Malware Analysis Report

2024-11-30 11:08

Sample ID 240612-3qkeeayhqk
Target 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk
SHA256 e45b27c0534307895b6d592770e5875a67631ea893a7c1a21b8aff793d060510
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e45b27c0534307895b6d592770e5875a67631ea893a7c1a21b8aff793d060510

Threat Level: Shows suspicious behavior

The file 2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:43

Reported

2024-06-12 23:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe"

Network

N/A

Files

memory/1652-0-0x0000000140000000-0x0000000140248000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:43

Reported

2024-06-12 23:45

Platform

win10v2004-20240226-en

Max time kernel

133s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\943927e2b3e2edcd.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020f5f69722bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000064aa89722bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8d4ae9522bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f61209722bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013f2349822bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adf6319622bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c469859622bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1e9839522bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ba7239622bdda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ed02c4fe7e1a4456ff766aa1eb79c248_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4788 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.208.124.139:80 przvgke.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 34.193.97.35:80 htwqzczce.biz tcp
US 34.193.97.35:80 htwqzczce.biz tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp

Files

memory/1620-9-0x00000000020D0000-0x0000000002130000-memory.dmp

memory/1620-6-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1620-0-0x00000000020D0000-0x0000000002130000-memory.dmp

C:\Windows\System32\alg.exe

MD5 bfe756653d8e37a7084c1e87a077687d
SHA1 a088c941435d9ac457d36df8570e6d355f5522a2
SHA256 5873e10028f482793d197d60f80f19f7a8c4ff5a92ac1c4d22faf69c59e74be4
SHA512 702a974942fa407da35e48f96ed198bae7b0b5ae9fbb993075f343d087735a0f368f6feb16020bec2a5393f71e049aa0bd34c57294a852e47928ef3c91eb756b

memory/1200-13-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1200-14-0x0000000000710000-0x0000000000770000-memory.dmp

memory/1200-22-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 10e62bbb7971bbe12ddad3aa01435b28
SHA1 7c6f2e8e5d9eb493e4b3cf705369b81aed7dbab6
SHA256 21daa66ff6b86b468d1bb5010bd731fb7dd00711bfff1d4a555632c18b115302
SHA512 3454fb400e6bbbcdc901f7a0156c389fc9ddc5ecd6f93a1ff27a71066976260093161d482f343e227832df738cc748bab3b853d5022dbad62485a16ca2669587

memory/1620-28-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3572-31-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 d51a60221607a2440e6f54dc8b1b6fdc
SHA1 4ec0af516edd63f6e849c10c1487314e5485f0d8
SHA256 1ff0ffd1eca19512f9daa6e6026af258204bcacc93c7d9004d1de0a98df10675
SHA512 e300606d7cd176d3dc24315ad81a8cc64dba2422b3d918f3e50d5cdf6a7a2d940b0966706c248af0e4e2c1f81958e3be56693254a0f3af5cc7e11a73dc6b1b03

memory/3572-32-0x0000000000D60000-0x0000000000DC0000-memory.dmp

memory/3572-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 a17fd345c5c6bd644996c8955f901629
SHA1 457d8bbb353dd276667065bf60a727109713ae5f
SHA256 e04089d9bf3ac2b83013200bd69c26d1d53f6f146aaddd83ccdf0ab6126e4592
SHA512 13a0225dce2a8b09e0f356343aeea92f622f13be8e44d7bac9d5465201ed11abe7f1460f390dee12c4293ed5e3c6631a9695f471bc010ce67c54821bca2bb654

memory/2116-42-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2116-43-0x00000000009D0000-0x0000000000A30000-memory.dmp

memory/2116-49-0x00000000009D0000-0x0000000000A30000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 f4942c161276c11b63845dcf960c210f
SHA1 5861252a31892d40cd372fc50b8adbc4e5b29781
SHA256 841900351d16e196444f6f3e69e822b8944484a2cfb5d4607163d7fcaf59e320
SHA512 95ac0fa7e7a85d5acc5f534f8f2dd46cc0e65cc8a7729895fc439984f474a163981b7071723227c28b54fa99110e4e2e595632844a6729a9caf1e63ad18f47e4

