Analysis Overview
SHA256
bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a
Threat Level: Shows suspicious behavior
The file bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:58
Reported
2024-04-07 20:01
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe
"C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe"
Network
Files
memory/2100-0-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2100-1-0x0000000000550000-0x00000000005B6000-memory.dmp
memory/2100-6-0x0000000000550000-0x00000000005B6000-memory.dmp
memory/2100-7-0x0000000000550000-0x00000000005B6000-memory.dmp
memory/2100-12-0x0000000000400000-0x000000000054C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:58
Reported
2024-04-07 20:01
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083a1912d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e60122e2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000883dae2d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066c5d62d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9ef9f2d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cdcab2d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b03942d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1948 wrote to memory of 4200 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1948 wrote to memory of 4200 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchProtocolHost.exe |
| PID 1948 wrote to memory of 2860 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
| PID 1948 wrote to memory of 2860 | N/A | C:\Windows\system32\SearchIndexer.exe | C:\Windows\system32\SearchFilterHost.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe
"C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
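The signature list tags this sample with "Executes dropped EXE", and the Files section further down records new hashes for several of the service binaries that appear in the process list above (alg.exe, the Chrome and Edge elevation services, the Mozilla maintenance service, OSE.EXE, fxssvc.exe and others). The script below is an added example, not part of the sandbox report: it cross-references a constructed subset of the two lists and reports every executed process whose on-disk image the sample had already rewritten. The one thing worth getting right is path comparison: NTFS is case-insensitive, and the sandbox prints some images in NT object-manager form (`\??\c:\...`), so the two spellings of OSE.EXE and fxssvc.exe in this report must compare equal.

```python
"""Cross-reference executed processes against files the sample wrote.

Added example, not part of the sandbox report. EXECUTED and DROPPED are
constructed subsets of the report's Processes and Files sections, copied
verbatim so the script runs offline.
"""
from __future__ import annotations

# Subset of the "Processes" section, image paths exactly as the sandbox printed them.
EXECUTED = [
    r"C:\Users\Admin\AppData\Local\Temp\bc16b0ca89acc5c553279d7454e120f7ad416a28dc3955c853aa9d7a8e3df41a.exe",
    r"C:\Windows\System32\alg.exe",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe",
    r"\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\system32\fxssvc.exe",
    r"C:\Windows\system32\SearchIndexer.exe",
]

# Subset of the "Files" section: path the sample wrote -> SHA256 of the new content.
DROPPED = {
    r"C:\Windows\System32\alg.exe":
        "a7ec3642b037508903d2b24c1b96ff653864107f9086711d3c3279aee7ffc16e",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe":
        "1b47e607c8f631c6288468e6b636b6a8816c42975b9e8e3df20fd9244dfe1f8d",
    r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe":
        "708c2513aefa329c51bbc1416e7d46ba82a00d36b0c284a93148196ecc2816e5",
    r"C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE":
        "96fa85126ba0499cecba9bf42d9c8174f5bb91e5d8c96c72d48bfe96cbf47e64",
    r"C:\Windows\System32\FXSSVC.exe":
        "a82df5e7872990b6cc811afc6ab3274598f72c980a2a3698a9b6b4cd18331165",
}


def normalize_win_path(path: str) -> str:
    """Canonicalise a Windows path for comparison.

    NTFS paths are case-insensitive, and the sandbox sometimes prints the NT
    object-manager form (\\??\\C:\\...) instead of the Win32 form, so strip that
    prefix, unify separators and lower-case the whole string.
    """
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("/", "\\").lower()


def executed_dropped(executed: list[str], dropped: dict[str, str]) -> dict[str, str]:
    """Return {executed image path: sha256} for every process whose image the sample wrote."""
    index = {normalize_win_path(p): h for p, h in dropped.items()}
    hits: dict[str, str] = {}
    for proc in executed:
        key = normalize_win_path(proc)
        if key in index:
            hits[proc] = index[key]
    return hits


if __name__ == "__main__":
    # Each line is a service binary that ran from content the sample had written:
    # these are the hashes to hunt for on other hosts.
    for proc, sha in executed_dropped(EXECUTED, DROPPED).items():
        print(f"{sha}  {proc}")
```

Feeding the full Processes and Files sections through the same two functions gives the complete set of hijacked service binaries; their SHA256 values are the host-based indicators for this sample, since the original Microsoft, Google and Mozilla files will not hash to them.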
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 34.174.61.199:80 | npukfztj.biz | tcp |
| US | 8.8.8.8:53 | 12.82.128.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 72.52.178.23:80 | przvgke.biz | tcp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.61.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 34.29.71.138:80 | xlfhhhm.biz | tcp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
| SG | 34.143.166.163:80 | ifsaia.biz | tcp |
| US | 8.8.8.8:53 | 138.71.29.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | saytjshyf.biz | udp |
| US | 34.67.9.172:80 | saytjshyf.biz | tcp |
| US | 8.8.8.8:53 | vcddkls.biz | udp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fwiwk.biz | udp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 67.225.218.6:80 | fwiwk.biz | tcp |
| US | 8.8.8.8:53 | 172.9.67.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.218.225.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tbjrpv.biz | udp |
| NL | 34.91.32.224:80 | tbjrpv.biz | tcp |
| US | 8.8.8.8:53 | deoci.biz | udp |
| US | 34.174.78.212:80 | deoci.biz | tcp |
| US | 8.8.8.8:53 | gytujflc.biz | udp |
| US | 208.100.26.245:80 | gytujflc.biz | tcp |
| US | 8.8.8.8:53 | 224.32.91.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.78.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qaynky.biz | udp |
| SG | 34.143.166.163:80 | qaynky.biz | tcp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bumxkqgxu.biz | udp |
| US | 34.174.61.199:80 | bumxkqgxu.biz | tcp |
| US | 8.8.8.8:53 | dwrqljrr.biz | udp |
| US | 34.41.229.245:80 | dwrqljrr.biz | tcp |
| US | 8.8.8.8:53 | nqwjmb.biz | udp |
| US | 8.8.8.8:53 | 245.229.41.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ytctnunms.biz | udp |
| US | 34.174.206.7:80 | ytctnunms.biz | tcp |
| US | 8.8.8.8:53 | myups.biz | udp |
| US | 165.160.15.20:80 | myups.biz | tcp |
| US | 8.8.8.8:53 | oshhkdluh.biz | udp |
| US | 34.41.229.245:80 | oshhkdluh.biz | tcp |
| US | 8.8.8.8:53 | yunalwv.biz | udp |
| US | 8.8.8.8:53 | 7.206.174.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.15.160.165.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jpskm.biz | udp |
| US | 8.8.8.8:53 | lrxdmhrr.biz | udp |
| US | 34.41.229.245:80 | lrxdmhrr.biz | tcp |
| US | 8.8.8.8:53 | wllvnzb.biz | udp |
| ID | 34.128.82.12:80 | wllvnzb.biz | tcp |
| US | 8.8.8.8:53 | gnqgo.biz | udp |
| US | 34.174.78.212:80 | gnqgo.biz | tcp |
| US | 8.8.8.8:53 | jhvzpcfg.biz | udp |
| US | 34.67.9.172:80 | jhvzpcfg.biz | tcp |
| US | 8.8.8.8:53 | acwjcqqv.biz | udp |
| ID | 34.128.82.12:80 | acwjcqqv.biz | tcp |
| US | 8.8.8.8:53 | lejtdj.biz | udp |
| US | 8.8.8.8:53 | vyome.biz | udp |
| US | 8.8.8.8:53 | yauexmxk.biz | udp |
| US | 34.174.78.212:80 | yauexmxk.biz | tcp |
| US | 8.8.8.8:53 | iuzpxe.biz | udp |
| SG | 34.143.166.163:80 | iuzpxe.biz | tcp |
| US | 8.8.8.8:53 | sxmiywsfv.biz | udp |
| SG | 34.143.166.163:80 | sxmiywsfv.biz | tcp |
| US | 8.8.8.8:53 | vrrazpdh.biz | udp |
| US | 34.168.225.46:80 | vrrazpdh.biz | tcp |
| US | 8.8.8.8:53 | ftxlah.biz | udp |
| US | 34.94.160.21:80 | ftxlah.biz | tcp |
| US | 8.8.8.8:53 | typgfhb.biz | udp |
| SG | 34.143.166.163:80 | typgfhb.biz | tcp |
| US | 8.8.8.8:53 | 46.225.168.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | esuzf.biz | udp |
| US | 34.168.225.46:80 | esuzf.biz | tcp |
| US | 8.8.8.8:53 | 21.160.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gvijgjwkh.biz | udp |
| US | 34.174.206.7:80 | gvijgjwkh.biz | tcp |
| US | 8.8.8.8:53 | qpnczch.biz | udp |
| US | 34.162.170.92:80 | qpnczch.biz | tcp |
| US | 8.8.8.8:53 | brsua.biz | udp |
| NL | 35.204.181.10:80 | brsua.biz | tcp |
| US | 8.8.8.8:53 | dlynankz.biz | udp |
| DE | 85.214.228.140:80 | dlynankz.biz | tcp |
| US | 8.8.8.8:53 | oflybfv.biz | udp |
| US | 34.29.71.138:80 | oflybfv.biz | tcp |
| US | 8.8.8.8:53 | yhqqc.biz | udp |
| US | 34.168.225.46:80 | yhqqc.biz | tcp |
| US | 8.8.8.8:53 | 92.170.162.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mnjmhp.biz | udp |
| US | 34.29.71.138:80 | mnjmhp.biz | tcp |
| US | 8.8.8.8:53 | 10.181.204.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | opowhhece.biz | udp |
| US | 34.29.71.138:80 | opowhhece.biz | tcp |
| US | 8.8.8.8:53 | zjbpaao.biz | udp |
| US | 8.8.8.8:53 | jdhhbs.biz | udp |
| SG | 34.143.166.163:80 | jdhhbs.biz | tcp |
| US | 8.8.8.8:53 | mgmsclkyu.biz | udp |
| NL | 34.91.32.224:80 | mgmsclkyu.biz | tcp |
| US | 8.8.8.8:53 | warkcdu.biz | udp |
| ID | 34.128.82.12:80 | warkcdu.biz | tcp |
| US | 8.8.8.8:53 | gcedd.biz | udp |
| SG | 34.143.166.163:80 | gcedd.biz | tcp |
| US | 8.8.8.8:53 | jwkoeoqns.biz | udp |
| US | 104.155.138.21:80 | jwkoeoqns.biz | tcp |
| US | 8.8.8.8:53 | xccjj.biz | udp |
| US | 34.162.170.92:80 | xccjj.biz | tcp |
| US | 8.8.8.8:53 | hehckyov.biz | udp |
| US | 34.174.61.199:80 | hehckyov.biz | tcp |
| US | 8.8.8.8:53 | rynmcq.biz | udp |
| US | 8.8.8.8:53 | 21.138.155.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uaafd.biz | udp |
| NL | 35.204.181.10:80 | uaafd.biz | tcp |
| US | 8.8.8.8:53 | eufxebus.biz | udp |
| ID | 34.128.82.12:80 | eufxebus.biz | tcp |
| US | 8.8.8.8:53 | pwlqfu.biz | udp |
| NL | 34.91.32.224:80 | pwlqfu.biz | tcp |
| US | 8.8.8.8:53 | rrqafepng.biz | udp |
| US | 34.29.71.138:80 | rrqafepng.biz | tcp |
| US | 8.8.8.8:53 | ctdtgwag.biz | udp |
| US | 34.174.206.7:80 | ctdtgwag.biz | tcp |
| US | 8.8.8.8:53 | tnevuluw.biz | udp |
| US | 34.94.245.237:80 | tnevuluw.biz | tcp |
| US | 8.8.8.8:53 | whjovd.biz | udp |
| ID | 34.128.82.12:80 | whjovd.biz | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gjogvvpsf.biz | udp |
| US | 8.8.8.8:53 | reczwga.biz | udp |
| US | 34.67.9.172:80 | reczwga.biz | tcp |
| US | 8.8.8.8:53 | bghjpy.biz | udp |
| US | 34.168.225.46:80 | bghjpy.biz | tcp |
| US | 8.8.8.8:53 | damcprvgv.biz | udp |
| US | 8.8.8.8:53 | ocsvqjg.biz | udp |
| NL | 35.204.181.10:80 | ocsvqjg.biz | tcp |
| US | 8.8.8.8:53 | ywffr.biz | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
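The Network table mixes three kinds of rows: UDP queries to 8.8.8.8:53 for the sample's own `.biz` domains, UDP PTR queries (`*.in-addr.arpa`) that the sandbox issues itself for every IP the sample contacts, and the TCP port-80 connections that show which domains actually resolved. The script below is an added example, not part of the report, that parses rows in this page's pipe-delimited layout (a constructed subset is embedded), reverses the PTR names back to the IPs they describe, lists queried domains that never produced a connection, and groups connected domains by destination endpoint. The grouping is the robust triage signal here: many unrelated-looking domains terminating on the same few IP:port pairs points at a small set of C2 or sinkhole servers behind a large name pool, without having to guess whether any single label is algorithmically generated.

```python
"""Triage a sandbox Network table: DNS vs TCP, PTR reversal, domains per endpoint.

Added example, not part of the report. ROWS is a constructed subset of the
table above (header included), in the same pipe-delimited layout.
"""
from __future__ import annotations
from collections import defaultdict
from typing import Iterator

ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| ID | 34.128.82.12:80 | ssbzmoy.biz | tcp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 104.198.2.251:80 | cvgrf.biz | tcp |
| US | 8.8.8.8:53 | 12.82.128.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| ID | 34.128.82.12:80 | knjghuig.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | lpuegx.biz | tcp |
| RU | 82.112.184.197:80 | vjaxhpbji.biz | tcp |
| ID | 34.128.82.12:80 | vcddkls.biz | tcp |
"""


def parse_rows(text: str) -> Iterator[tuple[str, str, int, str, str]]:
    """Yield (country, ip, port, domain, proto) for each data row; skip header/junk."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():          # header row or malformed destination
            continue
        yield country, ip, int(port), domain, proto


def reverse_ptr(name: str) -> str | None:
    """'12.82.128.34.in-addr.arpa' -> '34.128.82.12'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def summarize(text: str) -> dict:
    """Split the table into PTR targets, unresolved queries and domains per endpoint."""
    by_endpoint: dict[tuple[str, int], set[str]] = defaultdict(set)
    queried: set[str] = set()
    connected: set[str] = set()
    ptr_targets: set[str] = set()
    for _country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:
            target = reverse_ptr(domain)
            if target:
                ptr_targets.add(target)   # sandbox reverse lookup of a contacted IP
            else:
                queried.add(domain)       # the sample's own forward lookup
        else:
            connected.add(domain)
            by_endpoint[(ip, port)].add(domain)
    return {
        "by_endpoint": {k: sorted(v) for k, v in by_endpoint.items()},
        # Queried but never connected: NXDOMAIN, sinkholed, or not yet registered.
        "unresolved": sorted(queried - connected),
        "ptr_targets": ptr_targets,
    }


if __name__ == "__main__":
    s = summarize(ROWS)
    # Endpoints serving the most distinct names first: the shared infrastructure.
    for (ip, port), names in sorted(s["by_endpoint"].items(), key=lambda kv: -len(kv[1])):
        print(f"{ip}:{port}  {len(names)} domains  {', '.join(names)}")
    print("unresolved:", ", ".join(s["unresolved"]))
```

Run over the whole table, the same grouping shows that a handful of addresses (34.128.82.12, 34.143.166.163, 82.112.184.197, 34.29.71.138 and a few more) answer for dozens of the `.biz` names, which is the set to block or hunt for in proxy logs, while the unresolved names are worth watching as future registrations.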
Files
memory/508-0-0x0000000000400000-0x000000000054C000-memory.dmp
memory/508-1-0x0000000000B30000-0x0000000000B96000-memory.dmp
memory/508-6-0x0000000000B30000-0x0000000000B96000-memory.dmp
memory/508-7-0x0000000000B30000-0x0000000000B96000-memory.dmp
memory/812-13-0x0000000000720000-0x0000000000780000-memory.dmp
memory/812-15-0x0000000140000000-0x0000000140141000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | 9532ece73c995ecfd211a7e4866b1cd9 |
| SHA1 | 03d0c2d5dc7a05f97ead1276a008c246b633be7d |
| SHA256 | a7ec3642b037508903d2b24c1b96ff653864107f9086711d3c3279aee7ffc16e |
| SHA512 | fe999fe4d82eb3ddf1db1644c88d4450d3cdfd711776142f66446d33666be5e3492f19306e1986b361f0274d47d6fad4dcd0998eeb9d1b185befb9b6946fd754 |
memory/508-17-0x0000000000400000-0x000000000054C000-memory.dmp
memory/812-23-0x0000000000720000-0x0000000000780000-memory.dmp
memory/812-22-0x0000000000720000-0x0000000000780000-memory.dmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
| MD5 | 89acce390fe442767c282ca183147f44 |
| SHA1 | 1d091da70e9fa66089c0cb3a07044e2afae12872 |
| SHA256 | 1b47e607c8f631c6288468e6b636b6a8816c42975b9e8e3df20fd9244dfe1f8d |
| SHA512 | 01e8500c183ac6eab73c8720914745ba37ebf449cdfb245bf49b08a011587174f10766bedb3db635cb825c03f8baae123946c508198d685aecf156a438a0ac17 |
memory/4820-28-0x00000000008E0000-0x0000000000940000-memory.dmp
memory/4820-29-0x0000000140000000-0x0000000140237000-memory.dmp
memory/4820-36-0x00000000008E0000-0x0000000000940000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | bf6a9c12d51c71f0e8bfb3acd73ae30f |
| SHA1 | a77dafbbfb2a9d04fe502c5d89dc75fd40add030 |
| SHA256 | fd2ab86016802abaa1addd0b14044df4dae058368bfe1523f3bea52602919d17 |
| SHA512 | abb8732090f0b315c9232b98c4c0bdcf8bc1be3436012b05cf162faaf469535fd49373a3c82c1cd5a64be6fa5195208562209612c64e23b83cd9cf91c0da25b5 |
memory/4836-41-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/4836-40-0x0000000140000000-0x000000014022B000-memory.dmp
memory/4836-48-0x00000000001A0000-0x0000000000200000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 25386b6520a98830fe01c5eff323d5b5 |
| SHA1 | 7b3114480a4940a2efc2a0a901fbf94bd5351eb8 |
| SHA256 | 708c2513aefa329c51bbc1416e7d46ba82a00d36b0c284a93148196ecc2816e5 |
| SHA512 | 8b20028a68da1a7a35e765fde9f519595878987daeb9e02b7bb6b39fec210233ad87684fc328f075f6250d70f367558ff0dda39b4b184041310173a1e8395b31 |
memory/3796-52-0x0000000001A70000-0x0000000001AD0000-memory.dmp
memory/3796-53-0x0000000140000000-0x0000000140161000-memory.dmp
memory/3796-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp
memory/3796-62-0x0000000001A70000-0x0000000001AD0000-memory.dmp
memory/3796-65-0x0000000140000000-0x0000000140161000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | a163718eaeddc3ceda77687ffc1cf75b |
| SHA1 | 8b54c6af891910637e52b3511e836f4aa643484f |
| SHA256 | 96fa85126ba0499cecba9bf42d9c8174f5bb91e5d8c96c72d48bfe96cbf47e64 |
| SHA512 | 4776d55480ce4ce6f772e25e3e82f84f17b30e9973f7532b6cc62634ffb72d328efebbf8b1b696be5b9ace975b71147cb921976783238ba8196d02686377f70d |
memory/4940-67-0x0000000000510000-0x0000000000570000-memory.dmp
memory/4940-68-0x0000000140000000-0x0000000140166000-memory.dmp
memory/4940-74-0x0000000000510000-0x0000000000570000-memory.dmp
memory/812-231-0x0000000140000000-0x0000000140141000-memory.dmp
memory/4820-236-0x0000000140000000-0x0000000140237000-memory.dmp
memory/4836-237-0x0000000140000000-0x000000014022B000-memory.dmp
memory/4940-240-0x0000000140000000-0x0000000140166000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 65a5a2a78be635f6dd82176ff65d1518 |
| SHA1 | 25c6a63ad2176cc82a4f323d8caacfea4e6fa6b3 |
| SHA256 | bb826356936769eb5a01d53a116083a246c07250dc0c5b31b21f4214194c343f |
| SHA512 | ed1822cf76567504bc86d50a5d164d20ead86e22f46817e1c5f5e6e172df73b8bd2c59a655991c6eccb5a6fbecc7f5512a165c95ff152f61b01bf9179c95338c |
memory/2216-245-0x0000000140000000-0x0000000140140000-memory.dmp
memory/2216-246-0x0000000000690000-0x00000000006F0000-memory.dmp
memory/2216-253-0x0000000000690000-0x00000000006F0000-memory.dmp
memory/2216-252-0x0000000000690000-0x00000000006F0000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | b65570b165c8b668b021dc8dd5bc901a |
| SHA1 | 8b354d2da59e36f0bab403a14dd5022c318fb95a |
| SHA256 | a82df5e7872990b6cc811afc6ab3274598f72c980a2a3698a9b6b4cd18331165 |
| SHA512 | d4aa2adf296f5f7b85c59ab0cb9a2dcb11a5c66e0c357f3534166a295c12ee17965c8a5d6cd82330fdc4c3e168a3cb6639bb9c251761206392be407d79146461 |
memory/3148-257-0x0000000140000000-0x0000000140135000-memory.dmp
memory/3148-258-0x0000000000D60000-0x0000000000DC0000-memory.dmp
memory/3148-265-0x0000000000D60000-0x0000000000DC0000-memory.dmp
memory/3148-271-0x0000000140000000-0x0000000140135000-memory.dmp
memory/3148-272-0x0000000000D60000-0x0000000000DC0000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 83b5e7280b2dde55db8899373a2c3cc6 |
| SHA1 | 8ff6d82d3357586f551e285d1dc0e2fdd6ab2b78 |
| SHA256 | 9a0f604849606ac88b0f82257434595300a3e04779efbf32b635ae62eeccbd55 |
| SHA512 | cab225af66e1b6a62658346e3d7c60e0f4a5fba9376c6e983c96b1a12390b49006d160c2a4d7f8ba1e8fbc12f1a904b26a6063b256ab1d9c28d5ab29583d1ff8 |
memory/2816-274-0x0000000140000000-0x0000000140150000-memory.dmp
memory/2816-283-0x0000000000CC0000-0x0000000000D20000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | 3bf5c128ea382f49b1796af0d35ab31e |
| SHA1 | 105630d09530e2137dc7f8e4d6d2ecbaf74bc436 |
| SHA256 | 7caf3a63dcfdcca50ee370cf0766e79c64475fe51094911966dbf0d981637def |
| SHA512 | 592d168a43e4ce4f226123bee01ee73be15c3f1fe50fc220ade35ce547f1a43eacedad909fde1f3b6bdc1e887ac76aee1f769ae23a22fe18ff2375efd06f2fce |
memory/884-288-0x0000000140000000-0x0000000140142000-memory.dmp
memory/884-299-0x0000000000BE0000-0x0000000000C40000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 120460d152ed832ee9e9f9cb1f5f4624 |
| SHA1 | f9c6bce4aab67eeacc83c62834adaf0185c1ecd4 |
| SHA256 | 5610fa00c8ff29100fe103e170e8e4d2a58a330faa64c7356fe7bb47f9bfb9ee |
| SHA512 | d508fdf7f541a49d98193ae444143ab756c37417efc94072b8851d27c22aedbefa824d04132cd140bc187d3387a9d741ae385bc3e968221091ffecaa2ec52d05 |
memory/4400-302-0x0000000000400000-0x000000000052E000-memory.dmp
memory/4400-310-0x00000000005B0000-0x0000000000616000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | 846cd4546d186a548d2a4d754d2b186e |
| SHA1 | 03a181676614fca333a2c110372eb29717a8b90c |
| SHA256 | 8dde14c5396d67d8e0419b97c2c39a253cbc17287165f97253897ba6151a5b8c |
| SHA512 | ae1091453b0bd9bdf181bc181c72d6ce6bede49ba318949db0116b23ee51faf5a5fb3c4a4682d24788184d49d06f456f3dcbae5389f609baa88d2b74e96d793a |
memory/2216-313-0x0000000140000000-0x0000000140140000-memory.dmp
memory/4456-315-0x0000000140000000-0x000000014012C000-memory.dmp
memory/4456-323-0x0000000000750000-0x00000000007B0000-memory.dmp
C:\Windows\System32\SensorDataService.exe
| MD5 | dd8aab3c828476096f55f15de5a8685b |
| SHA1 | e0fd5bc5934d36ebf5b9c755960be60ea9036828 |
| SHA256 | 462c69f7501e79e38927e1a41902884687b2b0946f99c64d6492961300b5ecd0 |
| SHA512 | e754bc2c45f018901d5b90f2823b9d54f17834312f974546ba1df02983c1d1a777015cfa0b8ab344603e604b85c817a8c3dd958b37dc18bdb961393b5228a7b1 |
memory/3048-327-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/3048-334-0x0000000000660000-0x00000000006C0000-memory.dmp
C:\Windows\System32\snmptrap.exe
| MD5 | 53b6b40107e0f5e7dc824edb3a82d3cc |
| SHA1 | 9cae67be58e513ce05a5ea6252d7446d95739ced |
| SHA256 | 631c76d1c92b9bcdbbcbe16e870baa2cc3efde2a387a0576d6ed37b933988d9e |
| SHA512 | 7c28be1bc1d580e12dca9b28608cc0d5f629d4f58bb48b9620b3d61ebcb803575494a784281b95dd1fee908c8193ba854569374938f64bb70d6c2d8a1a4a6fb1 |
memory/2816-340-0x0000000140000000-0x0000000140150000-memory.dmp
memory/3648-342-0x0000000140000000-0x000000014012D000-memory.dmp
memory/3648-349-0x00000000006C0000-0x0000000000720000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | 0b36354a35c59ead01864a7c0d79bcf0 |
| SHA1 | 7125b275d28ca001570a3b722a68eccfcf67ec56 |
| SHA256 | 7e0454456785994019f0c30f5e07fcfdab4db6ab2137a2a5f20f7857cc04616a |
| SHA512 | 00c80685fa9c3f5bf04b697dd630446989092bcba123dc7e3fd8850433c654390c5b384b81b4ac4cb4f34e035bf12f09347acba1dae93ca55388ebc5e7bc8237 |
memory/884-352-0x0000000140000000-0x0000000140142000-memory.dmp
memory/3972-353-0x0000000140000000-0x0000000140169000-memory.dmp
memory/3972-362-0x00000000006B0000-0x0000000000710000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 4ade8aea1a848af5cd05e12a8452c5f2 |
| SHA1 | d388c8b99838e61db7359fc7db377907903dbf33 |
| SHA256 | ba87d0f5ece51b24df6025c9c483005ef8c55a60ab16632105c5385540efaf55 |
| SHA512 | 92ec9b67ea96ec35b9e51a0d931d9735f7efe9474ea22b478d4764192a9f29fc8c8ac9609520c877dec97508006ff9212adf3ceaf1c096d60de37285818a7c71 |
memory/4400-366-0x0000000000400000-0x000000000052E000-memory.dmp
memory/1284-367-0x0000000140000000-0x0000000140199000-memory.dmp
memory/1284-376-0x0000000000900000-0x0000000000960000-memory.dmp
C:\Windows\System32\TieringEngineService.exe
| MD5 | 0a42178544f5d1567b5745511e853c41 |
| SHA1 | f5ebb88e5c2dbc83a4ee964bba75d8c279ccbbbb |
| SHA256 | dd0dbe34e8cb7770ce2d9b592c2074684fc2cc22ba8f258c7f4582860a5f25ed |
| SHA512 | e03e0f939582c04153c3d0cc28b22c9ff08e5e8590347b6a8366d290cf4abe533d8eed629fae98034f0795c65bd7d17661738ca8dca6f540ee08e6521b9b3595 |
memory/4456-379-0x0000000140000000-0x000000014012C000-memory.dmp
memory/1324-381-0x0000000140000000-0x0000000140179000-memory.dmp
memory/1324-389-0x0000000000750000-0x00000000007B0000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | eee3bc60daec7941d0b6c547cc7ac082 |
| SHA1 | bc79b767dfa2d5201c7fd0a22cb084003a6e9c77 |
| SHA256 | b71186f24823cf74201f7f793640decd8158ba7c8c47ad2c1b0c9632c1491478 |
| SHA512 | 4f6ab31b6a8f42cc457c69c314c3a12700c8a548e6a6d018a00e90201248aa03c5c07cbd83a4b56571914dcaa42bbdcee5557a79cd96cc885a34a6c25c59e334 |
memory/3048-392-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/2324-394-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/2324-401-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/2324-406-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/2324-407-0x0000000000C00000-0x0000000000C60000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 73b9846290b40c7eb4b717fc24e7475c |
| SHA1 | 1432c17ec9b1aa532a80733fcc3ae719d4846d4b |
| SHA256 | 4d68a71bd8a58bbb6498fec7f26ccce15e54cecef02b7ee13b7a2ebc42440d85 |
| SHA512 | 49c0e20d099b04b1c1bb7dcb6f1d95c2d5b441da79e15bdc2015e94c023d19badadb6ec1aa09ff990fc10c73c9e0a1b923b92c586533849d1598f486cdb473b8 |
memory/3648-409-0x0000000140000000-0x000000014012D000-memory.dmp
memory/2920-410-0x0000000140000000-0x0000000140147000-memory.dmp
memory/2920-419-0x0000000000BB0000-0x0000000000C10000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 4437a9991eca7b45bda86d69d8c3a03e |
| SHA1 | 1ab910693ff0fca089dbfdb5906f6ae12a295b62 |
| SHA256 | bbb7715a000177cfd666edbf62acb17f7306151c403112103c7706b91c6af19f |
| SHA512 | fb543d62f058b8db7925324938919cf072fcaf72a3ed4dfc747653bf440b06a0cf42a4575ae6d11699af4470bbfba05c7833bef72c767bd33b77c1a3e94d8add |
memory/3972-422-0x0000000140000000-0x0000000140169000-memory.dmp
memory/4600-423-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | 9dce8914e0b4b3a100a38400201e8e7b |
| SHA1 | 9d4db003bbd9982e25d9e3d209f937afafc7f293 |
| SHA256 | 1880d8989df3555e3c5f1527cf379509f2995921373f844cf3347727ad96a98c |
| SHA512 | bd11d09092687126221a3d94e50a1210e7c3f26c6f9e9fcce7e8c6751f428cdb6ff8a929e23efc8ebea2f8bdaff32eafa7c30b82af017b6db6a3b1b60c33279f |
memory/1284-435-0x0000000140000000-0x0000000140199000-memory.dmp
memory/4600-433-0x0000000000760000-0x00000000007C0000-memory.dmp
memory/2028-436-0x0000000140000000-0x0000000140216000-memory.dmp
memory/2028-446-0x00000000007F0000-0x0000000000850000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 4d3e855db9f072d5e4f04cf7e21fdc65 |
| SHA1 | 36e96621b2cc28e36358ae76c93de5cea513a2a0 |
| SHA256 | da082711cdeac0f083a8d1193abe381959a29e72e087e0950720dbddadb17b40 |
| SHA512 | 1e91abee0e94f24e608a960148e589454351109d2e071350d55bdb64987ab0c5e30074a2190ff77a03ee757e26048a77be1aa68b8593ae725c850f31903ae6b9 |
memory/1324-448-0x0000000140000000-0x0000000140179000-memory.dmp
memory/3468-450-0x0000000140000000-0x000000014015D000-memory.dmp
memory/3468-457-0x0000000000670000-0x00000000006D0000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | 904412f6941fa252bdff156d39cf8a88 |
| SHA1 | 593ea375007833507917e75aff7ae8c989d14738 |
| SHA256 | d4a4aef390f3ff442532d4a89bf38db74b2d135cabafa6583d4c8e6bb3032563 |
| SHA512 | 42f2659873a507e4f3694a801d91cef4557d25f87e17da01ec77d3b9c0cee7305f0debc82c2061c01b864383485b59c9b244fd8eacfddea0d535700b28bf3a91 |
memory/1948-463-0x0000000140000000-0x0000000140179000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
| MD5 | 2b64b3314191d87d6364f9423940a448 |
| SHA1 | da3a473cad64c423b0dad95a44ed64af7f022dda |
| SHA256 | 7143cd60643d8dfedcb285ea63f8408d5ee0efbd92a07278b74d96838f802654 |
| SHA512 | 56272fd26c8fd5dad575ac1ff85e3e9d3c0e69d1a5ea94706a186ba76504c6230cb5f47e2cbd12bd4b238b4343dfe06dee1d5489c114f227bd610e2eca792415 |
C:\Program Files\7-Zip\Uninstall.exe
| MD5 | 300e250e5b6898b1559af870f650d8a8 |
| SHA1 | f5c44eed6e5648f796778a4de9657c20d5a7e73c |
| SHA256 | c362fbda1b4ddb58f531e77a1cf739bb54bfb1d4a780597359beaf3994a6321b |
| SHA512 | 65b8f5ffe37bad6d52b7f479b6cfdbd6090045a1560a5c1b1ae53f82d505d48e3c527c3f88862199fed2ba611060c4a067a12df6e47083adfe6923d9977833e8 |
C:\Program Files\7-Zip\7zFM.exe
| MD5 | b387be0020f46c23af359d028c6b1794 |
| SHA1 | 1b8f3d6c3c56b4ce66e2b4e8bd385647042999df |
| SHA256 | f86a8c82723f672961204684fe6c6a08b191f646e35eb81d9f987c0029761a2d |
| SHA512 | 85fc12925db5f6a68625aad92c233b52f17734eca4417567760d061743d63370c72cdcffd3058c34a73093bf3081c34e1d2652006a0d482d2ca47a67d07783f7 |
C:\Program Files\7-Zip\7z.exe
| MD5 | 40ce392250ea2efb454a3cbcfe4ef5db |
| SHA1 | bc70343bc85d931df1893873f8014194e5293519 |
| SHA256 | 8ac824791c432df0158049fd20ff50d8df48e6e149ce3e6e2d965eaad035f16d |
| SHA512 | 0159b15a3c8bfe8eb6d20ebcaebb5fa406b78fadae506cefd4fc5c652e9d1220e68351c056256a4301b630e25e4a132c2cc6be59a3efdb363e793cc42efc6b03 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
| MD5 | b01c8b519bd268161b593927d9439b8a |
| SHA1 | 58097ebfa64f09c04ed5efb1747599da855a07f3 |
| SHA256 | 00806a04a38d5716be8c2db268a4ddf81f5784231d159ed0ef8e3ddb5613a794 |
| SHA512 | b9b129c8336b4df8c9b17877d68f1f32fa1468fe55e96243dcd1da1c1be84db5d6848fc7fd012c453239f63684b9c5d923438c115fb616fb8bf1e5ea24923e10 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
| MD5 | 501e46665d1f71367a52da02cd2ce905 |
| SHA1 | 6812b3da348f98c9a625b174e6d037f93e0e263d |
| SHA256 | 803fcfd6be92e6f06c80362542ba06ffed7be999e7f545655b5a6816ba288e83 |
| SHA512 | d8ece60c11565726dc243271004d762c092eeab6ea312bb51e645b3405f79c8fb536ca5134501376c7c4c94bb4158e5eea4606fae88a4b49490bdee5b864d8d8 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
| MD5 | 7844db66c93c91c0bd77c57a83407581 |
| SHA1 | 72a64b8f1532f9f7aaac3a8e812ff2fe4c926bd3 |
| SHA256 | c64c806ad6db5710db59553ea48ff41eb1ef13942ac6c89e25f5d679c1fa6e34 |
| SHA512 | 00b932c94bd8c40b1c8bde631a5d0912d787f99a08f8786ee140c31091073fc7e35fbc0f08aeb49b4b09f80afc37b841d76bf64a63f9210b9775514aa2087917 |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
| MD5 | 7350815c54061ec89eecf793b4723d57 |
| SHA1 | 7f9b4d4f36f22c89899c64296bee47d26b6f8dd9 |
| SHA256 | 96c616812b3a96fdb6ff661d00ce0394cb5276c3e69f5ce984796c42171905d2 |
| SHA512 | bc457ca05b4bafb9c3a2ab25866fbe0b7c2a061c97d3010f01fcaf250c9ea9d64ff07902146f67b2b0c7c187e8754a03a0ac8836e6342ce639c694a3f7966be3 |
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
| MD5 | 1f79a969b4951ac9eaec7889e2d4d60d |
| SHA1 | a3d747a5283209059a2a1d98f6452d384d9b5125 |
| SHA256 | adb4f1c708d29376224cb5cfe3e0fc33fbb0266b30075190fa5b1d62e84030e0 |
| SHA512 | e5baae297ed0aedc92b514f0fc2f276d39994795ce02f05443007af695fcd9c753e1b3007a9166c4b3db986c5ae85fac4e40455af165c0f1d42b7eda1406610b |
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
| MD5 | caf70e45a72ffa063aae48238958025c |
| SHA1 | cc7035dbd4388e82644568047156087b567e77b4 |
| SHA256 | 38ce6b4522dac9b7983da66fdc8baab1ab02a3be22b89c1967fb93613faa11c1 |
| SHA512 | 49d44ef1249ec93c489db72cfd802dca9df3eb43b6440771ed7c69e80c9071c9945ea8787121ff35c7b73eab00d128efc60aa0161694bf27c2fb96e3d33c0a30 |
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
| MD5 | dc78f5fdc60c3d43dcc99f4d53f82479 |
| SHA1 | 34932c47a9d02c2b8d4947b8fea0dae18f43940f |
| SHA256 | 348c96e45f78410fc1ecf4c5f8cf01fcd0fff81fa3425b88cc0433edd7a167b9 |
| SHA512 | 9cd36bc1aefcb062703cd0c392e215d7d5235573426accdd78eea3aae0c88fbba9d3991932d9fa2eb40d8168d06f112d6e664e2da0309a877c65912b0307366a |
C:\Program Files\Java\jdk-1.8\bin\jhat.exe
| MD5 | 21e602215993592cb272ed74407316fa |
| SHA1 | 4866207282ddc7543d7f42b997948813f8f8b537 |
| SHA256 | a121ad3be481d889dcb5f64759c1016742aefccdbec4cbc2126b72d360a3fcf4 |
| SHA512 | ed607f92db63767a8cb3043c9c57f4bca8d6db01393b9397b7bada4280889f2de918f4e46e3f4e63606a8a1694fd61916005dc6053c12b53a0d34752da863656 |
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe
| MD5 | 10e44f057692454887ada2beb1ac3a99 |
| SHA1 | e14b74e970f71064fcd56e62a96c02653156f2e2 |
| SHA256 | 986cf61388c4ed2455e9da5f305791b581aa7369972ea3300f968357a2dbf6bf |
| SHA512 | a246eb67115ea50a7ea621e6795f6b7dd648d2f77046d12204cd945fa9031bda6cbf9d2cc5141ac2f4427518c08fbcbf64df720f1130c6a7b15da2cb4c0df7d1 |
C:\Program Files\Java\jdk-1.8\bin\jdb.exe
| MD5 | 30cf69159844f1ed07c10b19f757f43d |
| SHA1 | ea88fbda0d54e296a0695ee27df704e22910c3db |
| SHA256 | 00b361f335af288c0345872aab758c11a9a0f1d78bcf16793b83aed7fd5c052a |
| SHA512 | 4bd075504ff588563bdccff8b3c4afca004a73e934b9dd053bcb39f697365b1ee259c8710a859193a54bc0c16f681fb72a7af0df7c79a37184b917d4477a154d |
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe
| MD5 | 6fa8656aba1c77504e1055e8ca3bf432 |
| SHA1 | 69c03b1777dc6818d38eea0937256d3df0b8a060 |
| SHA256 | 1186f0e2e90d98a509cf40f977c860e147fd8e9658170d7dc9df218474546e0c |
| SHA512 | 1c824e725a7e87ab30e44414c6cf6d61761526b7a20896a8a954c2e5863edec2256f9e75293df50e8ef8f538943d419197c09e3e3489c52d60a610b690dbf059 |
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
| MD5 | c9d5924231d25119e3f952a834a51809 |
| SHA1 | 8b254994f175553f71a7bffc1672d303ce7d1bb1 |
| SHA256 | 519059b644223f03896c8cf6d1da001973c74f7f0c74c0fa4a8006d8d58da957 |
| SHA512 | f11790287669d41e09b9604eac00c85b4eb2ebb5f4889b792ed7ebc363b67514634713e20bec6fa4fb5643ef0c209e3e47184d02dd378bb666af7846dd40401f |
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
| MD5 | 8a0184373cda4201fe8c5bfbe1e15d10 |
| SHA1 | cca896b6601bbf81d63c4c0bb2b583484ad4a4c2 |
| SHA256 | 9efdc618cdf06f044ef4ce35f717a2f38550479da3399971e7f0cd6b45128ad1 |
| SHA512 | 262213a3b17970626fad7983b54c7f5e55f37d9b96cca8bab6d1792a4b7621c9cd036b579a1e002984e64471a670e672606cd362db97b89ce8e6fe6c661b8ed9 |
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
| MD5 | 3aead80d2bbc4d5decc86112e744c552 |
| SHA1 | 310676eec5f2f079a2e50fd1299d5b6b6a9bdf53 |
| SHA256 | 6a236bbaf2e49fb6ccc9e31728416686b3ad25cfd5a9ba7e8db65b410bf3053c |
| SHA512 | 54401da669a451f68bf988a0984519dcd2e214b823da14dd3ef65d27d8b5ffad1140b6b7c63ad41198d95b2ece82c31fe4f571ebc41a9cdcd585c8e055295b7d |
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
| MD5 | 4cf79bc4d28ad45c71a2c511a69bf9cf |
| SHA1 | f21511c3b64d7fc2311f964545d26613d8e8fbbb |
| SHA256 | eb7b9c201d4c1d0c4b2c53ae47aff4821362777defb04d6a68304da0a5bdbfe2 |
| SHA512 | e60da5503902055ff833e1fdd3dbd108c6a77497094961f7c7117955a59dfd7a296d5c2bafc2f5cdaf8b1f821a04803f5b90480964f72ebf17fe213dc1b9526c |
C:\Program Files\Java\jdk-1.8\bin\javap.exe
| MD5 | ed5e56dcbe780499529e3db4b7c218b8 |
| SHA1 | 0aa8612c38fd60f1cb47eec2ec216203ec90658d |
| SHA256 | 5932642ce5ab3737b3a29d0e0141a970f4005d3c61aaed6828694563c572e9ec |
| SHA512 | 2da05706d2ac85d38f6fef13c1ecaaa6de2562c540dc49c13bbee205afa7988ef2d1c6819702dcfe4d4967d582e0dfcabc7ddcf25255ca21b6497887c10a422b |
C:\Program Files\Java\jdk-1.8\bin\javah.exe
| MD5 | 758ad78a012614fd858e988b36e3d267 |
| SHA1 | df503920c150063ed7df97621f8cb5d59ea7f5d6 |
| SHA256 | d9618eb02f523e40f396b08dbcc27619ad3c4fe0f350b65047995b0563e8113a |
| SHA512 | 73e3fd43b5fa2e1306cfcb04838a0b64018201bf1c25060ff708fe87bf75c88cc15e068c3642d131c2e59d143e493932c4e9a48371ed6618144ea0ac80df97a5 |
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
| MD5 | 62d370668cb3aedb6f4426989e8bde09 |
| SHA1 | 257f7ab3aea19dbdb4f866fa56b0f9aebe8e62f2 |
| SHA256 | 70f2790ab5044fa8d6f435ebda0d3e40522136deb00c3d59ea30776970441d88 |
| SHA512 | e7a84f727a1a42c0d26f935ed30eda2a0596d31370015c06f5465b54756f947ea9ad4dd7dcf0ed9f369ccdb3439bb4f25e325fc80327513de23431d9eb314dbd |
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
| MD5 | 11ad9f34fc78c5d7cf52313898d4fc60 |
| SHA1 | afd85e5a6f16ba4af7d53e940c88090476f9f924 |
| SHA256 | c8fbd5b4f07dc60bea5f963b5d8c814263f7949540f1fdf96ff2032511015916 |
| SHA512 | 7bea93bb869f79d4a83bc3b9daddac4a3e500fa49072527fa70da18550b73d661907533e784a6e4c6de9f82ab5626630f844fd7b822f0ede5ba97b15a97ef756 |
C:\Program Files\Java\jdk-1.8\bin\javac.exe
| MD5 | 4feb760374a3bf42ac5f70ea255cb1b1 |
| SHA1 | 47e3fe9480eb94ba90b820ba47fabf3e0cdbf3ad |
| SHA256 | e34bfb6e048c70056af2cacefaade24c9dc762ae853342b1f2362fe09bdc22a5 |
| SHA512 | 224591c10bc8f5faaa6f6a7c416ea9b8648116498fa557fd2eb491f226c1f1d2add15062a549c7acc3e04ef1ab729d91cdd38a4d32ad593888f81db7b9bcf835 |
C:\Program Files\Java\jdk-1.8\bin\java.exe
| MD5 | ed2ddbaedca0ddab55764418cfb2cd5f |
| SHA1 | e899aaa5b46528c1d8a4258d03878c88a17c7fbf |
| SHA256 | e8e31c3310f70842f2b75f74da1315e5343c5eca023565bc58ac351ca1b4e5a3 |
| SHA512 | 020abe7c2f19ff3ef69476187b725182f56ada8e2dcbf00210fb69600ee4aa5bb271a6dafcc7e3ecad896f24cc683cbfc963650d07dabb445b0526f3a04aec5c |
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
| MD5 | 3fff644695a5da38f0f4ec9c697070be |
| SHA1 | dad0ce65d621eb805458cb4b63112ce8f5a4e987 |
| SHA256 | f4db2b120234b244abc9c01c156ab1056171b7836f1dc293602b192dd2467b95 |
| SHA512 | 6b37d7e2c11aa55a1eeee3593ab467f3742efacb5d400fb5c7f66a9552ac8758c73744bc51d57cae718ca8261cc5d23c8b78f64489287d396be03dcffcc349dd |
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
| MD5 | 4f8ecca2b41b1c9d9836d934661850da |
| SHA1 | 118f8a3b123dc4b80a21ed00c7d896e53a4ac872 |
| SHA256 | bbd9185b681091b83eb64197781250c015adeae4080c8ba2b82f777896fec5ee |
| SHA512 | 3e9ac817af6c92157c277af58d4c9352836488f487066edc3d68bb85c7b65a390d7c3cd4cb9a4ffbf59c590ac6bf9e8530ff2ff959cd6b18a2915ec3aa8788b6 |
C:\Program Files\Java\jdk-1.8\bin\jar.exe
| MD5 | 13dcc120684ca066905d4509f9f0b806 |
| SHA1 | df7297bd63f9c252294f69991c084f170bc33c4d |
| SHA256 | 758afdd5f78e67f5792d6edec546f9ab94cbdb4fb4c13ca615aa9c94fc5ed1fa |
| SHA512 | 59d43ad8c8d316c2bbd4ef2f7465553b3e23af6eb70f18e58345db92bcc427a46dcbd7ee29a339ed30a2b9fe01235eee18f054c9842e672868db2fa0eb119016 |
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
| MD5 | 349595e6ce0e1cf071079347df1d0b31 |
| SHA1 | c85cb2634f70367ae03d8059fd64a53da7664ce5 |
| SHA256 | f806713b8f6e9000761fee3f0770897718197d8b70bff6d9e7a869d01d418fd5 |
| SHA512 | a34e8c4ca46d7e94786fdb625a4224a017cc8c81d401141be6a98397ae5a9e8cba5b7585947b1a94866f441f04340370c1e34598118dfc1bf93f464416e0e4cd |
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
| MD5 | 01a7f60924b0fb616a3ef11c5e6b041f |
| SHA1 | d197b1a4a97e9ddb5825182a385176a55d7b01f3 |
| SHA256 | 11f0d8a545e833cb978f7e7915995fe40ac95d13670d14f6a854a74a0816912a |
| SHA512 | 29990ec87fd9b24150b7527c631fb25bb0ed5f67bb544a8713adde3d1c31dd13331608723111f39a6f972e5dfb85908b9ee55b951141d982d8bed24afb908f2f |
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
| MD5 | 3e20e1cd17d78a42166fe36f4077b82a |
| SHA1 | 00cc2eeaa11f171068e3f403e2dd0877131ffd48 |
| SHA256 | a1a882dbd013b8f4d9c0db119a4effb0d0a523657cb2543a7c1c6da0547dfa51 |
| SHA512 | d3a8be5364be4d4a2d3105f5cc7472b6f66edde784302253e188fc12b749e3f1b149943d4b26489de1c1413f19cf83b2fd4a58e337432ba4f89d5a7899ae92e8 |
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
| MD5 | 6781df7299f5e9f0c0f676d875e0482c |
| SHA1 | 0e1418d377bcb34669eea46ddd9f08c959d36945 |
| SHA256 | aadbb175c327ed333877ce11e2776cfc89180f818a44b88804f0d9b54a6e6fe0 |
| SHA512 | ab4dfa78fcacde6ac6846da4504054d2e911e152ab8842fad56592edfc862f79640faf8d312a548d17d4aa81680bb64e648765b988fa34c16d7a0aacad39a8d8 |
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
| MD5 | c8f44b2ce0c0327f2ff440bccd0efea7 |
| SHA1 | 7c0dc02828f2282eacfde92f23c0b8109b6c7383 |
| SHA256 | 5133dc1ca16d670b98737da37e08e9d6306f90280756e0d72c20a29aeb75e501 |
| SHA512 | ed4dca78989326a77c3ee173de4fc2961577a0ecbd9eb4075df615aa77618adee86a8aaecdbb356c77bee3c79774feb4babb059a40045f1552c4026800a110a0 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
| MD5 | a429e4a7869e5eae77f9149d2285a43a |
| SHA1 | df202f01e987c58647b7ab0c8d0f16a22ba5b8c7 |
| SHA256 | bfc58586ff3112f2c56390cd771eb7544e1ae3836b3662a882363ea5824a6501 |
| SHA512 | 516cd961a101e96d244d1f1ac3d52405cdedb24d7883e9d6ee2424ead43dfa8c1e5b9e0c6757fa2590bfc4b557d29e58744f19c64eeff4deb403b566a07ef07d |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
| MD5 | bf1cce006f5dcb1d4260f0b519f9dd6e |
| SHA1 | d8bbbefbbf91df1e31e8da0052929a36237cb77d |
| SHA256 | 4e2838564704e991212b9223a66a50a9fda825716dcb10b1c3e18cd7bc39452e |
| SHA512 | 8f9b12b986e89b39c9e272117292f5ca31a7528e106bc0775ec554565008f5c9f6d69dc478d3a139e4098a633115402ab21777aa16c3046ca4ec754eb80f8799 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
| MD5 | 9a3a08ecf5f94cbd7fdb9a5f1c085242 |
| SHA1 | a7d04308ce32608ccac93d50b07a0b8a8b9513ab |
| SHA256 | ead90c7eda4d7eb1413eb6b1533594c429b478ca95bc24de83f4246ac8e5dde2 |
| SHA512 | b0f3a814aadff8688a92a938e279198a64c1832198e609c78f8430581d2c21c12c53fbbdddf58ce4d55abd0b45413d49ef23b761c3ff1aa31bfa455aeb36a458 |
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
| MD5 | c58bcb542a3be97fe7dc9e1ce3c7441b |
| SHA1 | 5ab88772a2966e3ec1b284622c8ef38b1e8b81de |
| SHA256 | 66f9dc885b1af27c9119ba9dfce55415a893c0d66753972f82271d9a73fa56ec |
| SHA512 | 18193656a3efe83413ba466f61ef0413d80f7588e698c4b519b39f41a291379bf16a1a64e1e42fa4b87678d7cbe23a31ad5be39a7e1adacae72e848362eb0776 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | ca5462a43702688f12fd162d5913a14e |
| SHA1 | 32568fccb5c1a4dc6060320e46dc86a1d0835ba9 |
| SHA256 | 1487e0dee2de2604c2935658f234090f899d27bf632bd664d012d5836697c935 |
| SHA512 | babb6b0b5c71723ac2cad960ac89125eb6f69080b6e64bfcab9e5866ddab854361201642429c9c93788970ad0a9a9b3a61ea15028d3984b895768f08abd303e1 |
memory/1948-472-0x00000000008E0000-0x0000000000940000-memory.dmp
C:\odt\office2016setup.exe
| MD5 | 8aa2cf0362ecd859923921c3d16f1978 |
| SHA1 | 42251b7ca0b04672a71abe570df5bb8d9015102d |
| SHA256 | e05351da353edb630f66449e9281df57cf7a600c79b4284e76018e24bf9008dd |
| SHA512 | 45660ee4322ee291606033d09b9e60b4b3b3386096402bb02febf31b83cdeae57fedc2fb97592de16c2c25197a3054026a803e8761f765ccf0bb28ca23ef11b4 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 79b89b551a32be6f3203734508b66054 |
| SHA1 | 73b0122738f5b016816ffc00b268e8525476e1c2 |
| SHA256 | f6a08689785c38e9e901d53d680d03441c713307eaca0ef583808a288f2eb4ef |
| SHA512 | e0a8073e772671dbe1d4aa0ecc3b2a73f3b476b0b239d907878dad8aaf3ca40689f001dfcbb2baec476a3ad41e1052c90a8d60da34d9b9ab5341336e51333b9a |