb |
| SHA1 | b1399ddb68502d2c025cfaea3b4384c41b00b2fa |
| SHA256 | cef17641cd67a6bec90261c3c327e1879d9629e01421f07ec58b35c7b7a9b42a |
| SHA512 | 141fd996167ed0c9c9112d80b5fb792aa32412e9c2a5b4b49dfaaed5789b7c1f3456a9c884a8edf399ac32b152567f9ada3dfa0d3dfdf0201a1eb7e08d5f25b9 |
\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 8c6b82fc863eb6ec14225c152a083fc7 |
| SHA1 | 28deb8bbfeb7b34c2acafb83c36668005a71bf53 |
| SHA256 | 1229e8cf3f7c302bb2c864dceb09b2809f8cb25e08493db2960d92d3cc05280b |
| SHA512 | 87d25e191de531069850cf9fb55b8a0998556a45b488d9f285511e30223272f899ea8a2d558b47404299819419aa4cdc7998fcc5634aff391b5e4434371bc906 |
\Program Files\Windows Media Player\wmpnetwk.exe
| MD5 | 2c14d49a377451ef232f4b24da5f3d2c |
| SHA1 | 50784a66d954a1e40843efa46d9f77a7d7bcba2f |
| SHA256 | 1273c11c48dac2bea3190b8734de38dac444bf3efab08c4c87d55b939bf984f6 |
| SHA512 | b8db19b904db9b70b5a88a7cb7c8a553d15f563042cb1372e8857dc27168140213936e32f3ccf307a6d7d32156fa231829462a13a60e2e995f26965bf515e0d9 |
C:\Windows\System32\SearchIndexer.exe
| MD5 | 3b2de82864def7481a29a485f1f15dfe |
| SHA1 | 3cdcec3cae3a559ac401389697c3ef69123039b7 |
| SHA256 | e0320c25a4164bd60573d3b5ff78ff88edf338e05b4fd117892aac17dc397081 |
| SHA512 | 6df0cb45862c22f0624f7ffa0539b771fd4ea55b8c10966a3972f5a46e4b9e63e601bf8998a9fb3d3157599d637e6944f6953c65eadee013d58f084c52837016 |
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
| MD5 | 797286f6bd275073e20ba1d6dfc4ff1d |
| SHA1 | 1f889d4ed1188976f33ea15dd44f652dfe1225c0 |
| SHA256 | b52c6ee028dffa1497cf118a32b54ab7c9e5b56c774ad2d3799bc7257b9de459 |
| SHA512 | 6dbd54f0cc16b9fc9dc479a9fc5b00573c1fd29e65cd6c8870794cf0fc5879ee7b05cfe0211fc3bf84d3caa695dd826562e7db1ba08f1b3e978fbdf4ebedbfc8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 05:06
Reported
2024-04-06 05:08
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\alg.exe | N/A |
| N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| N/A | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| N/A | N/A | C:\Windows\System32\msdtc.exe | N/A |
| N/A | N/A | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A |
| N/A | N/A | C:\Windows\SysWow64\perfhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\locator.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\dc8f5f4b8642d83.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
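The rows above show the sample opening service executables under System32 for modification, and some of those same executables (alg.exe, DiagnosticsHub.StandardCollector.Service.exe, msdtc.exe) later opening other files for modification themselves. As an added example (not part of the sandbox report), the Python script below parses a subset of those rows and separates the binaries the sample wrote directly from the ones that then acted as writers in turn, and collects the non-executable artifacts (the `.bin` under the system profile and MSDTC.LOG) so they are not confused with overwritten binaries. The `SAMPLE` path is the one shown in the table.

```python
"""Summarise 'File opened for modification' rows: which executables the sample
wrote to, and which of those went on to write to others."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"

# Subset of rows copied from the signature table above (Description | Indicator | Process | Target).
SIGNATURE_ROWS = r"""
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\dc8f5f4b8642d83.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A |
"""


def parse_modifications(text):
    """Return (process, target) pairs; paths are lower-cased so System32/system32 compare equal."""
    edges = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] != "File opened for modification":
            continue
        description, target, process, _ = cells
        edges.append((process.lower(), target.lower()))
    return edges


def summarise(edges, sample_path):
    """first_stage: .exe files the sample itself opened for modification.
    second_stage: those first-stage binaries that later appear as writers, with their targets.
    non_exe: every modified path that is not an executable (data files, logs)."""
    sample = sample_path.lower()
    written_by = defaultdict(set)
    for proc, target in edges:
        written_by[proc].add(target)
    first_stage = {t for t in written_by[sample] if t.endswith(".exe")}
    second_stage = {p: written_by[p] for p in first_stage if written_by.get(p)}
    non_exe = sorted({t for targets in written_by.values()
                      for t in targets if not t.endswith(".exe")})
    return first_stage, second_stage, non_exe


def paths_to_verify(first_stage, second_stage):
    """Every executable touched at any stage: the list to re-hash or signature-check on a suspect host."""
    paths = set(first_stage)
    for targets in second_stage.values():
        paths.update(t for t in targets if t.endswith(".exe"))
    return sorted(paths)


if __name__ == "__main__":
    edges = parse_modifications(SIGNATURE_ROWS)
    first, second, non_exe = summarise(edges, SAMPLE)
    print(f"sample modified {len(first)} executables directly")
    for proc, targets in sorted(second.items()):
        print(f"  {proc} then modified: {sorted(targets)}")
    print("non-executable artifacts:", non_exe)
    print("verify on host:", paths_to_verify(first, second))
```

The hashes listed for these paths in the Files section of behavioral1 are the sandbox's post-modification copies, so on a host of a different Windows build they will not match either way; check the paths returned by `paths_to_verify` against the Authenticode signature or a known-clean host of the same build rather than against the report's hash values.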
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_e5874500038ebae29fe765f303978138_ryuk.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | 12.82.128.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.61.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | 138.71.29.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.218.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | 224.32.91.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.78.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | 245.229.41.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.13.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | 7.206.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.13.160.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 34.143.166.163:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.168.225.46:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.94.160.21:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| US | 8.8.8.8:53 | 46.225.168.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.160.94.34.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.168.225.46:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 34.174.206.7:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 34.162.170.92:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| NL | 35.204.181.10:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 34.29.71.138:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.168.225.46:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 34.29.71.138:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | 10.181.204.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.170.162.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 34.29.71.138:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 34.143.166.163:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| NL | 34.91.32.224:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| ID | 34.128.82.12:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 34.143.166.163:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 34.41.229.245:80 | jwkoeoqns.biz | tcp |
Files
memory/1204-0-0x0000000140000000-0x0000000140125000-memory.dmp
memory/1204-1-0x0000000002070000-0x00000000020D0000-memory.dmp
memory/1204-7-0x0000000002070000-0x00000000020D0000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 8522822dab5ac8c5d554f30f453af072 |
| SHA1 | 00aae8a624941687cbb3e919bf7e284c2e8465b8 |
| SHA256 | 051ae805d1d1add6d6afb388b9d9bc7beaf20f6ec1068878109677d16d507da9 |
| SHA512 | dd29a44719adb41565577cb4a589904d808749518498476637af1a7641b95e8e4bc273618637a8df59b5897b4d06ae4def30803853576a1be6101e4649d659bd |
memory/3540-13-0x0000000140000000-0x000000014018A000-memory.dmp
memory/3540-12-0x0000000000710000-0x0000000000770000-memory.dmp
memory/3540-20-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 4038cb9250c7c412c61d4c636cbd6d3c |
| SHA1 | a78609b083f76393da106d85e06e666aee34d64c |
| SHA256 | 1a0dc6f1a551c5c9be05a2474253a3304af405d4a6cf7c8b77700596923320aa |
| SHA512 | f06fc2a3c85c05288602b0a5180601790e22e6b12e6d4be2444425455b142cc51ffc5b047daac0efd8b1ecd6acf670f34168ba010fe7b661a8f4afe32efe9604 |
memory/3700-26-0x00000000006C0000-0x0000000000720000-memory.dmp
memory/3700-27-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3700-34-0x00000000006C0000-0x0000000000720000-memory.dmp
memory/3700-33-0x00000000006C0000-0x0000000000720000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | ff414134262ff43284ab194545d5f12f |
| SHA1 | 679354521b83817575640bd36281cc5031974f16 |
| SHA256 | e95edb7793fb697d611bc9e594d48500ce98a51a252866d8281d3e20bcf29d07 |
| SHA512 | a7ac00bf5935c2509b65cf50c275e1b5494df093cca470d9bc89393da078dd1e637fa28ebcf38cbfc68a4810a8a1c3d5422471bdf8c55ac25937c58489e917f4 |
memory/2748-38-0x0000000140000000-0x0000000140135000-memory.dmp
memory/2748-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp
memory/2748-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp
memory/2748-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | c3eb0f1d32e5d9635327ae3ab65bde2b |
| SHA1 | 29ac4d0252e3c3e26f8e864f50c349bc934ad6c6 |
| SHA256 | 9b2144174859b9bd36941d84747cd9ee921c094bd6ef2351a0530669e226cbcf |
| SHA512 | 7a7586b67b8aebff83acf92de3aa8f3b0ea5363921ed39a06b2718ddd8ff72a0b3604b28da0b5ad71cefde11a77ddecc64057c1371d9a4b06b95f86bce752b84 |
memory/2748-52-0x0000000140000000-0x0000000140135000-memory.dmp
memory/3652-51-0x0000000140000000-0x0000000140237000-memory.dmp
memory/3652-53-0x0000000000DA0000-0x0000000000E00000-memory.dmp
memory/3652-59-0x0000000000DA0000-0x0000000000E00000-memory.dmp
memory/2196-63-0x0000000000890000-0x00000000008F0000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
| MD5 | ca5f1bd4481fed66e4e4bfec275847e5 |
| SHA1 | 67fe174c35dae1af953a13743f96a68bf84a53a6 |
| SHA256 | a02e7cdb5eb15b42ea8f3c22d2c75c8b00e2f0c7b15fb7b3586c0b6bfd57a24d |
| SHA512 | 875e71e8bf7df9ca9a5b0c2a4c5a485d9242d15138547ff60253b4cd56da44495c456fb7974b21d28c2ce94f7c073f0d78e5554c23b85495b64162eb15fe9ce7 |
memory/1204-64-0x0000000140000000-0x0000000140125000-memory.dmp
memory/2196-66-0x0000000140000000-0x0000000140245000-memory.dmp
memory/2196-72-0x0000000000890000-0x00000000008F0000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | aebeffb17652f5158c69bfcd2a7c4e09 |
| SHA1 | 83924d56b582c7fb813bb428aeebbe71e300bcad |
| SHA256 | c8be8d0d33fc563dacc4545f64bf43fb55e3b9ac18ef201c06b241972344ddb8 |
| SHA512 | b7974c3e58658045581318aba8061074d178c55e0ac4f727984fc2472ac3ab51c15d720aa9f31f7e437df672005a18b3c0c45c3798594e6372f1861858badbb1 |
memory/3540-76-0x0000000140000000-0x000000014018A000-memory.dmp
memory/2036-77-0x0000000140000000-0x00000001401AA000-memory.dmp
memory/2036-78-0x0000000000C60000-0x0000000000CC0000-memory.dmp
memory/2036-85-0x0000000000C60000-0x0000000000CC0000-memory.dmp
memory/2036-84-0x0000000000C60000-0x0000000000CC0000-memory.dmp
memory/2036-88-0x0000000000C60000-0x0000000000CC0000-memory.dmp
memory/2036-91-0x0000000140000000-0x00000001401AA000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | e4c434075c3b47ae4dfb6a3d68f9f5bc |
| SHA1 | 093e17cb3d5f7955c4b0630a6bfbb794469681ce |
| SHA256 | bd07aca85f0539655c9efb49dce02d49d72525a9625b2c728b6b058e267741ad |
| SHA512 | 69d8d9456c71991efc72da129842abcd76d70cce47d8a735110f796640616bdbb7e8a4e29f6e13b4990763a15e35c231c88aff8c7ee7a411764b5372890b417d |
memory/3700-93-0x0000000140000000-0x0000000140189000-memory.dmp
memory/2224-94-0x0000000140000000-0x0000000140199000-memory.dmp
memory/2224-95-0x0000000000770000-0x00000000007D0000-memory.dmp
memory/2224-102-0x0000000000770000-0x00000000007D0000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | c10f8afacec632c00249e1ed775fa8e7 |
| SHA1 | e40883c178bd1ccd0c6b6a32dae6f097bc32ac75 |
| SHA256 | aa4111d0ae321f41f1790998f26121d8f766eeeadcd4434f6a431f820e60861c |
| SHA512 | 50b6a885a0d0c1f7c3daf11ff2dd70a051b185dbb0c8e0a2a16278ca5b5e5268b6a83b129d2c5b7c6fd1df9a8c37270c26325da771700b8315376eeeb9e1a56d |
memory/4480-108-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/4480-118-0x0000000000420000-0x0000000000480000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 6be684584b458b40717efc70c47d9b33 |
| SHA1 | c63bd0dbf92b17555ec1662ffb3b0484c425b9d7 |
| SHA256 | 6e587cd6b44efe34b27b75ddff4f37c7b7665ed1203f860e80e013145dec4be1 |
| SHA512 | f85cf2822dd807bded608568385f1737d6e8fe9d980877932c6d66de756f5f052ab3dea8ed1b94efba286c84cb8cc9653f198846930decf215f3a021665b7e86 |
memory/3652-123-0x0000000140000000-0x0000000140237000-memory.dmp
memory/4192-124-0x0000000140000000-0x000000014018B000-memory.dmp
memory/4192-130-0x0000000000B30000-0x0000000000B90000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | c0d68d899d02ed25e6ee77847c2776f9 |
| SHA1 | e49e773799591858d16213f01fe52f72ff5e15cf |
| SHA256 | 9de8f7ef62744941b9fc6966bf5158b946138930a337e7b247d752888f389a72 |
| SHA512 | df15219fbfea9416c440cba5effe5c9f8c26d0a04649886f9ba6d7b8406a5bc1cab1c8003edab72cb5c381f4b8d646914298836c0e148a7ef1f21ad5649e44c6 |
memory/2196-135-0x0000000140000000-0x0000000140245000-memory.dmp
memory/4200-136-0x0000000000400000-0x0000000000577000-memory.dmp
memory/4200-143-0x0000000000600000-0x0000000000667000-memory.dmp
C:\Windows\system32\msiexec.exe
| MD5 | fce5a00040b28d633f002692634261ac |
| SHA1 | c212561f67ea13f910b60238adebd69680f7a600 |
| SHA256 | d87f50369f5748283e4a5281aa36c022f6fde4e0e3549704ae877dd7ca604ef0 |
| SHA512 | 938bcbedf9fcba7a0475cf81d9500db26f6281cc6bd3ba70f0b7b8a6ce0758896d3a9337ac582140b30f36728964bd084711dc9091c215f72fa3678f830b401f |
memory/1204-156-0x0000000002070000-0x00000000020D0000-memory.dmp
memory/4432-154-0x0000000140000000-0x0000000140175000-memory.dmp
memory/1204-153-0x0000000140000000-0x0000000140125000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 2d56c45c7e0d46d24430d985ca6af17d |
| SHA1 | 5f4d7da695bd8f3e683aeca1687b8418fe68c2e4 |
| SHA256 | b38976d44098f563d425d0712a755091ae1722d2c2d2be0484edbcae961b4ef7 |
| SHA512 | 9f02a6991c75d0bf27d114af9dd72322836210b3a42bc83de95f802a53c56be9985992ae2e1121d263633fa013460c48ce475ab5173a27e881bb243703a02b98 |
C:\Windows\system32\AppVClient.exe
| MD5 | 8440fbd1bbcfe39931834523cfbe0ac9 |
| SHA1 | 281504e98c723643296f7c5fdf8175757c39444a |
| SHA256 | 404806d4ed23a0da0af69f90aa2b2ca1e13a5cb778555082ebaa2ba488f72499 |
| SHA512 | fdf8448a32108115829b2b59334a2e31e6652173db6d228262ff1008f76216f9c9e811fdc7d7f68d530e98ad0f62416d1b43a013237cfede1f2dd5a8766b68a9 |
memory/4432-172-0x00000000006C0000-0x0000000000720000-memory.dmp
memory/2224-233-0x0000000140000000-0x0000000140199000-memory.dmp
memory/4480-319-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/4192-322-0x0000000140000000-0x000000014018B000-memory.dmp
memory/4192-323-0x0000000000B30000-0x0000000000B90000-memory.dmp
memory/4200-324-0x0000000000400000-0x0000000000577000-memory.dmp
memory/4432-326-0x0000000140000000-0x0000000140175000-memory.dmp
C:\odt\office2016setup.exe
| MD5 | a33dc0062ec3e87e10904e405d69bfb5 |
| SHA1 | fce904818a3ae0f40d6872c5c7ff1f2369ce3298 |
| SHA256 | b6dfa530d2fb86a49358424bebeaf3577bd124fbd566fa8d0c7a7939d8920e84 |
| SHA512 | dc56ce491ea37ea95d277f4bf6e3e11ef8579d62e1f2790589a9bf9cc9da617480344ded9d47c8d76f574ffaf7cf8c6ff9c802c06c0cf7a3c4894f90cae8edfe |
C:\Program Files\7-Zip\7z.exe
| MD5 | daf2289ee65bcb81293935deb6ba0074 |
| SHA1 | df7f518f006368d38fc51bef7805511f77aed474 |
| SHA256 | a7401d749b3f2bd4ef2f0cd8a0e9721035a9bc3b15d661710caff908cc77b138 |
| SHA512 | e42aa25be7f2f4c7b389111dc1ee9c55fc3e2c84a360bf1ba629da75a2bf8a085a90293a355f678a3fa5daea3c4ebecf85ba72d91873024895638dbfdb8f389a |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 268b5f54305ddb0b0563bb5724d5ebee |
| SHA1 | 446ab90de6017bd99e3d7b508392e752d989dc7e |
| SHA256 | 50f9f1b02778c1ba77bbe60d32befa50cd68c10487c06c537335762e0352bc4f |
| SHA512 | ed6fb6ee515399b9b77949d965105a45e11d52ee325d7fef142b27d9faaf365d980ac817570c6db4be4098f03bb3ac4ed36d77160270ffe6b92f3dbaebc5a3c7 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | b860259a4ad0fb8d555462f81b924a6d |
| SHA1 | 380ca13d62d9697f2bdbe4ad7f1f8609c1cd36e3 |
| SHA256 | 23d3f0955eefbf166fad3ed5ca88b5545ac40af1d3e9913721f42d5edd3914d9 |
| SHA512 | 33abe4ef1494979d59a35e9f482d32cbee4b61bf3ef3159c2a26bfe564bf5782ac6df1cf027dc6e1a9fe817d1bcad85598812f57e85ff327c8de59673be06857 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 2abec2ac2688fc7a578951539b451229 |
| SHA1 | b53f6cce4f693b96c03587886b9f5d3cf7d2ca95 |
| SHA256 | 9fc2299e048741b6c73b181f56ab297b3a5803c81d7a9adc1d0473d22d3055cc |
| SHA512 | 76fb35b63832e9acad73788478549e7485fdfe2b50c2f3cc41b4a69b3101b97980a484a7a8bc5f9facde215cb7e564702a629d8cfc041a4a28f4aeadce554d9f |
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | c4b7826f7fb58020541ed6b30f857477 |
| SHA1 | 568f193dc1e5f92f233f5f48959e39a314fd8964 |
| SHA256 | 8c7b9e260cce939200f0d7085d051fd755c3b74d5b2d79ccccae7864a2e6173a |
| SHA512 | 4c594e79a07892639dc4b0754dc95e8f40b171d55e01c6d4a461e7a76753edd30ab8583ac41c0a569056fb6c45781b2f60a27bba5cbbacf791790fed75b5709b |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 7b9f7fe0ea51cb2fab0f7771a29e1016 |
| SHA1 | feb02822669655d79f297bed77b8df45d5394f0f |
| SHA256 | de54b28501d4834166e01c4454996fe5befaafc4a54f398614ce42c7fc43a796 |
| SHA512 | 0c5b0e103830deb290ac94d9ed8ebc08bc2585793d02b6df1f6cd2ef70532b38404783e3e01059fff534de0ec8b1e8e4942f6b251dc78b5efc570b092b6f5d6f |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | b1210e371503dc06f717dcd3a4b524e7 |
| SHA1 | 95ba25f2ffd65182390d8b6dd8980cd17da40a57 |
| SHA256 | 536725c32ff2f5122b701e0b32ce2a08920c891fe9bbbb6c8b3f74daf3af7782 |
| SHA512 | 34583a184881e106baf7e6a5ab82e51cdd0c678c1b64dc74c2efb775044c2d76041423c3a8483a3f53e94513946ac06cf948f612fe5a0672c0e8f554b415a4cb |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 9e3b6a406916c8ea0505c6229f696021 |
| SHA1 | 2b1e7993a65f8f0649c88c2275bc36443a50f60c |
| SHA256 | 0552358000dc7ff623242fe0d6e5bb2046ec307b25f06566faf497a5c2277a07 |
| SHA512 | c5c33ae0858355123b06341e5ada75f3635d13c39fe1803ae146dc86d83aa2a6834426abca669b97f672094fd06d315dc230160ac948a35f7dfc10d3f737953e |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | cd427bdf5e4b1d02979613fcbb35a24c |
| SHA1 | 5c6fce47f2a5443f5be6de47e660ddd0af3292d6 |
| SHA256 | bbb01c2dc7cdc67b9bc2635a94e78b5f3724f526cf7f5aa88c50d6c52c32f519 |
| SHA512 | afa9be709dc3eaa5d2e04447c010a6b575ce4b7c70036c7973b54050672159f681f3669a8dd43afa86ac98a7cb2f06af8b8b87c4e0ae261fd0f56621f8302c8c |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | cd1ac3f8d422d80df06b7670966dbd2e |
| SHA1 | 523bef8520f6bb787b402334fc5843d9138d6559 |
| SHA256 | 36c13815c65a80ca5c85c313bf17ff7283b46c031426132db73aa2b8b2623fd4 |
| SHA512 | 57fc2e807fc7d17815f472b48eaafc78b80b278321e4a803afdb074487a3896f5e224a1b31cb7fbafb3596b6446a3e894e35983129f756f5c12eec3d97ac8e6a |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | 890142616d4fb91cb80bb855af66f327 |
| SHA1 | 830604f05d64bc3dddc27d9523ce73ad31a801eb |
| SHA256 | 3c28e6e4500f50c5e4712c95e2f01d9ea0dbe8e49e0fcc310e0c64da4c0597b7 |
| SHA512 | f1906d30441e9749e7b77d4cc87b9be3c3b3804bdb1d5397e2e3c7d5dbfe10e155e5dd88cea517c3283b5d69464c4a7b399d1a640108a9b70b297b2630959ceb |
C:\Program Files\Java\jdk-1.8\bin\keytool.exe
| MD5 | 1f6fd077ea025edd956d820e82baae7c |
| SHA1 | 3ff3042237e89cb1c3190922e9c8a72ddc3ac77a |
| SHA256 | 25c63acf730b0ba000090302aa7508d1c67e2c3ea98bf55b9a8c89c79f8a9b51 |
| SHA512 | fe8973c463dfea4eafc1693c0d423448d74459e1e2d6271eee7552c822d51490246b0c7906c68f52d85b4bd6b6c34f6421283a4d0c151425e9b5f28e7612860b |
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
| MD5 | bc5db2cb1943870a5be952555ffcaf70 |
| SHA1 | 621855d545ad72ea145e38a686737dcf0d3523a8 |
| SHA256 | 13625e9e2c99cd13a0b77b0b940c38b669e79f6c09e1bbb6bcbb358031eff587 |
| SHA512 | 287ec91e6f7fa2f46b31ef3d49096199a2987cab183803da79b95bd3621120e7de579a3c66c1ea2a0d449c8c1298bda4155bf89c295aee96c1d45baa00a86a54 |
C:\Program Files\Java\jdk-1.8\bin\jstat.exe
| MD5 | f2c9785e25674a75eb86c5ad3e512c6f |
| SHA1 | adc5ef2b2b26375e23fc206be97016765bb36f7a |
| SHA256 | 657de3eeb0d49cb10a90168bcc784f124223edc9056cf01466931caa2b300cce |
| SHA512 | dfd10865d4a6cdfccdc547ffeb19bb5b00098cd3e4ed44525b944a537a7a77412c8484642064c9a180dbf8c53f4bd7892f0f9eacbabb2d6369f490328178ea44 |
C:\Program Files\Java\jdk-1.8\bin\jstack.exe
| MD5 | abb132f5b06c6b1d95fe1b4cd289c630 |
| SHA1 | e47797ecca347cdf3a021c3e81b728545aecd3c7 |
| SHA256 | 85ef3685613c3362b42f0c34834956f2ac09c94a083eb112629fd8700e99f067 |
| SHA512 | 3692b1531fd7966a51adca7b8ad45c7e8e9ca66fc638b3dace2cb646e0d1188fc159eea72e32011fc8f1afc65decb86632829be23299d96267737cb217f4cca2 |
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe
| MD5 | 4ca9aeac988a814a077f69f6e161bf85 |
| SHA1 | 82821d17ade717d06f1c198b3e1d67c12d4dd56b |
| SHA256 | 1e2e4f75a93cb2fb3c71207967e7f7106e630b75c3e9301f827c8668200a4590 |
| SHA512 | 6af82d45bef1a6166ff3bd8c40407fb6a5137dfb2d33ae6f827d498c58fc3467e5266e5a1df80e54f7b1e811a0a9c988ab0c2f627175fc45a507fd6aefe50399 |
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe
| MD5 | 2e22dcf66fc1aa6f7f7c31d2c46588ba |
| SHA1 | 69e3304a6fd1ddd73dabec282adae5c8d0ec98ef |
| SHA256 | e432b08b4f7e12207769982f641597d67a977531f7b4fab90ac86265ce0cbf37 |
| SHA512 | e5e04141e75625fd32832955334d73bf22d39c7d8ab15949d463eaa6b3ae471c499c7283db6718046f4d2dcfcd2d20771dcde34971df9f4147a8fdf31859a1eb |
C:\Program Files\Java\jdk-1.8\bin\jps.exe
| MD5 | 3865050c8f349a60cb431cc8dd5199bc |
| SHA1 | 3389852954309d34f857393167ac57029a392cc1 |
| SHA256 | c5f0e52f18dc9af92bd4c5420a39a850243613f3ea2f40ef9286e59f4fc0a879 |
| SHA512 | ddc050e9bfd725ff8dad01be13e17064fcf73640dc633784116646cddb883858ac0999ec4acf1e5016bd2c6e51d51649af01f5a626f25f9971de65861bb360f2 |
C:\Program Files\Java\jdk-1.8\bin\jmap.exe
| MD5 | b268960a4ba5131adec0daa739df82ee |
| SHA1 | 1d8f7b494d57bbac6d3473da26eb99859ccf62a3 |
| SHA256 | 93a35d2f1cb6494e324fefb4dd12d1e1c5474441b08fd52ba727e89ee0549123 |
| SHA512 | 0607c8bdc4ef16002200209f24f9cef4ae1e67cb1f95cc188f1698df213dd25290b821ac5a4d09702d4e11c07f019d5f5dfae1de0579fe649075c39a746a5e70 |
C:\Program Files\Java\jdk-1.8\bin\jjs.exe
| MD5 | 1668b57cd649e2224064229fd58fdb5c |
| SHA1 | 77cea69cf7deed916964044e1873ea8110dd2b47 |
| SHA256 | 280ee67a02d0a7bc5fcbc25563ffc438734c4d601a4db808bf8558fb5026ef20 |
| SHA512 | d3d60c26e47d823e82b8a31ce0ebc409d50839c4eda1bd5aae455adbf8fdbbb3028455eca2efb903f522d82e2c5f444bb4ec04c2fe06e60fe8852a466ec06634 |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | d6902412e2332734a0461ca9430f785a |
| SHA1 | 9717c634c0eb18daacb0f1b4716ea0cf87b1f205 |
| SHA256 | f50dff7ad040478a23f9a3b99a5ddf7cf63c4db3a79c8f44cfe1c8723c3c9f12 |
| SHA512 | 94814ac6fd41a172f912452f4ad677295d788059622e1c4f2441c173e8856af1724324dbedca889ec3ebe27d0f43ced3b9d854ed6324ad514e656740e0502c13 |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | f66b65000f51646a229b8198b36074e7 |
| SHA1 | b7a39659145ec5c3637954b14a44e433c51441e4 |
| SHA256 | e6a796e42a68cc3e926033b093cb7f640b120aa9804d2f9b6ffd44313159f265 |
| SHA512 | 67a1cf26aebb2e276914e87532fd522e830ccce2e29843ec8f956e5eefe20af0a837b4df251c432636aae119b40a4b41567f163daeeba860a576f99bc7b9a120 |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | fad7b133ca64352ac291b93e230b970a |
| SHA1 | 064e2ba4a5a10d0042a4c3e1d45031bd7e28e03d |
| SHA256 | 78e1aed88a89394e7dbfd21f7f66cfd2d51b5bfc2034e3be89ecd0be92a22039 |
| SHA512 | 5e93c3d37b149393395a7ede0e483f92b6cca8e164ae4abb83b1f1c5eac37228232d25c1c6e5d88e3fb6f2468fd85cb7828e8705a9f8aee32175fac9f938b7f7 |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
| MD5 | 0d402dc4bd03e14df4e09119b4fc4281 |
| SHA1 | 7038c1ab9864006532b6b0b8a439b26b9f59fc83 |
| SHA256 | 5fcdcfa4f842ecf577057f343ebd5fc06ff030ddd449fe3ebfe8f4762b4f7d99 |
| SHA512 | 0bb907ed3e246259824cbcc1c619ad1d6669eaa6d3d70c50584e3d1dd3fa63161b9a209aa88387d71468b7db92e99935a875ae6834d19e0556e4b1f892ba4c04 |
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
| MD5 | 15a824618587785ffc257f39d4e22598 |
| SHA1 | 462c0a92ef75b40d51c5c8ef08b379db113c155e |
| SHA256 | bac2e5be72621917d2b2a6048df99134b4591781a0b5aafa49546fad202b973d |
| SHA512 | b40e3d0d0b11b8daee1da110747025aa99432301d6a450784d496a7058867531092ad464464c724d197adc697237e9d09ed609d1ad694ca89fb8d6eee9d23773 |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | 1ae7e4598a16b07706b77578d22b6b6b |
| SHA1 | a07a0ab75c1a77a73b53d24897f8168cff383f9d |
| SHA256 | 920d1bb9fcadbb8f8035b0f051ed9f2f3625d07db441275807fa24f8144e8254 |
| SHA512 | 5e60f94d5fc1dbd00b631f5162f3ea0ee0b1dc9ad11403d68131b59840aef89890b3e5d26b706a02f6b6375180b84aa9009f7881b45e12c9f28ef0686a48c6c2 |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | f929d5423e7dfaa057cfa588ac1bed57 |
| SHA1 | 20a58ac2913d2e602ae733ed696772431f2d7d4a |
| SHA256 | 93ef1826bff1a4e798442a30be809f35cdb9c45fc33172b0ae5647dea5f591f1 |
| SHA512 | 9011ac9baa6fc0f9166065c8616fe1d7876defa57e32af67ee866b4448b5d00124e6c16b76c23fd3ef863f24b6b84b3fa950db8fdc6676c6e671c739e91cd9c4 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 3ff67a9b6008d52c98dc6ff9a477d240 |
| SHA1 | 79737b57d85b52c79f6890a863a5e4ec3d9afe39 |
| SHA256 | 0c6a6dfcb3761da53800784e0adce7a3b91b1a8ec0a99fa29ad16f7f59f37b24 |
| SHA512 | 52fabd906c34192d7a656ec6214c70b36b197cbceeab8bf006ac74e48ac76734553af048245b5857330ad10c072197d844a6d9c6d7f436d235c3687b0e4fedf9 |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | f62e1ec0ac7bd6a5e6030d6f53c42a8b |
| SHA1 | 899c8a56acbaede56bc52cd2b77321643316fd03 |
| SHA256 | 31a673773fe9eeb1a24a2c1a42d8d51777934605f48bb323f06df45b9308c072 |
| SHA512 | f25c91b11cfc85739c97bd2e9729a97fb2d2daea36c14b78ed337cf4a5c3e127274e5e5eedf7fde4580c3d8b7d9cd2b9ffacbf83c303ada907cbb8f7d08199df |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | 2578b6100a8669b6476ace48ae8a4dda |
| SHA1 | a807bfba7bea8db828c2a274f4ce7b12f879993a |
| SHA256 | 69ff54bf67079f1c382ff8b93809103e5fe72fd76141c2ca135a692d7e2b8c35 |
| SHA512 | 78c5f67faf115e25076e8f97a919d024a3722d528c9c81c2fb56177cf546a60797a70e22ffc00a1340325daeeaf4d8ea1a1dc1c18a8c7a3f98d72a8217d72c12 |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | c8ee85b597f051001e01ae246046bab9 |
| SHA1 | 50e286729709c7207cf72665e0c75fd1647dc32f |
| SHA256 | d7b5e62a76f0bd56880964dd7896223936af3d3873f78173a038693cf0f53ed9 |
| SHA512 | 848c1d91780939e206485321f3c5ee0afbc447bbfa0d77bb5e77cff935b26817dcdef66878b0929b3017c46079b33b61487989336eb1d0f8e950cd9c8087ddbc |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | df3dc19ba72f94f6eb254def29f61b5a |
| SHA1 | a7c99e76a519ff23886418c647b3bdfc34e70761 |
| SHA256 | ad77bb02b799e741e4c2eb28114bbede06c908cf6e22adca193e9c5620d9a588 |
| SHA512 | ed3465f3835f57d429ac75232a394a220fbf124103fa23cdf098529e551a374e804b7fd8a6768a60707adeb49e0e3006dee682b88c4b13a745b4da1933becbcd |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 3bc844b7b0ce27f8e0ca8428fa56ffea |
| SHA1 | 9de54ff43c3bdcb9b14ce953b2a37949483c669c |
| SHA256 | d7558169b19d97ea9f77aaac6f11d7c519bb8b25b4e5da0d527671fb1f1686cc |
| SHA512 | 661ae49d656d0b8e957b26b947a89c1c5af6b05c12f96281abb7ba859912d69f2ea66842e5dacf4011b361f5fb2f52a2960a20a7d8cf8f2fe96b60896d2067df |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 3ad0fc5083e0210caf934df875de5337 |
| SHA1 | e52c26812af98d14ce1f841114a8758ae1b0d380 |
| SHA256 | 55075a8bf5efdb2f5caaa1f8e98e004436d05c5dc4cca59b81b220a5efda27ca |
| SHA512 | 4e21f166850758b885e515d9cd271bf834197f2055f9c1c514649eb8562a5cdd0e70ac6a2c2c85a441dd0a1d2c69a82ec919487f2f4e9a5a1486d0192378c7bc |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | 9ae5818ebdfb0ccf7803ae7026147dc0 |
| SHA1 | 890b0e084670ecd48d139fd6d7705cc64a3172c7 |
| SHA256 | 61e49a2086ec47b20b5a0e34cfd576e6165b4f4efd33108dc7fea93ee4d05c72 |
| SHA512 | ccfbdd0d131f67126233d8c648c77f89a71e33ccf268a27d3e710b48323c3dbab4bc297c8085e9e724c3a0678435df8c48fefa9e9c0bc7bb6f6209b36624d230 |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 38c799e1be97bd48e7fc9360e23de008 |
| SHA1 | 39f64fba9aec24b1d5cdce8dbcd877fed8e501f3 |
| SHA256 | a802db4a53c24506fe05130fa6df281d4270e6fd9ebd1a3c9c50fab3216f1aa3 |
| SHA512 | 49e6cd566cbd064fca320ba7795348b7cf224db2aa6caa228ba78706992893e6a8fba4eca3dd216cc9f9afd7400672d04097518a435da4f44d1f217ab3540188 |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 715900b6c28666a1eb7062a5660e7af4 |
| SHA1 | 570400224c9020257dbceb23f3e4cc12122d200b |
| SHA256 | ca4415f3d5ae41495ff054222cb72272e3e711e7d7f720f389dd4229fcff8160 |
| SHA512 | 86baa34af6ec4bc3cc5ef9f7305d3fa0555a44b5b96c474d9edacba5383ff45f27eeabe66d739a634e3d09692862955c04892661910e6233afb54e50e618ac29 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 9c1727919fa1a30af8383ccf9f091516 |
| SHA1 | fac0cef68c8e820a8ed1e4825952c98581db1834 |
| SHA256 | 0292bb93db2c5beba3178c543e5ddb37c2166170182f9e7f14a81741c0e035cc |
| SHA512 | 3a2957faacec66704d2c52fe0225174f12c55af7277fff8ef46ec1a38357f04501ad29a85a9d3347fedbb144d2e030cf2abc892687890e8f4b55347fb6a97c77 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | ec1189eda7e376b97a90c62c00e4fd8d |
| SHA1 | bc890a8ffa994248fc7a5f28ac5f7a833d62c86a |
| SHA256 | 43c8bae99e69a5de1c886a4b22a9a6c3b5c5d640c6e55b4ceb937a8358e0d295 |
| SHA512 | f496fe27e7b35cbe8a279347ae666b7c135e0f0bb35da15a6b5379fad682f8503fe3ef92e3219a32e6ddac0f63503c0173027c1726472e812e45db2cbf7d0f47 |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | 101c0c6a3dbed968d6cd494dce4b755d |
| SHA1 | cc2fd76e45c4483ed87a546b143b56f1c83e447b |
| SHA256 | a414cdde16f6c39d20071164378329a37fdf91b54da7cd744f51330f481fa69e |
| SHA512 | 69b050e29eed25d53b156107f8fb87dda41162e5d09369056e26a6586ee4a75025179eaf41e21efb9a9331f10ec6c1cbe3571ccb6b1246cf4d501f910811d801 |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 2f3bc25e8aacffcb3575364a851bf343 |
| SHA1 | 7ac570f1daa4a10d90b6508d40388ce5312f7ffa |
| SHA256 | c3aca7615c55f5cd23346848d8c2f9fdeea6d3a1c53540de3f7c00ce0639c4d3 |
| SHA512 | fcb56c7eff505d74618f987e0309923247ac1c8afd130495b28dfb2ea2a205ac75950061a36eca7cdff990c2b76c98cc33fe2a372d4a8ca8a4f7ee727274c657 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | 6399468b4681fbe53e0904cc09aa968c |
| SHA1 | 56df68083c15974f2f83a492f0953df449844db3 |
| SHA256 | dcd90f7f9a40a0aa030952ec6fee72e9375bd234afd43ff154cdca9d43c557a3 |
| SHA512 | 7001eb711e095ad75ce6e3009b697ccd93be78a25be36f5b641b134c39dcaaf56db80665502ce014d382185e0eec9c887a40a2341c86d781995650dccbeffda8 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | e952b8d4136ee2393b410f165657aa5c |
| SHA1 | 6bf34d2bf1aacda7ae3535efdd1daa859d84eb33 |
| SHA256 | 999603ca82160310a455ed48153949fef289ea482e3e3f22c7f3767e49833ff9 |
| SHA512 | 8c6dd4fcc31775921b7c11155a29bf4d04223a7bb8e07552e72394e0375d4a3c54334a59f6a435004250a9a48637c7813e439d1c3d1652015a0877fe9620caaf |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
| MD5 | ece2c8c8ffe952eb3a346c38e5d56bd0 |
| SHA1 | 64a89faae10e1028550b71612d0061585fbbc4fc |
| SHA256 | 0d24e8c4120a0bdf6bfed5866f26f404e3be767a92eeedeed8f82ad26cc8cf12 |
| SHA512 | 896f0b30ba2551fd55ab01f6827df44a1578fd3aaa121383c1c246bef8a931b2e5f78825fa506f123c4ecdf2fba196a8bfb165f71643742fec6e7fe25c562f64 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
| MD5 | 55abc28cb200a2b80935697efe61ff8f |
| SHA1 | 177819d406f758f06b0678fcedb06f7ef4b70f0d |
| SHA256 | 3ceafac2d806dbeccc370e5e249285264d086b405da00ec8c960a82b7b253bf6 |
| SHA512 | 601071dd05a216fa3a5c9e590ea2cea11d4dcb20a71597e0c0a25a0b5657c8d1d1387d7deedef5ef443b93912bb72d9c3cde9c8f98d6ea725f449a56af590a5a |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
| MD5 | acfb76ef9854d712ec00f98627eb28bd |
| SHA1 | ea576c86a55235a9c85121c06705269ea582ccec |
| SHA256 | 8d38c1cc79479c0449ba071e1e78fdf2996b953950310024e6edb0764d4bfbbc |
| SHA512 | 39084120e7edd306de1c94fd65b6c42042034611b4b845adf883077be998692f0f7ec32b323d6ff06b96ff9933f08f1f70c1cba216cc68d40da56f88cc20d6a9 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | a6683233a99bd3b01d35a46a9294ecc0 |
| SHA1 | 14922471f6f0aba4d3abf5c9c2deb1759bceb9f6 |
| SHA256 | 93b6a880b1fecbefb44ab624dc6a18f8598801e828aee600d8f0e6e9799a0322 |
| SHA512 | 673ae3921a8f4ddf10c18569eb637da38893a2fa6e172d3b8000aad7b7e310ca47407ed32e4de3fba713a534dafa185b90af742decc851fae543fc892c597470 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 6ea9522f871d839d3c526bfdd77223f4 |
| SHA1 | d6f804589ba1475595c39e6676118f9aa883ab33 |
| SHA256 | a03dda779bb812522acbb8f28ba2cc7b881da36de5a99925628eae928ad93ce5 |
| SHA512 | 4fdde2f0a57a7c344ed8b9ef60414354819dc192e025a606020a9bd05ee75129406dff9385334658dc1e8c868302609ba9e243f6afd8b34dd803291b744b2937 |