memory/2360-53-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/2360-54-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/2360-60-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/2360-63-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/2360-65-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 d937a22ba8f93ec0540d7f75299b9648
SHA1 717d0dac17ae5e61fb25d8a727cfbbda42086f0c
SHA256 d7a720fe71c75632aa6bb4c010c05d32125b530c3d7cbf1fb62b678f5ea3c2e5
SHA512 dbf8e39f347312e7249904f338f995d9813a514c15ba32bb1f5757430c7dbc618080fec9f4ee7b59655eb4fcfb06a04eada8b617f065023bf20548fc5b544ee5

memory/3384-74-0x00000000007B0000-0x0000000000810000-memory.dmp

memory/3384-76-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3384-68-0x00000000007B0000-0x0000000000810000-memory.dmp

memory/1200-161-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3572-191-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2116-205-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3384-233-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 d31165373b1d917027d362c23b24d33f
SHA1 513cbabfc04286c039d783972f2c71c2bdef4e83
SHA256 310b3de3edf158977a961e67a9bb549cd85c1f4d5134e944ace1e1ad1ac120aa
SHA512 f30e80dd8454e01a971408c3f54ef92646ad5c9f4e87d12b8653ebaf5f26c1b390b715bd90e9f51a6818c4ee98dee6cefae83ab5afb08228ea3f0d95c7f48cc4

memory/3288-245-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/3288-246-0x0000000000720000-0x0000000000780000-memory.dmp

memory/3288-252-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 9a67f613b98f1c8f28a67daed818e4d0
SHA1 49addf3082e229a38b515df46a4ebf2a568ffd92
SHA256 b685198e2230de0c6fa8c2f1aab715f5cfa7303b43d9098010bd4ac921d67e81
SHA512 25c0aeec466743b6935f8302ae58567dfb1bfceca9302d0c9461e9ee8a21b5624e9ad63bcb7523662b19823d9a2e28df2f362304cc8b1a834526f25742e3cb86

memory/4020-256-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4020-257-0x0000000000EB0000-0x0000000000F10000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 6fca39e9a41b451c01fbbeb6f778b2b3
SHA1 cd17cdd3bc7e4d4756b6a9ecd1bdba9cea41c830
SHA256 e9166f80e690d26e276449eb52bc9cccedfdac91e4b1e9e43c0d38e62b9b5879
SHA512 af3dde61ffb4759b7ca0ade68384c4b47d66f9e66692d9d501fecd0d5f7c224bcf3b18c850cbd08f45c72efae63ace9266fe8743fae11cfdbd584d9f26825ef5

memory/5100-271-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/4020-270-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 c64218d00de65985d9cfcf39a8aeb024
SHA1 dd9a517df1c00adebfa035077312bdf4aaffe438
SHA256 7ceb7b304d67f3ccac97b2dd3409f6e746f0fb634ad20744421c7dc844120187
SHA512 0a0050f26ff3b9e5d72338ce90352b1f7d8f547de3d954a2ce7b316b3abcd4d8cc3917451dd061c07d745478f7be50da3a3a7114b7b05d6961d057c2e6c81016

memory/1688-283-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 42cb158c9f0b2e0ecf823e90309fe69e
SHA1 7d44ed6db5a3742e003ca3808fa0d5756541587c
SHA256 255f4510d68618cb194fbad78339460f368dd50b6e5977ba8d313d039dd05b2c
SHA512 2da3a042277c846f6046565df1e6ae2508c631999c0f0b1441def6d806d8037ff56dec55a9027d4d164e37edad3add17dff70392623768d3d025d64ca55e895a

memory/1276-297-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 87d70a24409a6cd051289c7910b7fe5b
SHA1 196ea671b4fa169cbff0c37be7673262610431ff
SHA256 d9b7a420c3db4d3a95e4b1ff4f8b9b65810d946796f36a564e3c1ad0c20ab3e0
SHA512 c9a15fa3474889c4c775145e9d04cccfbd491dc33e92a5d0480c7c503fdf6a4a64d9a164da2291bcb51ba387209e09e6729dcf18b62d5c5d18df8a8d4916de0a

