Analysis Overview
SHA256
0ca3531e74c3e93f7f313db6fd2dd66db5cf279f869c0c64688854a8b2f08a0c
Threat Level: Shows suspicious behavior
The file 2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:34
Reported
2024-04-07 19:37
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe"
Network
Files
memory/2908-0-0x00000000004B0000-0x0000000000510000-memory.dmp
memory/2908-2-0x0000000140000000-0x000000014096F000-memory.dmp
memory/2908-8-0x00000000004B0000-0x0000000000510000-memory.dmp
memory/2908-14-0x00000000004B0000-0x0000000000510000-memory.dmp
memory/2908-15-0x0000000140000000-0x000000014096F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:34
Reported
2024-04-07 19:37
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77375\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{AFF521F6-AE33-4DA9-91C8-593A92655606}\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f24b68d42289da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001b12cd42289da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df4e2ad42289da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ffe3ad42289da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 4140 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1864 wrote to memory of 4140 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1864 wrote to memory of 4632 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 1864 wrote to memory of 4632 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-07_5fcd19e43a5fcfe20f6dee239392f78f_magniber_sliver.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.82.128.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.61.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | 138.71.29.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | 6.218.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | 212.78.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.32.91.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | 245.229.41.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | 7.206.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.15.160.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 104.155.138.21:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 34.143.166.163:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.168.225.46:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.94.160.21:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 34.143.166.163:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | 46.225.168.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.168.225.46:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | 21.160.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 34.174.206.7:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 34.162.170.92:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| NL | 35.204.181.10:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 34.29.71.138:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | 92.170.162.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.181.204.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.168.225.46:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 34.29.71.138:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 34.29.71.138:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 34.143.166.163:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| NL | 34.91.32.224:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| ID | 34.128.82.12:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 34.143.166.163:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 104.155.138.21:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 34.162.170.92:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 34.174.61.199:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| NL | 35.204.181.10:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| ID | 34.128.82.12:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | | udp |
| NL | 34.91.32.224:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1356-1-0x00000000007D0000-0x0000000000830000-memory.dmp
memory/1356-0-0x0000000140000000-0x000000014096F000-memory.dmp
memory/1356-7-0x00000000007D0000-0x0000000000830000-memory.dmp
memory/1356-14-0x00000000007D0000-0x0000000000830000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 8d458006554dc908e1b16397ec3444c1 |
| SHA1 | 1c5d7dbf308db641cbd99894fd4003ce44bad5b5 |
| SHA256 | 98f9ebde07595be0e82b7e7b6640aecef1c961e69c049182a7062a5bbc562804 |
