Malware Analysis Report

2024-11-30 06:51

Sample ID 240601-jghdxafa82
Target 2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany
SHA256 b5dcdffbdb80fde8017739a0cdf14f1465b38bcba6d4eabb1c532c39d9ed8cd0
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Checks processor information in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 07:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 07:38

Reported 2024-06-01 07:40

Platform win7-20240215-en

Max time kernel 121s

Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\alg.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Network

N/A

Files

memory/2924-0-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2924-6-0x0000000001CB0000-0x0000000001D17000-memory.dmp

memory/2924-1-0x0000000001CB0000-0x0000000001D17000-memory.dmp

\Windows\System32\alg.exe

MD5 41a674230bbf3fb48dfdabdd38340961
SHA1 8a29de58da1f722f72bd295fb742a560f0e87979
SHA256 f2ab24348d711e4d0a2d63b79bcdcda1072c1ac542ee3113b4dccae305446de1
SHA512 2b82c132b26c6f797bbd00b742ac25a914b55bdbddf5da7b54a8817d55b20115f52118b73cb233212e57e0cd7e0e5e01b8eb7f28f6b0f6030840c264e78993ef

memory/2984-12-0x0000000100000000-0x00000001000A4000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 57c4d9b29ff2a6b6540cb7ddc94358bb
SHA1 0fb79b001f114bdc92666ec05ae6b40e2cd737d7
SHA256 18ef0b7e0537559bdeedb963b6072050776eba4aee947305fcb5b81b8b07e5fe
SHA512 9042f93979876f829c13c58bfa7fdc48b2625fa9f27db21e178f55618db0deb225e0274f3b49a4a16172e7945aa20b8d0dad71bf9b9154b684d39fcad1f09951

memory/1640-16-0x0000000140000000-0x000000014009D000-memory.dmp

memory/2924-19-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/2984-20-0x0000000100000000-0x00000001000A4000-memory.dmp

memory/1640-21-0x0000000140000000-0x000000014009D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 07:38

Reported 2024-06-01 07:40

Platform win10v2004-20240508-en

Max time kernel 150s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\b7276f0fc3136770.bin | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000442c74e8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f1fe5e7f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e440be8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007be3e9e7f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000081c23e8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6a36ae8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017537be8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ec4ede8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b3bbe8f6b3da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-01_78c75142caefc222070b2dd40cc35bc9_bkransomware_karagany.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

Network


Files

memory/4808-0-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4808-1-0x0000000002200000-0x0000000002267000-memory.dmp

memory/4808-8-0x0000000002200000-0x0000000002267000-memory.dmp

C:\Windows\System32\alg.exe

MD5 eb9ee7c3adadb684454e330b32e0bf6d
SHA1 6f26d7b63388532086c3e88e8c9eb39e57f52b54
SHA256 7f2818ce464fd33058698bbce3a851466f423e3764f932e6b676717b4da7b0e3
SHA512 62ba8ecc9b442e110bf32757d2191666a72afdd69f3374dc4fc629552f2711b9c9fdec60f3fd98d40a4da550ab47fbcfd239b2c2c8f070d1ac29c28f71d7d593

memory/1404-12-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\AppVClient.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\FXSSVC.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

C:\Program Files\dotnet\dotnet.exe

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

C:\Program Files\Java\jdk-1.8\bin\javap.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\7zFM.exe