memory/1236-300-0x0000000140000000-0x0000000140095000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 aad9b98719465697f4691f45a5df2acf
SHA1 0f083ba8523ed6747b90fec098a9a6880dca36ac
SHA256 ab1810cb7d59f1b7087d4bcba1516bc544cb150b5eff84ba3d7577ebe576a25c
SHA512 5c5f1ec448854945f50f3f0478456c490a0b0b162b646da7bcbc3baa71cbe6187c6f0ba79a9c1bbd7f2e915b96f91cc4e3c09f49eb12f1198ee038b5116f6ecf

memory/2836-311-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 5c673fe65c230ef9edb0db5084976e6a
SHA1 cc7b43e210d766abd172b5e27b07d69c2e18283a
SHA256 71292926c57100afcfb0d4bc8b19ce181da94d0cc0c8b8ae1aa4e2cc2fa20157
SHA512 1e1bfe5a4c5930e73487d3ef7b7bf7e2a83d28c5fa5982190990a3f6f16b639682e814fa770e5ea7b1c01445c037822d047d52e3a1fe9f11d0c93ab7736df19a

memory/2164-323-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 48455ea76c67c63ed5dcac30601f548e
SHA1 91e72d9f8ad3c4d028a1348f78d08da69c319731
SHA256 95c5ce01dc35007941ac3584b7b5c25ae956688a84e185a9a61a18a02c4bff67
SHA512 ea5f452c7a4515e593ad0dedf6d012c25992f7273d38158be1a98b6066c355c9c9283b58354310e69f502fc33e8de442877d2c5390fbf82d51a877ab1b7a36ba

memory/1584-334-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 04f4dec7e38ac733c976ed458b005f66
SHA1 eb8b8dd07f352ae2675358df5398823e55c8ae2a
SHA256 89eead9b711d05ced17e794ba9bccd6f9a408243467eb2800130c158a4bf6b05
SHA512 5c54421b55cd5228aba4f41a893917384ee51962c907e168d00e4c866e6342dd77c6f54012de06ef1e53f4af4536bc963000bc3ad09e71e30d557e63a96e7da0

memory/3272-345-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 4f09103825cea05a1be7827e680c0be3
SHA1 b75f786b5f94870716d1fcf3f9c3393c774ef6f5
SHA256 47614bb3914f26ab0e1092887a3dd250ad0bc79c9814fd9ce90cb88b08fa9288
SHA512 d29c758e5673a29306246f1678404fdcd0d6112b11bf4fda47ae07dbb6a32cbf79229d0060afe9668cdeaff2c58f339b3f113bfd1f2024c59ab859c27fce2373

memory/3288-357-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/4092-358-0x0000000140000000-0x00000001400E2000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 2499c4904d21414c3a014202311816f9
SHA1 c6a03337061bab9f54d4f04651051f0681632d4a
SHA256 23b8c7be505b707f1368f38c8c8bc9287a049fa1e00a99453a05b1d5888a3e91
SHA512 f7ae02387e7d82298326a709c4e22a4910ca7197a2493ced7d34020569b55a651d39d9d0dcd9c86319e8b39f5cd56d95a84159c72b7f343d542382eca1988bd6

memory/4912-369-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 506b4b93e1fc32a88f166ba3d754350b
SHA1 3f2315f9fa679f5451f60d0572c769b6d329fe0a
SHA256 6d5f1e08aaa3bd114f2aafa18889f8b841ae0709937a785c9efa7724b4526208
SHA512 4c852d74062f1c4bab7fd105bdec8a5b9bc726753d60d5c3bfc668ec1d8ba1a6120d4930ed668cd929b480a051cfbd3a89843782cbebf687e5ae9fb3ed7867e5

memory/5100-380-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/4912-384-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/368-383-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1688-395-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 cf3350b3630cc3a3fd26accf9bb594ab
SHA1 7b2a3b917c35f30d43cf5c197bb2bc131311c93a
SHA256 83d20a668feb91614b1e16acafbcc7c7e0a81631ad80c60536b34c362b71b9fd
SHA512 3de247883fec40a3fa3dca30a89cadbee143a0959ad1168d75e38be5fa9f86f111830868e6163cfc618e9aff0cbae802e6dc19b7ce233c9dee5368072843b6e4