| SHA512 | a79c99412c19efa643a23c2d68dbfc51331524247d86e5d7a7b2a6f57a3c870105aec8d87faf281688dba9a701fe6f894bced8af42f8533bb6e6d1e7a1aa92d1 |
memory/3312-16-0x0000000000710000-0x0000000000770000-memory.dmp
memory/1356-18-0x0000000140000000-0x000000014096F000-memory.dmp
memory/3312-17-0x0000000140000000-0x00000001401E9000-memory.dmp
memory/3312-24-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | b6e8e74301974205c79c59d18119b8aa |
| SHA1 | 68c5363e64289e3977a6f4bb5730e5526a3c7c7f |
| SHA256 | 9b22326e0dfecbb71f563dc97e021ab985900f34e6124cb53f9c2c336aa4a3f6 |
| SHA512 | 36a8ae64818a3d6d42acb2b1538b6bd4a03d7c37bbd32f01e55d7d87b88fedea2ea4b23d9b9bad1c0795831fd5f92c08a83d9078fdf8d658bd78dcdc312c10cc |
memory/4924-30-0x0000000140000000-0x0000000140237000-memory.dmp
memory/4924-29-0x00000000008F0000-0x0000000000950000-memory.dmp
memory/4924-36-0x00000000008F0000-0x0000000000950000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 75708240cec69146b14c1cc65651d083 |
| SHA1 | 9109db72d613041e57b536b94e5fbea9991ba928 |
| SHA256 | e870555e0c1a9993b84c47675bafb5c0bfa7bf236ad9de20e420541245010c49 |
| SHA512 | 506aab68d0bd34299cd89de911938489f047300d4c4705d1ff86169b2217cbe6acfc3de51147f71adf37072952df257d0c2f8195cc5b0fcb04594d0bca257530 |
memory/2864-40-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/2864-41-0x0000000140000000-0x000000014022B000-memory.dmp
memory/2864-47-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 0fedc9cc79043f2df87401ec52284fa1 |
| SHA1 | 0914c27fa470f6b6c4a58d98054c9b30b3f7cf27 |
| SHA256 | ece54f9d2e74e2176d7391b5d07a0034c62ac9b22e74c7b43b7d958a6ddc43ba |
| SHA512 | fe3388e946a7aec64779efded0b7c4cacb426e2b6179cdd395bbee53cedfaa1c4903dbbf0c6a370f4d7cfad8f3a8702e824e6fd9d067fb86bd237d856b44c1ea |
memory/2892-52-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2892-51-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/2892-58-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/2892-61-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/2892-64-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2896-67-0x0000000000510000-0x0000000000570000-memory.dmp
memory/2896-66-0x0000000140000000-0x000000014020E000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | a507deca35043f50e7be95fe4487886b |
| SHA1 | 94c1eb1b1938f00ffdc0be49051a25d649ca4ecc |
| SHA256 | e95233856e0fb53e85e0b70e77ec60d8180842066e3a577e0d573afbd670517d |
| SHA512 | 7693b37e4c0164ba150e9fdb7ed51e0e33f00e79f18371aff039adcd3dfc73b848cbd2e2efd8b0e055bdddb0cee7c62ac26ea70c62a6a61df7277a0971df7cf2 |
memory/2896-73-0x0000000000510000-0x0000000000570000-memory.dmp
memory/3312-213-0x0000000140000000-0x00000001401E9000-memory.dmp
memory/4924-235-0x0000000140000000-0x0000000140237000-memory.dmp
memory/2864-236-0x0000000140000000-0x000000014022B000-memory.dmp
memory/2896-239-0x0000000140000000-0x000000014020E000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | cddcdc5399de088aca32652066e176eb |
| SHA1 | 2eb95bfb80c976fd8ef608ac74c81fa277881840 |
| SHA256 | fb291ac9551919bb7129f1baf4809e632e6f54d6d9fb5b44b4267d2fa16717b5 |
| SHA512 | 1d5b289e6b96c7f845f53b428c80811002cf2ad5f38400f87e071424190df8e57a6ef82fc4d2433b871e0b5e0fc7e8584360b62417f23a30ad078a88b80c1c15 |
memory/2448-251-0x00000000006F0000-0x0000000000750000-memory.dmp
memory/2448-245-0x0000000140000000-0x00000001401E8000-memory.dmp
memory/2448-244-0x00000000006F0000-0x0000000000750000-memory.dmp
memory/1412-256-0x0000000140000000-0x0000000140135000-memory.dmp
memory/1412-255-0x0000000000EC0000-0x0000000000F20000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | fba9b3ed02a346514f2cfa6ffa44502e |
| SHA1 | 775f7455036db5912991928bb8e651d068414145 |
| SHA256 | 8673d64e8047ed4edd9f449d34be4b131908eabedb3cc7ae19fcfced258a1b0b |
| SHA512 | 4034a3fde7bf0bde31c4258ac1c344edc50ee2c2c56919b8299361a99b24420172a5c5a282fd7490b8245f05c374938a432b0a1795684d71ffb6abd5961d4e75 |
memory/1412-264-0x0000000000EC0000-0x0000000000F20000-memory.dmp
memory/1412-269-0x0000000140000000-0x0000000140135000-memory.dmp
memory/4464-272-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1412-271-0x0000000000EC0000-0x0000000000F20000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 3c01ee404fc0055a0b37a33a926ce44a |
| SHA1 | 4ea4f88185f28fe265291a6573a69182a2a9a36a |
| SHA256 | b625873e613de5cd02dbd5088969c1a087763f3b0f2094b706610aa553df4af7 |
| SHA512 | 2d5d71d98719d9239b4484e14e36f9abf856da01aef693901836ee2f6fa6f04b5eaa87d28ee1ba35bb4340bfdcac8dc4de99baa04566c466fe448c68095e4c4b |
