Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wefthswanl
Target 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk
SHA256 c5ef08d5fc89462935e0ac93af3b15b7af5085bd89e2cf4b8fc5cb2f7dac9048
Tags spyware, stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 c5ef08d5fc89462935e0ac93af3b15b7af5085bd89e2cf4b8fc5cb2f7dac9048

Threat Level: Shows suspicious behavior

The file 2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk was classified as showing suspicious behavior. Two caveats apply when reading the signatures below. First, the Windows 7 run (behavioral1) produced no signatures, no network traffic and only memory dumps, so every detailed indicator comes from the Windows 10 run (behavioral2). Second, in that run the sample process itself is recorded only once, opening C:\Windows\System32\alg.exe for modification; the remaining file and registry activity is attributed to Windows service binaries (alg.exe, msdtc.exe, SensorDataService.exe, spectrum.exe, TieringEngineService.exe, SearchProtocolHost.exe, SearchIndexer.exe, fxssvc.exe) and to Chrome's elevation_service.exe, several of which are themselves listed as files opened for modification earlier in the same run.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe"

Network

N/A

Files

memory/2060-0-0x0000000001BF0000-0x0000000001C50000-memory.dmp

memory/2060-13-0x0000000001BF0000-0x0000000001C50000-memory.dmp

memory/2060-14-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2060-9-0x0000000001BF0000-0x0000000001C50000-memory.dmp

memory/2060-8-0x0000000140000000-0x0000000140237000-memory.dmp
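The dump names above encode the PID, a capture sequence number and the start and end of the dumped region. The following is an added helper, not part of the sandbox report or its tooling, that parses those names, groups repeated captures of the same region and sizes each region; the name layout (memory/<pid>-<seq>-<start>-<end>-memory.dmp) is inferred from the five names listed and is an assumption, as is the note that 0x140000000 is the MSVC default ImageBase for 64-bit executables.

```python
import re
from collections import defaultdict

# Constructed sample: the five dump names listed for behavioral1 above.
DUMP_NAMES = [
    "memory/2060-0-0x0000000001BF0000-0x0000000001C50000-memory.dmp",
    "memory/2060-13-0x0000000001BF0000-0x0000000001C50000-memory.dmp",
    "memory/2060-14-0x0000000140000000-0x0000000140237000-memory.dmp",
    "memory/2060-9-0x0000000001BF0000-0x0000000001C50000-memory.dmp",
    "memory/2060-8-0x0000000140000000-0x0000000140237000-memory.dmp",
]

# Assumed layout, inferred from the names above:
# memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)

# MSVC default ImageBase for 64-bit EXEs; a region starting here is usually the main image.
X64_DEFAULT_IMAGE_BASE = 0x140000000


def parse_dump(name):
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions(names):
    """Group dumps by (pid, start, end): one entry per distinct region with the
    sequence numbers at which it was captured, in capture order."""
    grouped = defaultdict(list)
    for d in map(parse_dump, names):
        grouped[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return {k: sorted(v) for k, v in grouped.items()}


def describe(names):
    """One record per region: where it is, how big it is, how often it was dumped,
    and whether it sits at the default x64 ImageBase."""
    out = []
    for (pid, start, end), seqs in sorted(regions(names).items()):
        if start == X64_DEFAULT_IMAGE_BASE:
            note = "at the default x64 ImageBase: most likely the main image"
        else:
            note = "not at an image base: inspect manually (heap, private allocation)"
        out.append({"pid": pid, "start": start, "size": end - start, "captures": seqs, "note": note})
    return out


if __name__ == "__main__":
    for r in describe(DUMP_NAMES):
        print(f"pid {r['pid']} 0x{r['start']:X} size 0x{r['size']:X} "
              f"captured at seq {r['captures']}: {r['note']}")
```

On these names the 0x140000000 region is 0x237000 bytes and was dumped twice (sequence 8 and 14); the 0x1BF0000 region is 0x60000 bytes and was dumped three times (0, 9, 13).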

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:49

Reported

2024-06-11 17:52

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ca484935e703f493.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
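The three file tables above are flattened rows of "Description Indicator Process Target" in which both Indicator and Process are Windows paths that may contain spaces, so they are awkward to pivot on by eye. The following is an added triage script, not part of the sandbox report or its tooling, that parses such rows, counts per process how many executables under C:\Windows and C:\Program Files it opened for modification, lists the non-executable paths it touched (the ca484935e703f493.bin drop, the MSDTC logs), and reports binaries that appear first as an Indicator and later as a Process, which is where the chain of activity continues in this report. The sample rows are copied from the tables above; the protected-directory list, the "Target is a single token" assumption and the modified-then-acting heuristic are mine.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: eight rows copied from the behavioral2 signature
# tables above, in the report's flattened "Description Indicator Process Target"
# layout. Real input would be the full tables pasted into a file.
SAMPLE_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ca484935e703f493.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
"""

# Indicator and Process are absolute Windows paths that may contain spaces
# ("Program Files"), so split on the " X:\" boundaries rather than on whitespace.
# Target is assumed to be a single token (it is "N/A" throughout this report).
ROW_RE = re.compile(
    r"^(?P<desc>.+?) (?P<indicator>[A-Za-z]:\\.+?) (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$"
)

# Assumed list of directories that ordinary user code should not be writing into.
PROTECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXT = (".exe", ".dll", ".sys")


def parse_rows(text):
    """Parse flattened signature rows into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_protected_executable(path):
    """True for an executable image under a directory normal user code cannot write."""
    p = path.lower()
    return p.startswith(PROTECTED_DIRS) and p.endswith(EXEC_EXT)


def basename(path):
    return PureWindowsPath(path).name.lower()


def summarize(text):
    """Per process: how many protected executables it opened for modification,
    plus every non-executable path it touched (dropped payloads, logs)."""
    summary = defaultdict(lambda: {"exe_targets": 0, "other_targets": []})
    for r in parse_rows(text):
        entry = summary[basename(r["process"])]
        if is_protected_executable(r["indicator"]):
            entry["exe_targets"] += 1
        else:
            entry["other_targets"].append(r["indicator"])
    return dict(summary)


def modified_then_acting(text):
    """Binaries that appear first as an Indicator (opened for modification) and
    later as a Process: the pivot that shows where the activity chain continues."""
    rows = parse_rows(text)
    modified = {basename(r["indicator"]) for r in rows if is_protected_executable(r["indicator"])}
    acting = {basename(r["process"]) for r in rows}
    return sorted(modified & acting)


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_ROWS).items():
        print(f"{proc}: {info['exe_targets']} protected executables, other={info['other_targets']}")
    print("modified, then seen acting:", modified_then_acting(SAMPLE_ROWS))
```

On the sample rows the sample process touches one protected executable (alg.exe), alg.exe then touches firefox.exe and drops ca484935e703f493.bin under the SYSTEM profile, and alg.exe and msdtc.exe are the binaries that were opened for modification and later act on their own. Paste the full tables in place of the sample to get the complete picture.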

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
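Two things about the "Checks SCSI registry key(s)" and "Checks processor information in registry" tables above are worth pulling out. The device instance paths expose the sandbox hardware (Ven_QEMU / Prod_QEMU_DVD-ROM, Ven_Msft / Prod_Virtual_DVD-ROM), which is exactly what an anti-VM check reads. And the processes doing the reading are SensorDataService.exe, spectrum.exe and TieringEngineService.exe, all three of which appear earlier in this run as files opened for modification by elevation_service.exe; the report does not establish whether these reads are native service behaviour or a consequence of that modification. The following is an added script, not part of the sandbox report or its tooling, that parses these rows, reconstructs each SCSI device (class, vendor, product, instance, which processes touched it, whether FriendlyName was read) and flags the ones whose vendor/product strings betray a hypervisor; the sample rows are copied from the tables above, and the VM marker list and the SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance> layout are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: seven rows copied from the "Checks SCSI registry key(s)" and
# "Checks processor information in registry" tables above, in the report's
# flattened "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
"""

# Registry keys in these tables contain no spaces, so the key is the first
# whitespace-free token after the description; Target is assumed to be one token.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried) (?P<key>\\Registry\\\S+) "
    r"(?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$",
    re.IGNORECASE,
)

# Assumed device instance path layout: SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance>
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^\\]+)\\(?P<instance>[^\\]+)",
    re.IGNORECASE,
)

# Vendor/product substrings that betray a hypervisor or a synthetic device.
# Assumed list for illustration; extend it with what your own sandboxes expose.
VM_MARKERS = ("qemu", "vbox", "vmware", "xen", "virtual")


def parse_devices(text):
    """One record per distinct SCSI device instance, with the processes that touched it."""
    devices = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = DEVICE_RE.search(m["key"])
        if not d:
            continue  # not an Enum\SCSI key (e.g. the CentralProcessor rows)
        dev_id = f"{d['cls']}&Ven_{d['vendor']}&Prod_{d['product']}\\{d['instance']}"
        rec = devices.setdefault(dev_id, {
            "class": d["cls"], "vendor": d["vendor"], "product": d["product"],
            "processes": set(), "friendly_name_read": False,
        })
        rec["processes"].add(PureWindowsPath(m["process"]).name.lower())
        if m["key"].lower().endswith("\\friendlyname"):
            rec["friendly_name_read"] = True
    return devices


def vm_markers(rec):
    """Which marker substrings occur in the device's vendor/product strings."""
    text = f"{rec['vendor']} {rec['product']}".lower()
    return [mk for mk in VM_MARKERS if mk in text]


def vm_exposed_devices(text):
    """Device IDs an anti-VM check would recognise from vendor/product strings alone."""
    return sorted(dev for dev, rec in parse_devices(text).items() if vm_markers(rec))


def fingerprint_reads(text):
    """Count hardware-fingerprint reads per (process, category): who read SCSI
    device properties and who read the CPU description keys."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = m["key"].lower()
        if "\\enum\\scsi\\" in key:
            cat = "scsi"
        elif "\\centralprocessor\\" in key:
            cat = "cpu"
        else:
            continue
        counts[(PureWindowsPath(m["process"]).name.lower(), cat)] += 1
    return counts


if __name__ == "__main__":
    for dev, rec in parse_devices(SAMPLE_ROWS).items():
        print(dev, sorted(rec["processes"]), "markers:", vm_markers(rec))
    print("reads:", dict(fingerprint_reads(SAMPLE_ROWS)))
```

On the sample rows the QEMU DVD-ROM and the Msft Virtual DVD-ROM are flagged, the Ven_DADY disk is not, and the reads split into SensorDataService.exe and spectrum.exe on SCSI keys and TieringEngineService.exe on the CPU keys. Whether those service binaries are running their own code when they do this is the question the report leaves open.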

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000474369f827bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074a90ef827bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030630bf927bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077b69df827bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033709af927bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4e066f827bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 (unresolved privilege LUID; 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_3cb0788348d846a3078625d3563e82d1_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
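The process list above is mostly Windows and third-party service binaries (alg.exe, the Chrome and Edge elevation services, the Mozilla maintenance service, OSE.EXE, msdtc.exe and so on) started after the sample ran, and the Files section below records a dropped copy, with hashes, for several of those same paths. The triage question on a suspect host is therefore whether the binaries at those paths are still the originals or the dropped copies. The script below is an added example, not part of the sandbox report or of any tool it names: it parses the report's own Files listing (the embedded excerpt is copied verbatim from the Files section, trimmed to a few entries) into a path-to-hash map, then hashes the same paths on the host and labels each one MATCH (bytes identical to the dropped file), DIFFERENT (some other build, normally the original signed one, which should still be signature-checked) or MISSING. Path comparison is case-sensitive here only because the example is self-contained; on a real Windows host the report's `c:\...` and `C:\...` spellings refer to the same file.

```python
"""Host triage against the sandbox report's Files section (added example).

parse_files_section() turns the report's "path / MD5 / SHA1 / SHA256 / SHA512"
blocks into a dict; check_paths() hashes the same paths on the host under
investigation and compares them with the dropped files' SHA-256 values.
"""
import hashlib
import re
from pathlib import Path

# Verbatim excerpt of the report's Files section (a constructed subset; the
# memory/... lines are memory-dump entries and are not files on disk).
FILES_EXCERPT = r"""
memory/1044-14-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 b64ce2407a5c1a4d3ce3e4a3864f2d65
SHA1 f06a8e5203868d3d8d166d58ec380d1ce5109c87
SHA256 9e0927530bd66a323ec9f0f94824edf5108db7cab3f635b78974cab51b4bb066
SHA512 fc2b6a66dc48c3c4c7f583330dafd0ca39e2e4939534062bf7d09e026e591acb173fc5165cfe802be75315b038cb97a28ed395f8bb7a12ce77b2f1d49655e2b5

memory/4616-44-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 9a9ab3dd6c00f9db589b8f958b0f3f07
SHA1 2f412563d84ea3de3cd97d8fe3a94012dbbaebf7
SHA256 e45f507ac18d023e4de30510a5f11fef7f65bc11279bd603ce2ad259dc404050
SHA512 db740a735d3550f173a61e28ae0ca4bd5af74c69f7903a4595c9d739c105eed6e5617591fda357f23755c95901e198b2c015dccec2f929dd9d913e414f7f03ae

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 5639d2e9e91e3685086342f9c9c069b8
SHA1 e7b8161d217b67300b5aa2aa176fd8e6f3e5006f
SHA256 7969f50a8ae8d19b3777ed5c0be565ec7902f057d50bdbca03256d48ffffad9a
SHA512 4635e19ad0e0c8a6ed9f7c9b578a5256095d9a1389f97b51e5a2c3045d0b436bc6d4a2c67386580adaa5c07a1118978b08b465157c8f47743d803057b5d07526

C:\Windows\System32\alg.exe

MD5 6d0719e0245edb9c90b0a94e1de5c39e
SHA1 b676107994ec10c3a7887e9a2558578509ab2f16
SHA256 1d1289abddd3b855d4b95507f3b9d5baec4616a64cf3af2ea3678a34c9db0836
SHA512 7ae60c6d16ea86d7da9bf18c4c9d0d2e2238fb906f2e28e75efa79db342c1aea88de4d193fb2fabc2cf6dd367e87f2e2b5058bf51d04dda5d0c20ef6ee8fd9ea

memory/1044-8-0x0000000140000000-0x0000000140237000-memory.dmp
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return {path: {"MD5": ..., "SHA1": ..., "SHA256": ..., "SHA512": ...}}.

    A non-empty line that is neither a hash line nor a memory-dump entry
    starts a new file block; hash lines attach to the most recent file.
    """
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                files.setdefault(current, {})[m.group(1)] = m.group(2).lower()
            continue
        # memory dumps are not files on disk; they end the current block
        current = None if line.startswith("memory/") else line
    return files


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 of a file (service binaries can be several MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_paths(files, exists=lambda p: Path(p).is_file(), hash_fn=sha256_file):
    """Compare each reported path on this host with the report's SHA-256.

    MATCH     -> the host carries the dropped copy
    DIFFERENT -> another build is installed (verify its signature separately)
    MISSING   -> path not present
    `exists` and `hash_fn` are injectable so the logic can be tested offline.
    """
    verdicts = {}
    for path, hashes in files.items():
        if not exists(path):
            verdicts[path] = "MISSING"
        elif hash_fn(path) == hashes["SHA256"].lower():
            verdicts[path] = "MATCH"
        else:
            verdicts[path] = "DIFFERENT"
    return verdicts


def matched_paths(verdicts):
    """Paths whose on-disk bytes equal the dropped file: the confirmed IOCs."""
    return sorted(p for p, v in verdicts.items() if v == "MATCH")


if __name__ == "__main__":
    for path, verdict in check_paths(parse_files_section(FILES_EXCERPT)).items():
        print(f"{verdict:9} {path}")
```

Run it on the suspect host with the full Files section pasted into FILES_EXCERPT; a DIFFERENT verdict is not a clean bill of health on its own, since the original binary may simply have been restored or updated, so follow it with an Authenticode check of the file.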

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 44.208.124.139:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 44.208.124.139:80 htwqzczce.biz tcp
US 44.208.124.139:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 44.221.84.105:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 8.8.8.8:53 qvuhsaqa.biz udp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 apzzls.biz udp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 bzkysubds.biz udp
US 3.94.10.34:80 bzkysubds.biz tcp
US 8.8.8.8:53 ltpqsnu.biz udp
US 18.208.156.248:80 ltpqsnu.biz tcp
US 8.8.8.8:53 udp
US 44.213.104.86:80 tcp
US 8.8.8.8:53 udp
US 3.94.10.34:80 tcp
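The network table above is long because the sample cycles through dozens of short, all-letter .biz names, most of which resolve to a handful of cloud-hosted servers, and the sandbox resolver's reverse (in-addr.arpa) lookups of those servers are interleaved with the real traffic. The script below is an added example, not part of the report or of the sandbox: it parses rows in the table's "Country Destination Domain Proto" layout (the embedded sample is a verbatim subset of the rows above, including the trailing rows with no domain), separates forward DNS lookups, PTR lookups and TCP connections, groups contacted domains by server address, and lists names that were looked up but never connected to. The output is the IOC view a responder actually wants: domains to block, server IPs to hunt for, and the PTR noise set aside.

```python
"""IOC extraction from the sandbox report's Network table (added example).

parse_rows() reads the tabular text, classify() buckets it, and iocs()
produces block-list and hunt-list material from it.
"""
import re
from collections import defaultdict

# Verbatim subset of the report's Network table (constructed sample input).
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 udp
US 44.213.104.86:80 tcp
"""

# country, ip:port, optional domain, protocol
ROW = re.compile(r"^([A-Z]{2})\s+([\d.]+):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")


def parse_rows(text):
    """Yield one dict per data row; the header and unparseable lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        yield {"country": country, "ip": ip, "port": int(port),
               "domain": domain, "proto": proto}


def classify(rows):
    """Bucket rows into forward DNS, PTR lookups and TCP connections."""
    out = {"dns": set(), "ptr": set(),
           "tcp": defaultdict(set),      # (ip, port) -> domains seen for it
           "tcp_nodomain": set()}        # (ip, port) with no name recorded
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"] is None:
                continue                  # query name not recorded in the table
            bucket = "ptr" if r["domain"].endswith(".in-addr.arpa") else "dns"
            out[bucket].add(r["domain"])
        elif r["proto"] == "tcp":
            if r["domain"] is None:
                out["tcp_nodomain"].add((r["ip"], r["port"]))
            else:
                out["tcp"][(r["ip"], r["port"])].add(r["domain"])
    return out


def ptr_to_ip(name):
    """'177.188.244.54.in-addr.arpa' -> '54.244.188.177'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def iocs(text):
    """Block-list domains, contacted IPs, domains per server, and leftovers."""
    c = classify(parse_rows(text))
    contacted = {ip for ip, _ in c["tcp"]} | {ip for ip, _ in c["tcp_nodomain"]}
    connected_names = {d for names in c["tcp"].values() for d in names}
    return {
        "domains": sorted(c["dns"]),
        "ips": sorted(contacted, key=_ip_key),
        "hosts_by_ip": {f"{ip}:{port}": sorted(names)
                        for (ip, port), names in sorted(c["tcp"].items())},
        # looked up, but no TCP connection recorded for the name
        "unresolved": sorted(c["dns"] - connected_names),
        # reverse lookups of already-known servers: not actionable on their own
        "ptr_targets": sorted(map(ptr_to_ip, c["ptr"])),
    }


if __name__ == "__main__":
    for key, value in iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Feed the whole table to `iocs()` to get the full lists; `hosts_by_ip` is the part worth reading by hand, because a server that fronts many of the throwaway names is a better hunt indicator than any single name.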

Files

memory/1044-0-0x0000000002090000-0x00000000020F0000-memory.dmp

memory/1044-9-0x0000000002090000-0x00000000020F0000-memory.dmp

memory/1044-12-0x0000000002090000-0x00000000020F0000-memory.dmp

memory/1044-14-0x0000000140000000-0x0000000140237000-memory.dmp

memory/832-16-0x0000000000700000-0x0000000000760000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 b64ce2407a5c1a4d3ce3e4a3864f2d65
SHA1 f06a8e5203868d3d8d166d58ec380d1ce5109c87
SHA256 9e0927530bd66a323ec9f0f94824edf5108db7cab3f635b78974cab51b4bb066
SHA512 fc2b6a66dc48c3c4c7f583330dafd0ca39e2e4939534062bf7d09e026e591acb173fc5165cfe802be75315b038cb97a28ed395f8bb7a12ce77b2f1d49655e2b5

memory/4616-44-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/1816-54-0x0000000001AA0000-0x0000000001B00000-memory.dmp

memory/1816-58-0x0000000001AA0000-0x0000000001B00000-memory.dmp

memory/4864-68-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/4864-62-0x00000000004F0000-0x0000000000550000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 9a9ab3dd6c00f9db589b8f958b0f3f07
SHA1 2f412563d84ea3de3cd97d8fe3a94012dbbaebf7
SHA256 e45f507ac18d023e4de30510a5f11fef7f65bc11279bd603ce2ad259dc404050
SHA512 db740a735d3550f173a61e28ae0ca4bd5af74c69f7903a4595c9d739c105eed6e5617591fda357f23755c95901e198b2c015dccec2f929dd9d913e414f7f03ae

memory/1816-60-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1816-48-0x0000000001AA0000-0x0000000001B00000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 5639d2e9e91e3685086342f9c9c069b8
SHA1 e7b8161d217b67300b5aa2aa176fd8e6f3e5006f
SHA256 7969f50a8ae8d19b3777ed5c0be565ec7902f057d50bdbca03256d48ffffad9a
SHA512 4635e19ad0e0c8a6ed9f7c9b578a5256095d9a1389f97b51e5a2c3045d0b436bc6d4a2c67386580adaa5c07a1118978b08b465157c8f47743d803057b5d07526

memory/4616-38-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 f20004afd0bfdebb73ce5f0ce26ff595
SHA1 811dfa41316f03e5fa5c7dc743832a9a1da7a000
SHA256 3125d669a60a7660a89ba58cf89cbef4941cf2738aeca2f4b1766292e670d563
SHA512 fef9420823cfb406724fefd23028300f75b2126cb60c257baaa24aba24cd46e3c30409ef13da95fc49bcdf4d6fbc3edeab11803483c7b0bfeafbae5a85d1db48

memory/1212-34-0x0000000000CA0000-0x0000000000D00000-memory.dmp

memory/1212-28-0x0000000000CA0000-0x0000000000D00000-memory.dmp

memory/832-25-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/4864-120-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4616-119-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1212-117-0x0000000140000000-0x000000014024B000-memory.dmp

memory/832-22-0x0000000000700000-0x0000000000760000-memory.dmp

C:\Windows\System32\alg.exe

MD5 6d0719e0245edb9c90b0a94e1de5c39e
SHA1 b676107994ec10c3a7887e9a2558578509ab2f16
SHA256 1d1289abddd3b855d4b95507f3b9d5baec4616a64cf3af2ea3678a34c9db0836
SHA512 7ae60c6d16ea86d7da9bf18c4c9d0d2e2238fb906f2e28e75efa79db342c1aea88de4d193fb2fabc2cf6dd367e87f2e2b5058bf51d04dda5d0c20ef6ee8fd9ea

memory/1044-8-0x0000000140000000-0x0000000140237000-memory.dmp

memory/832-233-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1212-234-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4616-235-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 907ad9ef3f96b42a6b02c2b8fcefba1f
SHA1 6ab566b63e274150018755371813e4da9f4a0bcb
SHA256 fb8e611d5fed3d617088aacd6244141d40152c366d027064d6fb0377c92290d8
SHA512 792dbda0bb1a83f6a5120978437b72d4e77565d14bcc67bb1e429429d58212a7a80e0e864e99429772c36c12779a7ad5a773d3d7061a5726d5c877d40c0b393e

memory/3680-240-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/3680-241-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/3680-247-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 a0ec3db837298e6b3e8a5db0b5f1a54e
SHA1 c5ccc4ba75ad3c13c2ad24215c45f96c4a09cf09
SHA256 e13733515cd700856bb13cfe788a7aaeef04826c5d5db881448e79325be0941a
SHA512 22405f495723d727eb83ba56c775e2938e7ab8aee73fe1287711e71905ff80b1c77017b74c5c6007095e92bbf8ade61cd1be482b9e57f597ee0d77810290d0a1

memory/2196-251-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2196-252-0x0000000000A10000-0x0000000000A70000-memory.dmp

memory/2196-264-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 41591efa9a44495e31776f28b6c561d4
SHA1 00e24911e796da899b665f80569b5b7f56cdaa72
SHA256 856943df45a848753069b3098e307b66912bd62a0fb127a23860ef41d345e58b
SHA512 6d6aff9c3c2e5295d7b5c8d1469da2822e0fd6d04b97b8c9bb732ae874cff02292144503a611eb79dc7786e5b7267b13935d78214529e5d6c82ec26205cb9dba

memory/3068-266-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 1d182e8e61aa365fcc2bb869c6c683b3
SHA1 ee945d380462342c0519cf9da2bfb5ca4b8691b1
SHA256 c1ac7a17c40ddd6be47e510125ec22ebb4a1fffa2d10111d4b285d8581a161c1
SHA512 8f8454dd0f5f93a2f546535d1aa9419a498232e6ea286962f6d7535e400af37440039a7c6ad981d024567459fc72f624e958c0c12a4756e63b4f5b40ead90bb8

memory/3972-278-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 8ed36de79893aada82792046d7c89fab
SHA1 3eb6d9d75930e705546ef8e6dfeb715f822f9353
SHA256 339cb8b43a3a630aee59a329b21771f1c80615f29c1b8b8f6bcdb45437de8e45
SHA512 de34928eb427024087896bba417e1966f1ff5a73e3d8a69a7346f5a557508ecb95b1da243af48a099f60caad65cb3b9a14e6354db273b0e112d9433b3dbed597

memory/1204-292-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 421ea08a9c5d04565e10a7c3fb1e83dc
SHA1 2ca5964ebf6e49da218eed55bb725df05525187a
SHA256 f49b4f369a28dd7232f8a55ca60a229d35bc015baf4d37c741c151a6676ff5ba
SHA512 b7f53e943fbcc843c424558467f672fdb2becfc3e68afda99529c2daa51e714b40ca6915f1492d34b56e9b55e923b9d0a75618625a571b78d5bde51456b984ee

memory/4820-302-0x0000000140000000-0x0000000140095000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 3519e164b0b03cadaf3def48faa5e0f0
SHA1 beb0054d4074af8fa1c038eb657eecd7e83bdc5a
SHA256 9b72d83c411ad3ca9a11edcf4d7b8894d1d2a541c764be0cb2b080eae2a69353
SHA512 53f8657d70f991b37ffaf9c81c74ec83f7cf5c14e3901608eeffa70ff45f5cb6b4094d5438ea62b4f795c626e093326fb9968dbdcee40fb55d514e8a7af58e80

memory/2080-321-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 ca0ef0c5b17b5cfc9b3b70b83d653d6d
SHA1 e545ab46509f476fbcc1012a4163897348a48d7e
SHA256 8f32ef0601a186363d5575231ebca05559731002696cf78b9f341930270cb400
SHA512 aac7d59c8cddb74d7b16cd60afc3bbebb9288e71c0e50b98200cae57a4fbb7d1e3629cf76b5f7d40e8b68eb9a573efdd2147bd08bfd0d761faa25d989255a566

memory/2044-325-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 0cb8bb7d54014bece73995e78d93750c
SHA1 19c30d39077443eea01a80d2a778428cc5d62009
SHA256 ada417707676dccf2fe1566ffaa8ddd64b43e5791b9d8ec8cf3fb983b1c92a15
SHA512 93c6a6eb0f0c9abe384c365259479d8fea9aa4ade62059b139ec0e1ffe217197640586853f67dea16915309f4e9cf11f3e74a72d6c63b291f3cac7ec75831580

memory/776-336-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 8b2aa38752232ccdd6bb8552dfefd91a
SHA1 30abb183e11f3306fef73e0259c61bafa6a9f4ff
SHA256 b3ab911e860b6700fe2fbafc31d12062fa83a61bd405b1a7c50256860e22f56e
SHA512 8d84c9216158f7a3eb984066baf39d86d9cdaaf782ed3241379383b5149d3ca680bbebf7c74bdbfc39872cdbcf617d0463fb5f0a45d0f290a1d5ed45d6e7cdb9

memory/3592-347-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 1b16eb6534b2a7df7f3156eeb4ddce3a
SHA1 3377bae43a78353db9e3ce596ced5d845858cb95
SHA256 8e7b098d9b07e5ef7e37e2dc577910d1efa662588c62f8836921779f291b52b2
SHA512 ddb1ea0f5d8c91ed7c130b2db4da99a2be19b9eb52b0664874f86f71a62b5019a6fb3aea7f678335425ba7ca92a341cfcb32af4638c21cf6ad5c0030e995d5ea

memory/5032-360-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3680-359-0x0000000140000000-0x00000001400A9000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 63bfee43c6c4c3dc091c930a5ebd7c68
SHA1 277a726208575cf6c114521cc1bec90be6272315
SHA256 df3eba15cb78fd1fbf8681a60345608c7caf370d2b23e5ab4851d3dbb3123dca
SHA512 1db7b0610c8a02086cd879688e3de614435199c93f8c68c3f30d239ef048fc14cbae8f0693cc089a5f94afd6a3b31cd5601ead6664b5a29299c0d3c3915a5df1

memory/4764-377-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4764-383-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 7bb452ca7802e06d605135b98a69ee34
SHA1 5e4f521914e2852bf8bde06fe8db35cc8c1f9254
SHA256 8438e7a46fd952e8fbdee96f760daa170dfcf0a52071737d71e498764a74a1d6
SHA512 0f32eca506db85e36d1bea5244a0b32ca2657caec75439176c3a984b1bb8e18c8efaeef9fc21fbff5e6af583a16aeb58a7fd5aff4eb933dbe004e1e701048582

memory/3068-385-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/64-386-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 d1b424268f9ae398375e16454140d31d
SHA1 595cde8be43a8237b7e2b3a97f8c1e1f42c516ee
SHA256 44e3d9309a7671023a1bfda87c208ee58f7daf64a449e9a5182f2e0b865b88bd
SHA512 e87c446952b1b091cd65d675c8e44f483870428c262240ef32c8b572c0a58461a682ff6a8c7e415e2d4b9bc9a4ca2f9a95e823088a77a33e919cada138cafb2d

memory/3420-398-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3972-397-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 5a2d48c56824f11de2025700cd445174
SHA1 4a24b100bd9c6ab9db620830546ad8a9ea6d5951
SHA256 310112b488b699f693787556424c0ef9c314496343746d118e7c24803042a2b3
SHA512 db6c4652d947a25c9da190dc51be835bbbfc2a56424b78ad2d62a81ef8dd163fcd8eefee5fe704d2e2e27283ad24315ec623cb7aa4ac4e932074e95ee9e55d8e

memory/1204-409-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2004-410-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 c2ea6ff745a6b2108d42a3f4ec89e7f5
SHA1 997691d4e06dcadc6334360d2732fe279c0fbd67
SHA256 61cb2bfadc6dc9a4720a92fb75d19d8dfebd91465e8eeded6a163f35148fa34b
SHA512 8c808b8fe839036c6bb418d0518636b6ae334bb5342a4e14f9ab5895831226f669f1b278db0bcd63fa2745dad1e50ab944cd85f5b1f059a6ca8c6c4ee25f8c3c

memory/4820-421-0x0000000140000000-0x0000000140095000-memory.dmp

memory/1316-422-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 7e414fe323c3f5e164dd9e755224a42c
SHA1 e12e1e0fb4e6715b32287f7ea1d1b825e3766907
SHA256 feaa07d92a0bff269345bc954b0c755ef0ab8c201dba74ecb4e8d82bf9f199e7
SHA512 6c4b72a4649cc7893b62f9a0514fcfe563af8316de2601ba608ad129bab510a27a8912ce579b15c13024cdd76e3ae07da2794c9cfec693bbc0ca827df990fa5f

memory/1804-443-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2080-442-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 408b34fb94408fb99305e6304bb8117b
SHA1 586514a70812e4ccf86eaf8371c5779fb3eaf890
SHA256 6b0ac606095bf0d799c32c9af01cc48738ea12616c0f92b47826e3e8e35f1f66
SHA512 ab95b34a0bc7d235e5d81fb102189ac4f164ed41e8ac8f8924b23ddd330e00c2aa54946cce814456e499da237c6f2010ed12daa52a428c447c34964f73e16d0d

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 e0ff346632cfe45cef2448c33075a5e3
SHA1 37a69d4f3a86145dcae98a598301a646f6a0c51b
SHA256 24468406353955da427eea8b690d29e2eb53752d29f86a1df8097d8cabbc358a
SHA512 25399be80ee47e21ed50f2186679fd966698e80e1cdde679120fc569f5005e9d00d429f54613feef80459207829adb0708bee3d29f7b300a6865b8f712737f9f

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 a36921a485f81f05e6b8f5c303fd13f0
SHA1 31770a8300e628dc0be733608d39bffcd6528b96
SHA256 b0d80bb68d17b75613133dbed30ab6ab0b9f4a19402bf7754a5ae2b74ea6262d
SHA512 a673d5df31848a8d21faeb1b0d75cb017e4eae5802b1d2e796fac2353e10526432148fb388257a67f8ead5dbb3681928cd16abbe6194b0ed3c739362f887daef

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 721cd31796feb34920f27e2ce5ed432f
SHA1 b7418e0fea19e353e4644802b0f66dacf4a93895
SHA256 a2714f45548b456d93e5a1e3606a806e866bea9ff573bf07c7ef636dda243701
SHA512 82b27857ca04b5afcfd695cf419b8b269dd4dd5436f9cdbab11ae178052ff20df2d378b7b7f6adc4fb1107b1486803a62e47915e81035973b2159c95f7937e9d

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 5533b4b71b1a437586f92bc2b95107b4
SHA1 5091a3e624573f57beadd3f7ef28efbfb76bdf40
SHA256 7768aeb4f4edd6d2de76e1cfd8efcb066e4751d0d8e9e342f367b88c3b5c778e
SHA512 361a3eb2f07e7b4296606cb29bc0c1e7e9459de21c697cedcbd46ffc5cf38e5c87e3d507e924a4ff9881354c70ac1aafadcc3d22f3e400e828ae188470902f66

C:\Program Files\dotnet\dotnet.exe

MD5 0cb5161f64f10836847a2ec911946ddf
SHA1 d212e110314432fa801bba2c96fe4acab8c384d0
SHA256 a8705943445da8d8729de98f1ade8e5264ad42e0129ad719970203ecb4870428
SHA512 5add3f62a63092bfc1eb443c7adb0eab284aedfcfeb5b8d4eec0f17f03c8e542c92e74b98053abb36b294649ffb347db0d8e6d5d93a125cda126b7e3468010c5

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 11658a2a9655a4dd7a5ca1e04f6fa182
SHA1 aa70fca2af43d6613199ef595386652a13488259
SHA256 11c370cccdf5caa1f7df84879451984a3ca7cdffd5d426dc941e7378a9eb5683
SHA512 672068887bd2821fc91ced156ff950eb5a3953fd8d99a8105db0c87491e70f0d3a3b545856ba9d044bb5db883f49069e79bbbcdf34d4c5780ac7f7bd0498afec

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 e83b075204fc92c46007de75859dcd4a
SHA1 3981a8b49fcdcdb36357aa2f09706d98eb27b1d8
SHA256 66e3e26e8228f9822fdafd2a583efa31183a79fb4f1bfd5b1b63737e9ed593b5
SHA512 086e15d3d1642fa9d827acef9268dbd37e5083bcf7e17e6dc1d8bcc6da026d456213d373aeeac801e1b8512743f3eb61cd6a4ae45a4dbd7461fecabe774edd0e

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 583813c4b623545bbf559552d258d698
SHA1 7013535309390f0d1d96f03a0c7637a2d9821ca5
SHA256 c119fa68c54ab75fb4e1a0d567b32607ec583180b1d032674ce92382ddd63c3c
SHA512 b781bc30c33a751e13579b5dcae5ea796fecd0711b13a5ec4444502db853917990eb46a32117f8293610ba0ad1bd010fef5ff8d795083982d4eb1137566b38dc

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 2f6cef672437198bd9a1a15e602eff90
SHA1 db1d31be4acb4470b39b1077dd81ff329c598ad5
SHA256 3f7e7994eedb23bd6ee4bb4a3d89bd5f6abe6341186f03b55c90006c51990e61
SHA512 ad4df42bc3b8cd1fac18a18542d756562a9c7a519b660bff1b662501195ec133ba6cb246c33f21a6325dba1795f5392504f81caa19c43760a959ded5f5d8b9cb

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 8c9cc17e7d94dc9811a3847e58c237a4
SHA1 f669523e466877ca233f55756bc88586f5bce3ba
SHA256 613ad1e2f041518092dfd0cfce7c288c5b51c6e5af0f7bafd49110c40a3c56fd
SHA512 3db3ae4127a906457f4dd37d79c1bf5e3d110049f8c47f5a86a4fe15bc10ea8f7a493e090402773a329349fe0c8d787dfbbec5e7a14971afa3f17ad1938735ec

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 d40a1a3f34ac528fe429fc1c301e9c80
SHA1 1cf0862e709fa72fe9595a6afac37592308af289
SHA256 3d7ec703b56f04d736a9a29ed7ea6039b95575c6ab15d26a71b7e783f835e981
SHA512 d6846d3073c2c5b4507d8562c20928535a49e5c18b34e71f04f07ced5b58465c25dc2916658295b79219da2c9e2c673ad884bbb1b8e073eb07eafd7c589768e0

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 51c92f9ca40678d4bea3120075b8aa60
SHA1 92c849b532ff87f3675d63059d899ad796fb7d60
SHA256 9c75ae82b42739ef4a1cf071e45690754315133ec8d5bd23035b39da03cdc888
SHA512 104f4b55628f89e5c9e2d0c6ce7ccb36c34b7bf4e8ab50099bdce4c9595e532ef9ff7105055f4a82941a4f20e0c274074de13e4f702b0fc75b68abf6d05bd452

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 7faee2e544fbdcb78849b8ad56652496
SHA1 478588df60744895485a8b19f592e265d3b4465f
SHA256 fb72943e9a043373a8d19436bfa8cb3475e42689c0c1485b66c0dc7e4ab0c510
SHA512 75a64a258cf3b2965dfeef9ffb476c8e83a9114b2e8ba8007e176401eb6041552f12f6a992bfc59067022d0dde6b04f1781da35185959b3c5a74fbf0e906e5af

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 67b55b7cc5fce7af0035f05c52f2d71d
SHA1 a93f0ee9c28372ee4ba9962035a30cbef1aa235e
SHA256 21e1af02dcfcf31cf6782b3f05a1ccef0394049cd40fc48dd66611a791e8de45
SHA512 baf774d6f14828968f0e64bfe0b5d1733a09368f42ed18fd9375edb5b88823c13c39e38aeac247e4a0e3e4a29c45503d16fc0c4997a3255871d106e0a8af3335

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 d4f8dc0509007b4145356afb9c0f6266
SHA1 0a9a50005b0238db2f8f633fdd9d6a675d0aae3d
SHA256 f854aeb47ed85d7d5866ac268e12ee198aca232993b027706e42637893541769
SHA512 ecc1939ea33f746071f61d78bd4d722624706e253c8e03f9e21593203349ccf53afc0967fd77f6df50eb2a080c21414b25d1ea724fd35c7ff782d45b3757b4dc

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 f98927de7aa8e24a9f210766c4c8b69a
SHA1 d58d7459cbabf9bc8515613d1552e02fe4e7eea3
SHA256 f614e3a003964a178d494bbe721a6e592d442014439dc847721a651133d13ad2
SHA512 9a32f540d09198b0edd224ed6e7cf5602bcde1868afd60124c014af3262791a5d16ff7230e34ae19c6b83128ee844913f2a66f95fd46f571e6641a7050b322f2

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 912ce783bfaf391d732ee599c87a6a83
SHA1 af9197105e7b6476ae324109c2c289b189a31794
SHA256 a6cafb8973230c7e7d3e8e99fde7d0937bde458b762a5902f60e5f19938fd532
SHA512 f9a7d62e8bc521b418bbf5d69ae77a4d2d1ce9a509fe0a416c714a58da28254991058c8246dfe89f6529712191d315352ffac90d7271f762492408f3d881f4be

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 f1c2abc7a19282addf8bb96481b8eea7
SHA1 7be27ade26be6c86628db68379ad73646971a387
SHA256 0dfb422cc5c92c896a8d5187949944611a986ab9d24bd3b2a75b61a9d6499582
SHA512 81ec118038f4c09efc3a2bd3c7bc7b5460199c0f2ce4047a36fc60fcf81bd67e0a1b3cb6b5d29e0cd3eabd49ab01b29e6f5aec74295e88a720be43196111766b

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 ebec70c3bc5f4d9b58fcfed701ac994b
SHA1 c87a875c4542b9f28273a3dd21b28512640bda21
SHA256 eacd4553b22d232bd0053e2b8e88a938c990cb8e1326d69107b3c23cbe12d04c
SHA512 b7f7d03abeba08e6ef802ddef28e74e20b0d44aa78b42a4b9ef3190776e128ba55ef95af4d7a4907f177517c336cf9ff4210249ee5cd56c46e194c6ea2d5f75e

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 c0e0f8672819a70dee4d7e690edbc28f
SHA1 e107fd77ad6b7439f0f0723f995e398fdf6620d1
SHA256 cf374f67441fba264df993b4375797c85cb4c3854de4dfdfbd08c4fce221dc3a
SHA512 8d2a8e324fa140e8312837fea06b3608168688e7b2f4b8fe3d6594b146109931556202ccedf3c4ca355975adac46e48d9623e4d3658347aeca6d81a1540ba8f1

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 dd9621f8eb9b89c41d48706c43e7f769
SHA1 6e060b9213efff61928b10f217ec456eb4c7a98d
SHA256 131d9aaff9610a831d19e3e497f5a300be7d634e6a3672ee6b76b5fb9cbe98ef
SHA512 ac00bc2b3d751c0446da622291df61589767ef7bc096e0961ebf17ce29433641d4fa9d0c5a3ae4751f05d3ee554216a84d732e01563943bafeba5e22dc8572c6

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 841ab19e53d49ee5715caf70cc9a264d
SHA1 e308531ce58a1ee82e0df99a4c875f7716fb5e06
SHA256 cd8cccc8b0c86ce4ab2fb340dd162c2f079c6ed0a990ebcfd8b807e95d0e0e62
SHA512 97e3ce715350da7eb1037ec111ddc55a3a188bdf7a0c49fd6693f5926e763ef0d8ffe7f1ee5d00e68e8cdee228d2d0bac8e851594f448ed65146c316e882fc42

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 ba71d6116cd73028f2c409eb09f26887
SHA1 b9b0cb91129e226766dd963c2d6423662323ccf3
SHA256 cf6c5d55f964ea39dbbce7c1c72caff62b588421d23dafa218309bc33f19df55
SHA512 209eaa1709df7b2ebeed8f9de95ff3b5ad0fa62111f7c21a26ef3bce75f78464c6bcd920a694c243b74a82b6b1f60aef4ddb4f60eaed9daec597c1147a5923de

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 357e6b4f59baa52187f29690394e0da1
SHA1 fb2a8697238ecc4547016d7721294137de361559
SHA256 eef677fcae9ed134ace84ac4f2a93eaa41892fcc849564b379a92ab7f7a79823
SHA512 81053994e8e9f7622e0d268af16bc8f55e74cc6d83c98b1797d7525925c6a4bb42745e508f2e956589c700a7f4e1bc85b4ce7bb8712dd33831c7bba2efcb125c

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 458f5ce2abde9e5c2bdb995fac1ff003
SHA1 532e2a6f02b7173123864247b9f90a0275ebac0c
SHA256 91d220e86fd36a5a7a17827fa1795adf225e7e19e45db7db11aa94b88dd3c922
SHA512 ba7f9e8980336d329c5285489c8c0eb920d759f0f17dc905afa9137ed9022932a7ee9c9bd7995de7ee1953f8731b89d1e20f123537f92723190ca6ceee2d9f7f

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 e774b251a406fa44a314432f311c238b
SHA1 87fe6ea12c9f1e2abaf6d2903dd4caf7e17e2aee
SHA256 3e75ddd0f2542ee5a70761013154658e9e89453628da98029dc0e3fcafcc397e
SHA512 4efd2493bcc13284313737a0ffd29f3953adde9d7896977c82190b55df659466d54a74a2e78e9127a299affef6ae827a5cecb58bc84a0180aaabe0e2116f7bd9

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 822d5a34cee54fc541e696399cc74488
SHA1 e4207db2e584b3f7b325a16625001a572c6ba476
SHA256 584bb86363530883a883b21c50b05386403deb6a304cebca61c6547649038284
SHA512 adceab2a3429db1d14be481ebfd1b4e954363a59c940b216c7f1ef7287d6229d225d1f735cc5d8ffeeec31b5e3c8b73a4b9cfdfbd2dece3054123af029f6189d

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 85d08ba9f51eef3f8a9ee6b1ffb9b012
SHA1 8cad8ae510756cf48d5f564aa60e9168aa871b79
SHA256 adcba53ee28200af52ac336f1b45214b6c4983a6dc9c9384ac8ec6f1a85ffc6e
SHA512 dd84ad35dfcc134467202bbb77464373db1a3dd139c4426707ef305d9870acdbe69adb64fff492243dbff142ea55d4093c8715ddf079ee8773f8111f49413437

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 6aab0d319634c60c586365324824758a
SHA1 87e1b975bb7696ee5c60d5a28addae794af5965b
SHA256 b381c2e3fc2b13afd56591c167216b4e48b422df92984ad2c4f65cadfa0eb2c7
SHA512 109b8a0ecbc96bb4b0e3875fe52b8c328f8e8c31d0d40f6c2f596d6531ca7e4a96573db0c1a8f18c3f4a6b5dc186694c54d901c2b9ac3b29ee2bb53df056e14a

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 70b45e4b7ca6d52539a74fa7d7c321b0
SHA1 6525293c9687a940016257d95012ecda304ca9fe
SHA256 ea0adf6adf861ce4af806d9ce6decc7bfc62d963556076dbbb3e133c133b8f99
SHA512 3d014871906aca013e467cb6e2a5a07e9c1f6bd7f6d4550005a984013eb2b583428b513745ce7a8829fe96e8f6574f4297532a961773b89a38a6a3927e973f0c

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 f0dd111bd4b20c7b2c812d4b92379c5f
SHA1 78131f3e5f921a7a39bbba7b5d53999708d3d6aa
SHA256 b98b32dadd914a10d28bf04bf19b0893407eb5c5d000bb746803b1b18a40b84c
SHA512 39545f383158db2ee20b21fa8884c68e3a52d32c46b7027b9cf946bd7fe375d340264016ef108ef7e057c64cc86cb609f3a9090f775c7f31adf6efa2b60ea8f1

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 62fde58b2eeae73482319efa3dbf2dff
SHA1 a475c64fa707431af246429d31277f3bd35bcef8
SHA256 6145fbd1e1493fab23eabc005de3c9214193dc39162c460a36f3c9c47b55d8b9
SHA512 6fe8ae5e7f384bbc7798cf4422b8d81cd0ae27ade81ecd1b99abc24d81bc3ab073469ea54a462bb36a1ce59ee458c81b4640b84a0e19d91ed4d622b99a4a62fb

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 b2b6fd930e1dadda75fe47a7ceee3aca
SHA1 1588eecb3af5fc3c09f14a8e7f113d3151c63745
SHA256 15896db6937752542a3c55340ef83ca87963bde5494a53da558fda671aea220b
SHA512 e13f0d66eecb6e53b07867b01fa4ab902f351b5926bbbc69b0eff6f7d10902d9d75b2c67c0eff67fe046aad7aeaf4d420f346e112d3e47c76355cf6f6af75e5c

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 f08762e4c8993263ce947e0e7f530d3b
SHA1 6de905a00f3ebf21e71eb24079a58ed185469e57
SHA256 bebe3971e9b2719c19cf6038e14046379e7a5140b97393e6b8fc083c1f894a30
SHA512 8d71bf45d0bdce83f6c73d6deacee2a2a91d535d319e0a84d720733882eecd0f5eda6c08c39cecc981fa0e1436846e882ba9439b04da4245519fae56bd23df8f

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 849d5671af8957c34d4a5ea4122f4883
SHA1 292df146f06af5cce4ac04abf902f105be5f664b
SHA256 f4a5481d7d5554ad4737297792f7a533986fe606a492613e13ec8d45f781fd15
SHA512 b7f1714544b0ec72d6f4fd9e8f2074f08ae666033f76f32d84dbd57a62eedb20f4b97c03a55718aa70dbcb1d779da4310dcfab58c35d43c5cd2d54aa494f1a9d

C:\Program Files\7-Zip\Uninstall.exe

MD5 a4fb89e7042c92d3e8c8e2db14da1da9
SHA1 ccc7f1fbb0a504e08694206ad84eeeb4c18e579b
SHA256 6fb87c86184bbbf0199914b4b4227c6051bfbf1795e14b637b286df739f18616
SHA512 1f8ef15f18031f39191007ad7afbe748f38ff6b40a14b0f4bdddcd7c53f48fea90fc69bba60345800fa4c2050048e9e388a39ea856e02cb679e8c64de27b8053

C:\Program Files\7-Zip\7zG.exe

MD5 277cff18dca9436a32e17e4fe8fbf95a
SHA1 4cf336058c16d947337e87b55203b598e14d8bf6
SHA256 25069294ba34919f3f08d4d0f9a413e4b36707dcce7de69877ded21e16caed71
SHA512 8514d134da4d8d9564bbd2cd1d5e830f19761ac75bf33c975eb6e71cdd2ef48450f081fa6c7ccccd8d37d958b40fa6e593a2ba0fe5593994b151f53a35ed0042

C:\Program Files\7-Zip\7zFM.exe

MD5 2b14af44dbe9bae35fdc36655252386a
SHA1 f11b10e46234e7d8c69cfc199b210669df4d9315
SHA256 e9e5774ec5995f8b6016d182bf5949d7e58257b642e78e3728892f08642f41fb
SHA512 af2bffff337b899d7efc9b3e4d50c531586d17056cf62171f61dab134f5a920f24694a131e5f309d628339b9cbbe5eeffa92350e1225c582eea56a8746781c62

C:\Program Files\7-Zip\7z.exe

MD5 1f91339cc4675c65a14001f1963fd729
SHA1 fcf34614721877b3c0d9d7a1ad9bb2a7ea424f5a
SHA256 226ecb87409a2095bf49be4414893c0de1c8f6d63c79be3711c8d736295289a8
SHA512 629ff6f049a65e0421231270418f1e574f11311274c39bbf3c40f235bcfa72a4d561ce1cf4c061ce37e1492cd5af63b8ef4c3f3f94e84bdd12a58c7c0a8987ff

memory/2044-552-0x0000000140000000-0x0000000140096000-memory.dmp

memory/2080-555-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/776-556-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3592-559-0x0000000140000000-0x0000000140102000-memory.dmp

memory/5032-560-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/64-563-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3420-564-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2004-565-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1316-566-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1804-568-0x0000000140000000-0x0000000140179000-memory.dmp
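The file and memory-dump entries above are useful as indicators only once they are in a machine-readable form. The following is an added example (not part of the report and not the sandbox's own code) that parses a listing in the shape shown above into structured records: each file path with its MD5/SHA1/SHA256/SHA512 digests, each `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` name as a dumped region with its size, and a coarse classification of where on disk each file lives. The entry layout (path line followed by four hash lines; region name encoding pid, sequence number, start and end address) is an assumption read off the listing, not documented on the page; the sample text is copied from the entries above. Digest lengths are checked so a truncated or mis-pasted hash is reported rather than silently kept.

```python
"""Parse a sandbox "Files" listing into file-hash and memory-region records.

Added example; not the report's or the sandbox vendor's code. Assumptions
(not stated on the page): a file entry is a path line followed by
"MD5 <hex>", "SHA1 <hex>", "SHA256 <hex>", "SHA512 <hex>" lines, and a
memory-dump entry is one line of the form
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp delimiting the dumped region.
"""
import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions, errors) for one listing in the assumed layout."""
    files, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None          # a dump line closes the preceding file entry
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} digest without a preceding path")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        current = FileEntry(path=line)   # any other non-empty line opens a new file entry
        files.append(current)
    return files, regions, errors


def location_class(path: str) -> str:
    """Coarse bucket for a Windows path: system32, windows, program_files or other."""
    p = path.lower()
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system32"
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\program files"):      # also matches "Program Files (x86)"
        return "program_files"
    return "other"


def sha256_index(files) -> dict:
    """Map SHA256 -> path, for lookups against a blocklist or known-good set."""
    return {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}


# Constructed sample: entries copied verbatim from the listing above.
SAMPLE = r"""
memory/3068-266-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 1d182e8e61aa365fcc2bb869c6c683b3
SHA1 ee945d380462342c0519cf9da2bfb5ca4b8691b1
SHA256 c1ac7a17c40ddd6be47e510125ec22ebb4a1fffa2d10111d4b285d8581a161c1
SHA512 8f8454dd0f5f93a2f546535d1aa9419a498232e6ea286962f6d7535e400af37440039a7c6ad981d024567459fc72f624e958c0c12a4756e63b4f5b40ead90bb8

memory/1204-292-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 1f91339cc4675c65a14001f1963fd729
SHA1 fcf34614721877b3c0d9d7a1ad9bb2a7ea424f5a
SHA256 226ecb87409a2095bf49be4414893c0de1c8f6d63c79be3711c8d736295289a8
SHA512 629ff6f049a65e0421231270418f1e574f11311274c39bbf3c40f235bcfa72a4d561ce1cf4c061ce37e1492cd5af63b8ef4c3f3f94e84bdd12a58c7c0a8987ff
"""

if __name__ == "__main__":
    files, regions, errors = parse_listing(SAMPLE)
    for f in files:
        print(location_class(f.path), f.path, f.hashes.get("SHA256"))
    for r in regions:
        print(f"pid {r.pid} region #{r.seq}: 0x{r.start:X}-0x{r.end:X} ({r.size} bytes)")
    for e in errors:
        print("warning:", e)
```

Feed the whole Files section to `parse_listing` to get every path/digest pair and every dumped region; `sha256_index` then gives the set to compare against a known-good hash inventory for the same paths, which is how a listing of overwritten System32 and Program Files executables is turned into something a responder can act on.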