memory/4676-396-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 a4dd6bffab5f3b57d692c1f14213f88c
SHA1 e84d836729616738a39c64be3daff316eee22bc3
SHA256 7d9b2f64ffda81b857cef748959a1fe53121543779867f59f0be72f8aebf031a
SHA512 6e8c220122e4fb3b446974992b3ded232ac6f8614c387e638698e36e7d12188b305efd6874df04bfe0a41d1088137dd007a7744b1912fe1f3ec37ca0a99bb79e

memory/1276-407-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2296-408-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 635ba9c7c875193f550a3b0d8f98acd7
SHA1 3b1393e339d86ad3195bfb15534ea13ea6b21dbe
SHA256 56481616794bec8e7ab108d4e7c46e93a6c2d380b9d45856636ca94830cf02d9
SHA512 7138f9355fc9f7628be0cbefc5a36bdb1ae4b96c64a4818ee287f6335772004bf69500bf4ffe0c6cfee1b274ae6236c37d7f2b7f9064fd9cd467b8c9bbcbf760

memory/2332-420-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1236-419-0x0000000140000000-0x0000000140095000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 18257055090371ec33919b4c6e749ba7
SHA1 815efc7783730667e6fe6c884f2f7f75ec7af78d
SHA256 467000cacb3782c428de2e5b1722179a9535d5fc039d26ed28621bb7d9f928ea
SHA512 fe57c8ce95b887c9a03cf9fc018a731e9e7d09cc3b07316e8339a1b2138d1a0f6994fc1a9b847207a732f11d2eab47c809224e77080865126d280031143b5423

memory/2836-432-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3052-433-0x0000000140000000-0x0000000140179000-memory.dmp

C:\odt\office2016setup.exe

MD5 ec349014121c7e651aa1a521f8a01067
SHA1 bef85663441679270e1509888ce0b8c093eae9aa
SHA256 0c0c52aea65623fe7ac99dc2f843d07458ff1d6a45a257890fcea2b1797a2e92
SHA512 6d6d4888f0f46c57fb86a64ae2c0c2a7cb54cc1c802d9b7ee73e1f7779915d2cf73637e3516c0dc8bc7b0e3de26218bcd98d7cb798323c16c00c1ce8fa022f59

C:\Program Files\7-Zip\7zG.exe

MD5 55ef03d78a30a68fb911bca35ab04fa9
SHA1 9d1373584e9bb2e4a4c8b9c2b664fa04eefd7ec3
SHA256 9bbad2d487486ec6494eac0ac0689ae30c754f3e70cae0e751922efab1f34826
SHA512 0bab5ff34cc7180471ef472d65eb52c2bc97d6040d1ad239e9a5c3dbc2a3dfd4ada3b5394ab15d12bfb42958c1e84541011cc16246c3f3835c1830c98435666d

C:\Program Files\7-Zip\7zFM.exe

MD5 8710a4c61b3a9604016e8b38d8c80239
SHA1 0a9af2b8f96883f916eea3e316de04d002d4db88
SHA256 5340037db71ec6c90b0e0373dd1ba646c07854032fc1cfe1bfe69dd46072d4cb
SHA512 bb37dc4d93f8fb4b48c0e0ee3990bd4bcd335a22ba0871ce3715293377ff9a5280ece31442f5b26dc5f96e5a53ad73518b93c6201c3842f8fb7480b0b1028473

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 9f7cdb16b4a1401991377631691812a7
SHA1 3a55ebcb009bf9f4890b56853d7d869348cdfefe
SHA256 63fa0c7beea3041f0beee879dcf9f1cef514fb1634a8f4dbf9bcac6583d9e379
SHA512 45ca264e0654e760e349c061d1f03b175cd8f120fd5cc53cee0da4da4bfd6dbe9f51762c08832f01da5ff82410a50134e219ed13d8bc02da3d795520dea23285

