Malware Analysis Report

2024-11-30 07:07

Sample ID 240601-hppyaadc5z
Target 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe
SHA256 23e3666d857cd71be00456556fc47e8f27f7d6cc5de543852e2131ac77ddc535
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

23e3666d857cd71be00456556fc47e8f27f7d6cc5de543852e2131ac77ddc535

Threat Level: Shows suspicious behavior

The file 91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe shows suspicious behavior. The two detonations diverged: on Windows 7 (behavioral1) the sample crashed under WerFault.exe shortly after launch and produced no network or file activity, while on Windows 10 (behavioral2) it opened a large number of service executables under System32 and application executables under Program Files for modification, after which alg.exe and DiagnosticsHub.StandardCollector.Service.exe, both among the files it had written to, appear as modifying processes themselves.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 06:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 06:54

Reported

2024-06-01 06:57

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 160

Network

N/A

Files

memory/2108-0-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2108-1-0x0000000000590000-0x00000000005F7000-memory.dmp

memory/2108-8-0x0000000000590000-0x00000000005F7000-memory.dmp

memory/2108-6-0x0000000000590000-0x00000000005F7000-memory.dmp

memory/2108-10-0x0000000000400000-0x0000000000581000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 06:54

Reported

2024-06-01 06:57

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\562cd0fbc3136770.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
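The three tables above are flattened to one row per line (Description, Indicator, Process, Target), and the Process column is where the interesting pattern sits: alg.exe and DiagnosticsHub.StandardCollector.Service.exe are first opened for modification by the sample and then show up writing to other executables. The script below is an added example, not part of the report or of the sandbox's tooling; it parses a constructed subset of the rows copied from the tables above, pivots them by writing process, lists the service binaries that the sample wrote to and that subsequently wrote to other .exe files, and emits the set of executables an incident responder should re-hash or signature-check on an affected host. The path-column regex and the ".exe written by a process the sample had written" heuristic are this example's own assumptions.

```python
"""Pivot the flattened indicator tables of a sandbox report.

Added example, not part of the original report or of any sandbox vendor's
tooling. ROWS is a constructed subset of the behavioral2 tables, kept in
the report's own column order: Description, Indicator, Process, Target.
"""
import re
from collections import defaultdict

# Path of the detonated sample exactly as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe")

# Constructed subset of rows copied from the report's behavioral2 tables.
ROWS = r"""
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
"""

# Paths may contain spaces ("Program Files (x86)"), so the columns cannot be
# split on whitespace. Every path starts with a drive letter and the Target
# column is a single token, which is enough to anchor a lazy match.
ROW_RE = re.compile(
    r"^(?P<desc>File opened for modification|File created)\s+"
    r"(?P<indicator>[A-Za-z]:\\.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?)\s+"
    r"(?P<target>\S+)$"
)


def norm(path):
    """Case-fold a Windows path so System32 and system32 compare equal."""
    return path.lower()


def parse_rows(text):
    """Return a list of (description, indicator, process, target) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((m["desc"], m["indicator"], m["process"], m["target"]))
    return rows


def pivot(rows):
    """Map each writing process to the set of files it opened for modification."""
    by_process = defaultdict(set)
    for desc, indicator, process, _target in rows:
        if desc == "File opened for modification":
            by_process[norm(process)].add(norm(indicator))
    return by_process


def second_stage_writers(by_process, sample=SAMPLE):
    """Processes the sample wrote to that afterwards wrote to other executables.

    A service binary writing a log (msdtc.exe -> MSDTC.LOG) is normal and is
    not flagged; a service binary opening other .exe files for modification,
    only after the sample touched it, is the strongest sign in these tables
    that the binary was replaced or patched and then executed.
    """
    written_by_sample = by_process.get(norm(sample), set())
    return sorted(
        proc for proc, files in by_process.items()
        if proc != norm(sample)
        and proc in written_by_sample
        and any(f.endswith(".exe") for f in files)
    )


def executables_to_verify(by_process):
    """Every .exe any process opened for modification: re-hash and re-check signatures."""
    return sorted({f for files in by_process.values() for f in files
                   if f.endswith(".exe")})


if __name__ == "__main__":
    table = pivot(parse_rows(ROWS))
    for proc in second_stage_writers(table):
        print("second-stage writer:", proc)
    for exe in executables_to_verify(table):
        print("verify:", exe)
```

Run against the full tables rather than this subset, the verify list is the host-side checklist: each path is a Windows or third-party executable whose on-disk hash and Authenticode status should be compared with a known-good install before the machine is trusted again.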

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000368669aaf0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2eb2daaf0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000996f0da9f0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092ba59a9f0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000daa1c2a9f0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020b5d5a9f0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0022aaf0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000434b6eaaf0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b47cbaaf0b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\91a4981ceb8602c0d3af37f180b568a0_NeikiAnalytics.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2920 -ip 2920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 432

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 3.237.86.197:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 3.237.86.197:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp

Files

memory/2920-0-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2920-1-0x0000000000590000-0x00000000005F7000-memory.dmp

memory/2920-8-0x0000000000590000-0x00000000005F7000-memory.dmp

C:\Windows\System32\alg.exe

MD5 6eccbf6297183e4c1cd6d5c68e9c3992
SHA1 ebef698e6ea7849ad219d1fc18742e9f591e35b7
SHA256 dcb5c2f12a18eee947e653773cada23422c87a8b62c700dc7b8c51383f76d869
SHA512 61b4e3e7d9af4299aad5a6c530b6228d6451fbd33e0fb6e332a59174db577e1e994eff5d21c00552b1241ccc6c022d0859ed44b2c182877b43b05b1f5eddebc1

memory/992-14-0x0000000140000000-0x000000014018A000-memory.dmp

memory/992-19-0x0000000000730000-0x0000000000790000-memory.dmp

memory/992-12-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 11b5c368547c5fbc77b97080bc23a852
SHA1 d56c2f34394eb48c5e550c0b965e9305018fd5cf
SHA256 3c5542433383cd2eab4c652a4367d0e00c7c3792327f2e5873f8a81486d9596e
SHA512 a0e5368f09f3eb5ed4cf5fcbdc254f15e5e79058afb9b30d996e5dc026f4c381d0bcb1f78bedc1c97d37f4cff81f82eb0b9e7c1caccdbab8d7de3a6ec86e4abd

memory/4404-33-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/4168-43-0x0000000000B00000-0x0000000000B60000-memory.dmp

memory/4236-53-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/4236-47-0x0000000000C60000-0x0000000000CC0000-memory.dmp

memory/4756-63-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 6cc6820f55d212e77d870eadc6deaedc
SHA1 2f21fa4afae334d65f5d936dac12fce2544679d8
SHA256 ed8c20d21ec7a346bb60dd82d9cbbd6828747991c73b1c340378f2a5dd34f144
SHA512 97d96300af067bbeb104cf26965eeef75c36003a2f9330013eeb3e1485a3ddeb0b980d8c1a385d4dbdb11d78af30a6e6cdd8c6ffb3407ee2321745ab6d7507e3

C:\Windows\System32\msdtc.exe

MD5 d41d97e1cfa5a90f16f147322b53a48e
SHA1 24e863dab9ee026a2d8f27d30064cf64f39622db
SHA256 8e3ac2694cf0ca91c4156a14f737f1dcb05e39d3d6e33bc74910cd60883350b3
SHA512 55633ddf601456c16f09b01ef2df124f5b82fddb1640cef543343bc6475c83593476ca3938491d931ebc81f44f12c1f78da06b6515b869343e61ea0eeddc660f

memory/4168-91-0x0000000140000000-0x0000000140135000-memory.dmp