memory/4464-281-0x0000000000CF0000-0x0000000000D50000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 1983a0583e3558b6c807bd50d59088c2 |
| SHA1 | a01493d76e9389443a0958aa94771501727d13be |
| SHA256 | a42adeb90fbe0e022f618726b9b491788f59c6c59f7e895ec4fa379824307b85 |
| SHA512 | e4011f125d21d38355c2d54f9c4a7690515d7e187297d4fc458ac762b779b1a9a6096dea30f419c3b7cf362ffbbe02623c63880c417638d11adcee72662c2505 |
memory/644-289-0x0000000140000000-0x00000001401EA000-memory.dmp
memory/644-297-0x0000000000600000-0x0000000000660000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | abd444d4b689045aa1e3411655a468db |
| SHA1 | d6bb319f88bce47ff9071968afcfaf391964ffff |
| SHA256 | 833471297cca4ce535e491bb7014c25b43b7037f3d096c852b49619ec2717a2e |
| SHA512 | 997a7d3b9732e5fc381c6098e230c059a2e6d61bcbc0b50d7f6bafcd96dd5ead4a02bd511d29d4c454a4ae8eb019adda93cb30bf40eec229f65e14d6f02821ee |
memory/3888-300-0x0000000000400000-0x00000000005D6000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | cba5b6b053339a25006c6596be96e931 |
| SHA1 | 0f99e7e245f78836b2621ac6ae219ee25291dec3 |
| SHA256 | 9f79e4310c60c8fa9da012a3c2b3302abafa758b674e1e9a10dba2a54c56cd2b |
| SHA512 | 225bb81bcec1f737f6c23885ec4c1e6ae4382278835f4c25fc574a98bbc440cbe99003c751ebd9528bc3f9eea95b3bb566ed5173c73dea9089b94e8934cd2fa5 |
memory/4244-306-0x0000000140000000-0x00000001401D4000-memory.dmp
memory/2448-312-0x0000000140000000-0x00000001401E8000-memory.dmp
memory/4244-313-0x0000000000780000-0x00000000007E0000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | 75bbbdc4c3b7fd26fed63f01f9dc0d6f |
| SHA1 | 436be25b7095506cdab63dea970716806f8ecada |
| SHA256 | cf63b4bcd96d1b77ccdede5a1fd07f958fb26804e3b07c1d0d0eb4fc7783200e |
| SHA512 | 0d7c8972240cff3e9eb85c7d3ec852eaff85cffed0d9791422b0a13f2f967694f277f240866eec4c57d649e33e00cd50a7fdfe8603c10325b613ac138c2e763b |
memory/2676-317-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2676-325-0x0000000000720000-0x0000000000780000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | a159fa7681e5e0194b7379818405a5c5 |
| SHA1 | 811a868e1f5ad175f6466269fd0a09819c7c466e |
| SHA256 | bf590dd42196b434c70381271b923f6dec67d66a616ae5a29e9dfb93c794da54 |
| SHA512 | 40e82c82d94b8732b68ad593f0a47fb6890a8bbc734fe7b6fa78863580c5fe8678c53ec5cd60bb0c89d4203f3a2f9d058da31c9311ff4379b0c3b2cbf7d11b89 |
memory/4968-330-0x0000000140000000-0x00000001401D5000-memory.dmp
memory/4464-339-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/4968-340-0x00000000006F0000-0x0000000000750000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | a1879ae2abe448a586c29af69c310194 |
| SHA1 | f7787c2389dd29180a6dd72b19b495d62bd89b60 |
| SHA256 | 7089480813b27138aaab81aa165d0d47da419647730296d556be507e532b9137 |
| SHA512 | d047d21ec2f2f6ea13442105cad4e7fd7b79f2cf00d90afd0bd224519e1141795879278b1af58eb479b5113ef1d6d6f057aeafc18ca5602a0dce831e405a3512 |
memory/2592-342-0x0000000140000000-0x0000000140169000-memory.dmp
memory/2592-352-0x0000000000660000-0x00000000006C0000-memory.dmp
memory/644-351-0x0000000140000000-0x00000001401EA000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 8f5a4af2cb5fd26e3c548c75ba0d1e51 |
| SHA1 | 0c85f193d3e99d037f35b098384b4a42d962785a |
| SHA256 | 0a0a458ee4a036cd4d72ef95b3457431d36cefa471e72191f8ac891eaf2b1973 |
| SHA512 | 270e86e9d01f18cea59fbb173febdaf3674daebc625f9a59a1ded442d013e470a943541c9bce7a7ba01941fdc3375615a650e4875b5895e0f1ad10994c12ec5b |
memory/3488-357-0x0000000140000000-0x0000000140241000-memory.dmp
memory/3488-367-0x0000000000E90000-0x0000000000EF0000-memory.dmp
memory/3888-365-0x0000000000400000-0x00000000005D6000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 986085e7625418bc692ec430f9ee1c3c |
| SHA1 | ae7953e9434ec51e3eb6fc2adeba6423454e7a66 |
| SHA256 | 990432baffa1b2383e384f7bcd623551701d4b47a68d684c848085060aae2243 |
| SHA512 | 55332f184ab084aa237db39531939a27c9aec5964b43644643ed2d592315dc7e800968f35a6bcc3a79f8459c55e7d2697640348d5991588b09236aa32da18f0a |
memory/4244-369-0x0000000140000000-0x00000001401D4000-memory.dmp
memory/208-371-0x0000000140000000-0x0000000140221000-memory.dmp
memory/208-379-0x0000000000790000-0x00000000007F0000-memory.dmp
C:\Windows\System32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\VSSVC.exe
C:\Windows\System32\wbengine.exe
C:\Windows\System32\wbem\WmiApSrv.exe
C:\Windows\System32\SearchIndexer.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7z.exe
C:\odt\office2016setup.exe