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 8ad4af7fbbe818a2a0eee58b54bf4dff
SHA1 5006e7156d94eff8da938dacc6a45150be04693b
SHA256 01bbfbf59b37c166db1cc2be5acc5a656236e34896c72ac52ab77d5400598939
SHA512 966cf331c5565119ade688061249e558f673412b04c5c52eb8d8937e2cbaae0596209405f32ee0ce262af7194b59169f9d7c81a899acaa4a598b8866d510661f

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 a48796936b5c1182da6b5d87a6dd54b1
SHA1 c27deeb274a2c3c2fa1b33c30f93eb54f82b406f
SHA256 110fe04ff57ece395b2bc08b5bf6c43f40c5e3109ee2b5efd34f29df40213bf3
SHA512 1a5bbce287173dc013cf8c25efb398ba2b03f8af05ed6757f1390fa2a5c05557caea93c2153d190557f4f5cd88c70c5db3299606e4cbbcffb49796f0ca07d464

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 fbadaa8a5af3612ac59985ce91efd4bf
SHA1 455e6f5348c08c6c38dc4d09ac439e5a32bfc699
SHA256 35c30d8f2d6ac58f84389e18c55f20546546fecde1b5c5834934509f2738cc1d
SHA512 d662fec3b818b4524af1afcc728e507c7b12a04ae85fa1d6d52286de643792bc8927f01d6bc2b68d7d35f5e76a9262b693ea730ab9722ed02468e1bbed2f686d

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 b7a11e6a61783198cecd57d68b76c9e5
SHA1 310c2af973f930bdec62bf8a30ebc83fd30d60e9
SHA256 ea0d1adb10ddf062342739d434d5170b7a1b08e3165b66a359ce20e86946c843
SHA512 ab59e8993b781f93a2d6cbc9dd9162254aafbb88556cb7bc8ece35c19af6d4847df25d88a964e275714aafaef5ffcef6802a5c36a7c613cd88b74b6c10d9c20a

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 5c3207c908f0776f10a306af6485368b
SHA1 1a9a5e0a2368134d0305292a615ac210c3fbffb3
SHA256 51054ed9f33aba47be696610eef9227cfe2b35021d52db7609a050336c3ff056
SHA512 1f6bb744ee6a8950e9ef81b3284a7634e972c27f08967979e5fb6c3aa7c9b312d54e3bc312b62be603254de03c2477e394e75952e83bded8ea41d58420618e43

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 a8fbca92b658400c8e7286e525904518
SHA1 f075fe6c668e21d428e579e37efb38f85b177c9b
SHA256 3177403d265b2662d438bb6ad016c95b708c3db2a0077b6d0a3ae38339c2b7f2
SHA512 1c47972c4aaa7d28f8935721fc454b2aaaab507bc4c5446655dda4f69d704f3b9c37d94c549c5b09a3909926baec027003a073faa12b0841ebe0e0a601ef3d37

C:\Program Files\7-Zip\Uninstall.exe

MD5 12ed119ad51e55a9c3629d4df3c9346e
SHA1 c675c35758f78f45aebe794abe74d2137119a6d5
SHA256 a3337133ac1a1a379ed8d1bd99735de5cd53861931051e51425ed46c13d20c7c
SHA512 48b5aed1f610dc1953c27e8995bce2033f22682325146f739f2c04416c2df1e3bb386062d941c22ae8c1363d4aafae2ff0e36b6f36b221a90220721dd88cad82

C:\Program Files\7-Zip\7z.exe

MD5 72ed0585035f1952f8fe38c41ca4491b
SHA1 997c03c7bc6268a446bc482dc327a641b923233b
SHA256 71b8eb6d838d7a46c6cd43351878e057512adc79317ae65182c8c5799b038a55
SHA512 33d0eaeead08a51d0f8956c709b85db0d08e5d617b59fae687d8d4f096069943fc5a3a5ac78a545aa14af073011b8a44e84057ade31074c0854bb26a8d0d2e32

C:\Program Files\dotnet\dotnet.exe

MD5 1d7742d79624d27973234ef9b6616e07
SHA1 81c458edc13f1e2742d6bff12d8a04b61af73623
SHA256 dd38e3eca4a39ee0bf6558bb787d499da4e9146cddd51e97092bc657d20b69f8
SHA512 2258eda8e0d89d22285f0e7b3104ee62b0755de0ab3e720678fcdc0bb5f264f71da51fa047cec37bc932452fbbfc52b4c6c9d99c93fc4d9e7ad8e3867f99c077

