Analysis Overview
SHA256: 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68
Threat Level: Shows suspicious behavior
The file 89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy WMI provider
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-07 23:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-07 23:05
Reported: 2024-04-07 23:08
Platform: win7-20240220-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\30a930673d2ec148.bin | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\vssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbengine.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\locator.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\vds.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\System32\msdtc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{2C18FE73-0135-4FFC-BCB7-4B0A9050B077}\chrome_installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B06195C-EB2A-4E1F-916E-778FCCAE4671}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1B06195C-EB2A-4E1F-916E-778FCCAE4671}.crmlog | C:\Windows\system32\dllhost.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{AB32A373-7096-4C4A-9FD2-9117EFA451B2} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{AB32A373-7096-4C4A-9FD2-9117EFA451B2} | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [value not captured in this extract] | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer | C:\Program Files\Windows Media Player\wmpnetwk.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | C:\Windows\ehome\ehRec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | "C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe" |
| C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1ec -Pipe 240 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 25c -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 238 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 23c -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 264 -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 250 -NGENProcess 26c -Pipe 23c -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1ec -NGENProcess 1dc -Pipe 238 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 274 -NGENProcess 264 -Pipe 270 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 244 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 27c -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 278 -NGENProcess 274 -Pipe 24c -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 284 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 274 -Pipe 288 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 274 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 1dc -NGENProcess 264 -Pipe 280 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 294 -NGENProcess 284 -Pipe 290 -Comment "NGen Worker Process" |
| C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" |
| C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice |
| C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" |
| C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE" |
| C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1dc -NGENProcess 298 -Pipe 284 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 2ac -NGENProcess 27c -Pipe 2a8 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2b4 -NGENProcess 2a0 -Pipe 2b0 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 1a8 -NGENProcess 1dc -Pipe 278 -Comment "NGen Worker Process" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2ac -NGENProcess 298 -Pipe 1dc -Comment "NGen Worker Process" |
| C:\Windows\system32\dllhost.exe | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} |
| C:\Windows\ehome\ehRecvr.exe | C:\Windows\ehome\ehRecvr.exe |
| C:\Windows\ehome\ehsched.exe | C:\Windows\ehome\ehsched.exe |
| C:\Windows\system32\IEEtwCollector.exe | C:\Windows\system32\IEEtwCollector.exe /V |
| C:\Windows\eHome\EhTray.exe | "C:\Windows\eHome\EhTray.exe" /nav:-2 |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe |
| C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe |
| C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\ehome\ehRec.exe | C:\Windows\ehome\ehRec.exe -Embedding |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Program Files\Windows Media Player\wmpnetwk.exe | "C:\Program Files\Windows Media Player\wmpnetwk.exe" |
| C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchIndexer.exe /Embedding |
| C:\Windows\system32\SearchProtocolHost.exe | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:05
Reported
2024-04-07 23:08
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79656\javaw.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
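Two points a triager should take from this table before treating it as a VM check. First, every reader in the Process column is spectrum.exe or SensorDataService.exe, both Windows service binaries that appear in the process list further down, not the submitted sample; enumerating storage devices and reading their FriendlyName and DEVPKEY property values is routine for device-facing services, so on its own this signature is weak evidence that the sample fingerprinted the machine. Second, the table is still a useful inventory of what a real check would see: the Msft / Virtual_DVD-ROM identifiers are the Hyper-V synthetic DVD drive, while the DADY vendor and product strings match no common hypervisor marker and should be compared against your own hardware baseline. The Python below is an added example, not part of the report: it parses each device-instance path into class, vendor, product and instance id, separates FriendlyName reads from DEVPKEY property reads per process, and matches vendor/product strings against a small hypervisor marker list. The embedded rows are a subset copied from this table; the marker list and the helper names are the editor's assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the "Checks SCSI registry key(s)" table on this page (a subset, in the
# report's own "| Description | Indicator | Process | Target |" layout).
SCSI_ROWS = r"""
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
# Device-instance path: <class>&Ven_<vendor>&Prod_<product>\<instance>[\<value or property subkey>]
SCSI_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)"
    r"\\(?P<inst>[^\\]+)(?:\\(?P<rest>.+))?$",
    re.IGNORECASE,
)
# Properties\{property-set GUID}\<property id in hex>, i.e. a DEVPKEY_* read
PROP_RE = re.compile(r"^Properties\\\{([0-9a-f-]+)\}\\([0-9a-f]{4})$", re.IGNORECASE)

# Editor's assumption: substrings (lower-case) in vendor/product strings that name a hypervisor.
VM_MARKERS = {
    "msft": "Microsoft Hyper-V synthetic device",
    "virtual": "generic virtual device name",
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU/KVM",
}

def parse_scsi_rows(table):
    """One record per row: reading process (image name), device tuple, operation, and what
    below the device key was touched ('' = the device key itself)."""
    recs = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        desc, key, proc = m.group(1), m.group(2), m.group(3)
        d = SCSI_RE.search(key)
        if not d:
            continue
        recs.append({
            "process": proc.rsplit("\\", 1)[-1].lower(),
            "device": (d.group("cls"), d.group("ven"), d.group("prod"), d.group("inst")),
            "op": desc,
            "query": d.group("rest") or "",
        })
    return recs

def devices(recs):
    """Distinct (class, vendor, product, instance) tuples seen in the table."""
    return sorted({r["device"] for r in recs})

def vm_flags(recs):
    """Device -> hypervisor markers found in its vendor/product strings (unflagged devices omitted)."""
    out = {}
    for dev in devices(recs):
        hay = f"{dev[1]} {dev[2]}".lower()
        hits = [name for sub, name in VM_MARKERS.items() if sub in hay]
        if hits:
            out[dev] = hits
    return out

def friendly_name_queries(recs):
    """Process -> number of FriendlyName reads (the string a naive VM check string-compares)."""
    out = defaultdict(int)
    for r in recs:
        if r["query"].lower() == "friendlyname":
            out[r["process"]] += 1
    return dict(out)

def property_keys(recs):
    """Distinct (property-set GUID, property id) pairs opened, sorted."""
    keys = set()
    for r in recs:
        m = PROP_RE.match(r["query"])
        if m:
            keys.add((m.group(1).lower(), int(m.group(2), 16)))
    return sorted(keys)

if __name__ == "__main__":
    recs = parse_scsi_rows(SCSI_ROWS)
    for dev, why in vm_flags(recs).items():
        print("VM marker:", dev, why)
    print("FriendlyName reads per process:", friendly_name_queries(recs))
    print("DEVPKEY reads:", property_keys(recs))
```

Run against the full table, the flagged set stays the two Hyper-V DVD devices; extend VM_MARKERS with the vendor strings your own sandboxes expose so that a baseline diff, rather than the raw key list, is what reaches an analyst.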
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001696b6244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b0f6f244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8e2e3244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058aaaa244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007959da244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024d392244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000482382244089da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
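Read together with the file-modification rows above (Drops file in Program Files directory, Drops file in Windows directory), this privilege table describes one pattern from two angles: the sample enables SeTakeOwnershipPrivilege and opens executables it does not own (kinit.exe, orbd.exe, PresentationFontCache.exe) for modification, and two service processes that run later in the detonation, alg.exe and DiagnosticsHub.StandardCollector.Service.exe, open further third-party and system executables for modification while holding SeDebugPrivilege. The Python below is an added example, not part of the report: it parses rows in the report's table layout and joins the two signatures per process, so that a process is surfaced with both the foreign executables it touched and the privileges it enabled. The embedded rows are a subset copied from the tables on this page; the privilege grouping, the protected-root list and the helper names are the editor's assumptions. The row printed as `Token: 33` is a raw privilege LUID the report did not resolve to a name, and the parser keeps it verbatim rather than guessing.

```python
import re
from collections import defaultdict

# Rows copied from the signature tables on this page (a subset, not a full export),
# kept in the report's own "| Description | Indicator | Process | Target |" layout.
FILE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A |
"""
PRIV_ROWS = r"""
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

def parse_rows(table):
    """(description, indicator, process, target) per data row; header and N/A rows skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group(1) not in ("Description", "N/A"):
            rows.append(m.groups())
    return rows

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROTECTED_ROOTS = (r"c:\program files", r"c:\windows")   # also matches "Program Files (x86)"
# Editor's assumption: privileges that let a process replace files it does not own.
OVERWRITE_PRIVS = {"SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege"}

def executable_writes(file_rows):
    """Process -> executables it opened for modification under a protected root,
    excluding files that live in the process's own directory (self-updates)."""
    out = defaultdict(set)
    for desc, path, proc, _ in file_rows:
        p, own_dir = path.lower(), proc.lower().rsplit("\\", 1)[0]
        if (desc == "File opened for modification" and p.endswith(EXECUTABLE_EXT)
                and p.startswith(PROTECTED_ROOTS) and not p.startswith(own_dir + "\\")):
            out[proc.lower()].add(path)
    return out

def enabled_privileges(priv_rows):
    """Process -> privilege names exactly as the report prints them ('33' stays '33')."""
    out = defaultdict(set)
    for desc, _, proc, _ in priv_rows:
        if desc.startswith("Token: "):
            out[proc.lower()].add(desc[len("Token: "):])
    return out

def flag_overwriters(file_rows, priv_rows):
    """Join both signatures per process. Only processes that wrote a foreign executable are
    returned; each hit lists the targets, the overwrite-enabling privileges it enabled, and
    whether it also enabled SeDebugPrivilege (relevant to the WriteProcessMemory signature)."""
    privs = enabled_privileges(priv_rows)
    hits = {}
    for proc, targets in executable_writes(file_rows).items():
        p = privs.get(proc, set())
        hits[proc] = {
            "targets": sorted(targets),
            "overwrite_privs": sorted(p & OVERWRITE_PRIVS),
            "debug_priv": "SeDebugPrivilege" in p,
        }
    return hits

def by_basename(hits, name):
    """Lookup by image name; keys are full lower-case paths."""
    return next(v for k, v in hits.items() if k.endswith("\\" + name.lower()))

if __name__ == "__main__":
    for proc, h in flag_overwriters(parse_rows(FILE_ROWS), parse_rows(PRIV_ROWS)).items():
        print(f"{proc}\n  overwrite_privs={h['overwrite_privs']} debug={h['debug_priv']}")
        for t in h["targets"]:
            print(f"  wrote: {t}")
```

With the rows on this page, vssvc.exe and TieringEngineService.exe enable backup/restore privileges but write no executables, so they drop out of the result; the sample is the only process that combines an ownership privilege with writes to executables outside its own directory, and the two service images that later repeat the pattern stand out because their targets are the same kind of third-party binaries. When the full table is available, the `targets` lists are the file set to hash and compare against known-good copies.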
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1444 wrote to memory of 4976 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1444 wrote to memory of 4976 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1444 wrote to memory of 1848 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 1444 wrote to memory of 1848 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe | "C:\Users\Admin\AppData\Local\Temp\89586006208bfff1f54910f8e2f1f042124e5884691526b4dd7a60b8f3986e68.exe" |
| C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe |
| C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv |
| C:\Windows\system32\fxssvc.exe | C:\Windows\system32\fxssvc.exe |
| C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe" |
| C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" |
| C:\Windows\System32\msdtc.exe | C:\Windows\System32\msdtc.exe |
| \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" |
| C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe |
| C:\Windows\SysWow64\perfhost.exe | C:\Windows\SysWow64\perfhost.exe |
| C:\Windows\system32\locator.exe | C:\Windows\system32\locator.exe |
| C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\SensorDataService.exe |
| C:\Windows\System32\snmptrap.exe | C:\Windows\System32\snmptrap.exe |
| C:\Windows\system32\spectrum.exe | C:\Windows\system32\spectrum.exe |
| C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Windows\System32\OpenSSH\ssh-agent.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc |
| C:\Windows\system32\TieringEngineService.exe | C:\Windows\system32\TieringEngineService.exe |
| C:\Windows\system32\AgentService.exe | C:\Windows\system32\AgentService.exe |
| C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
Network
Files
C:\Windows\System32\alg.exe
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\FXSSVC.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWOW64\perfhost.exe
C:\Windows\System32\Locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\Spectrum.exe
C:\Windows\System32\TieringEngineService.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\VSSVC.exe
C:\Windows\System32\wbengine.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\SearchIndexer.exe
C:\odt\office2016setup.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7z.exe
C:\Windows\system32\SgrmBroker.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\AppVClient.exe