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 72872face92f137d740f6a6d106ac9e6
SHA1 c8cd3da77086ffbbe9e01045a0d11d8799f9930c
SHA256 1e7802a9665f83c2058ccaa80a7390299aef43aa19f8f6b4c59743313a21139b
SHA512 66ad1a5886f3e2958b406dfa43b4cf2000b2bb52c6c71109e1fccee6ab816a27e508c0950fb74f4039887197382ed368450a1d94d276a55251542ff3e667f59a

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 9a3180cdddcdb21ab3d4e429f3b46b83
SHA1 5c6ab7a8436fc0b022439b194302e7668c5e8f1d
SHA256 ed3d602a3642fd7370b18bfb18c0d4c52a0fa5364b8990bf25635e5c1f951dc3
SHA512 f7c7c0a0cc20eeff4cd53591fac2e067f6c70755c298ea042a0c7e560d911a1ecc2e31b5afced61aae42a2b31e5d7680bf74bca09a1b7c92508207490e7ba098

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 026a67649b6850857d13f4afac8b6f1d
SHA1 60079cd0909c973db75b94b5fd1fd9fa419e30db
SHA256 7581cf719ed78f47e218d71da3501804bbdfca669b22d63356b29cea0ead496d
SHA512 922c8f4e5df5ab9d82bf90929d4fe7b612c7a682978579f9267ab300725495599a6ba4dcc7956b3ede49442e42ffae9b0245edeb17f830f2e4b644274517b6d6

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 a7449c86faa2e3bafcdcb41535402d21
SHA1 49b66be4ac426d130cf0e1f29a486d5b502b478a
SHA256 046acde7784a7146d073ddb6377f75d49eee20138079fed075bf7b202cb03230
SHA512 1dbe8a720d8bee90c0f8152f5927f6cec1a7ac1887a7c334fda9fbc29bbfdd86dea842e8edf114a2e1782a8c7d96b69541e53870b3b5aa8f293b0ec2dfd8d525

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 b31ec24b5874198f1bf205b61dc58a3e
SHA1 b7b1d4eac194fd57152e36c91e690302a2687923
SHA256 2dcd85a7d0564469f8600a12356d5887c3f4248e1e7fee0b8e961c2aab8c75ba
SHA512 a637762b50f8fc6d6fa4a3f39e48fbd60cb20d8003dc067afd08c74d718d8f6ec0f21806428ccf7a0c8440618f49072b96e4c5e2889ececb7c54c101c3f722d5

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 b6ce9da2b314357865b34f7a6674c56a
SHA1 c10de5fd981919a1ce103f0e55dcd698d0b5a5b1
SHA256 1c61281bd6e816e13896b8f1b6312a47e9bc2c1ccb90bb254e1f42feac94937d
SHA512 b05a1b6be4f315e3c723777fe290a0ce653054be558f68bed405380022752d1d9bc5acbf07dced6ab26ffc5a48a8ccf0ba32fcca028f41cd29fea729af3578fe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 72a36fec49c5b7549d0e5732562e3a88
SHA1 e60119cfe3d41216a6343a011cfaba37f1a69a9f
SHA256 92aa089ecf19edec99b1f6095f71eeaf2a57d11bc572236a637419760a3667f3
SHA512 950624a61fec3f87d9c6470297cb521261260c89500fee769be5e8ceba103fb29c7fabe22b308e5c993358084c49319a4cfc08aa09a403efaa9895023a99f584

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 5cfa0201e5f3faad8d3846f21f1816fb
SHA1 419acd24a630cc2d9ed202ac362850cb11785d70
SHA256 fa19e69733d0fe1b2a56fec203fa556dcbaf62c5a16646562b841d0f8c3f292c
SHA512 029c27b37e7961c481856b6b402af7bc4479e6612de04f36b201a98a3872920f29ebeb5cd7aaf67ea16a094a809b3f123d449c549e6b4c460e3e5e50c7d1163e

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 2b77d4a681adf7d2135baea9491a64db
SHA1 1749d70279fd4cc172a8a9c4c39e16a2f4e9fa39
SHA256 4a015f2d4c5603e024e729ac2a6aa30fd29ec9454170f0a0183708b45bcb4f8f
SHA512 5ffee103c71051a8577f3ebbc4d1544efb224390f4711edfdd1132b134960ad0ad926e30cb2d52b4d0a308c243d39c55c4b6d5165dc5c44aa4f72ac3c86e8337

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 55f179035b2689d2b66aec75dcf170d1
SHA1 40bcfbb57e651dbf45a893cf4dbcad7a860e84df
SHA256 89a046f31ac4469a416ea77334d347a46e0734b6f51383f49d92534643104eb5
SHA512 3b02d6aeb465f5927d6cbd69189f0a468d0d7dd77de893d5eb76d4d50c8cc6932a427706316513fb93d2a5c4ae0ff8988910254eded83fc1b049c8e677ba0372

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 937af1cdad3702d15de9fa092edaea62
SHA1 d6aaa374fbae5526839dd6efef9591ff440f802d
SHA256 1f132359c6615ea153fb8e491df6895248cede503b54c1d740418ed18e446e49
SHA512 a312768f475041bde21ce637aaaf93c1c8ed7bbf01ec4d86b4c30636afe66016738b5c07a5bd21b4f0859f29e68352ded401d9d5e964431d5d021e02b94415b1

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 cf8fd9f83f7c5902edd553f5256a7aaa
SHA1 e92d109709a4392482434e6a1d85f5615dd98b6d
SHA256 9bf1183664481f819996b66b3c786231676de8867d317ae672cb9109f3d93456
SHA512 45e24139454b6c79846a3ca360a15beecd9434cc0b763e1df63ed45c00be1a78a2d58afcfffc8d645eddfe40349328611e1afc0aebd80de702a9fe682d9fceae

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 3f13889b3d583e5928c3313fe5bec68d
SHA1 ac969fcb1c83ecebe7593db9cfe733ae827b4cc7
SHA256 7b3e86b081fa799d0a04633740b9602c48cd1f0299e9496139119f2f7f95ddcf
SHA512 b3e31c3081be9ca7686769b4ae2718aaa0e5769ea94088e5fc56f67022be8a4cc1b3402cc203a10f9e6bf404b52ad8a1414e2f23e78e5de5e5e9595c8fc58e78

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 e4c4ca11b53c4a3234d4ff7282d87cb8
SHA1 664a8027be448b248700d9bce4e720f9c1328b0e
SHA256 5f0a3b94b2c50c21c65a1fb310685a3aeb0921d4ce9d25775e114d08f3443c1c
SHA512 3fd98f974fc340652e2469eb50aab408aa2dffedd1c5420e71e882bc837eba5ba68308ea633ef32edd2509d489d1c5879aed814f3e9c596c33f612220ad8c149

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 cd1aec13cc583cd02bd2bb090142fb8c
SHA1 ea26a08d9695aa3928104bcfd89c3b70fb66b448
SHA256 d0a56811bdcb6d21189e3c8c0f68094141970becd14d22437d01759a9c8e8d0c
SHA512 59a5fdb87e752d8faee5043c3e4d6f7aabc8c29c98308459ba368be13837bce49feb227600cbfd1249a598a7fa735b3a84e1287621031b2bbf4f05144afeb45e

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 c0f5d59358110eedfb2abd671a601b5a
SHA1 9cc4bc82978e81641b71d190660f86b9848c0940
SHA256 c88da0ede68800563f91efe4e5241ebf801c155740903a35e1205d61eeeffad9
SHA512 2380fd936109bb82f99bd8e1ae5364fa81dd316f5a37715718c1c1654641310c5ffbc51ab53ef003242d7f986f34a1b165bb5fb54643c38b26cd3df8df4d7df6

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 f152d4d87c34bcf06904e13ec8c3e469
SHA1 9726afba3d1c074a47ed86be47b732ada0b74575
SHA256 5fac56c133017976e713d603de48aa696f6877ac018f9327693021367448ab3a
SHA512 59bc47e5b25f31823b5ba8d71ee5d52343d90da8ce0e4612ac4e57d6bd63e1124caf7641015f0c8c6711c6a083988134eeda156ff38810f58eb97b4aeccb82bc

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 bda6dbd073fb008d263b980a74b00f74
SHA1 3c02670f63fc9f7dcf0aeadb476331d455bbf603
SHA256 2904891c86d28418c7ff584baa1f386fc56d9fa02b4442f0df27f5b3b0ee0c40
SHA512 88124a29822dcec59e56c999f51973878bcfc2c98997b01c3988e5bf5649e182ed8fbfcbcb41c03c20928130798e828864848c42c696d3eeb5ed04c2b53c069f

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 39cb777b270c805b6d0c20cca271d34e
SHA1 df62f50dc002f6363fc991be06270f2894a72169
SHA256 b6efb8139028de43529f2c044af6f5cc43d3e573f0274289e26e9c5fc6e9b57d
SHA512 f3d6e964f52b4da00e65df06af31e5c5a9965a19747352e5579fd46bbdc237a056a655269327308852ba7987bbfe95fd3b357a0e5874ff8ea1e6e8820bb969c1

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 f8d1e34fddcd15a7a1ea46b4472710a8
SHA1 d2df87ab1f89da34b3d99b82f3d3b1085a421c4c
SHA256 d831f8f5d453433e45b5e238497c54993a00fa257355ead49bd82d2650205781
SHA512 28184bee60218736fde574bacf3cc3fa74d8f2900f2164b0176b03caec7e0767a380bfe59286d0f323b0da53ebe74758e2cfa50d7a3dd32fbbf37fb126dad370

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 1dc519c5a71838caaebebf7469e9e14e
SHA1 3f093ecf67106f13699142f711cb15943be17086
SHA256 7c1264796a9ebb9ca73bd23f03447c5769e7918515c1d8073569ecfcc60d5a36
SHA512 45de0a94ce839d7cdba40456cba3fdd5e8ef147cc1b3722a9bb8aa5e107cd0f3c68e95eb87dafb8ac101455ec3785b4cb489204b9ca1b1ed5eb92285324cfb84

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 6fbded1f3b19ab6d9ddcc1bc5955a6f0
SHA1 9066a031d3abcb0670215b32db95f2fd5b4fc1c7
SHA256 d3692c5a1defea87c4d810d4c72912fbf77cebb0acf66e457c4fbd8e87d7a45e
SHA512 dca84eca2ce71fab51e3e2b010ba90265cac72841a1e574753b28912fdf07128f98c37931e3a89e1514ec03cfd86ae0e25f8255e3d433abf869f2a393282a5b8

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 78ba69e3963d76ffec41da135b502a40
SHA1 7be16aba6dc1481d93c4191107c6217e33deb285
SHA256 31e554096ea34082ec4a53c68bfaa5bf9f2208589e575f8a2db3ced3e023028e
SHA512 f9a71cb936bbee567cb302a63dfa6dcee81d798cc632db0c53bf95e0d32fdcda1d7aeaddc24af5c911403699aa2a33dbd35296bc6205f7d3a13c4d6b1c50d491

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 2551bc11522772687fb1be2d89b86ccc
SHA1 00d5f122860173bff219b0316b557c43a2fe721c
SHA256 4521edc0fbb92977e00e9c896c2840fe0c268a75102e956692b46a503f3398ac
SHA512 2c77b9c87402b8019a7ac38077aad5b6d223cd89389b2c8d0ec1d5bfef2bdaa338cc33ca8e9216ef5dc497cbc054dde1e1cbb9548c88ba841482829ab26a83cb

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 181e8cca73d1a650a0b3ca43b81e4a88
SHA1 357b571a61385cccf2a45bc751849d83c2ba895a
SHA256 b6779895b040a701f0b480844b2413d1bb6999acaf3773b916e08f1a2313159a
SHA512 ea779b3b1cf1f317cd561905d3d284008c777a69d2a2b8ec53baa1ef09e601245c3ad9a22a00e1da9e09923e3d3f5df104928c2156bf40b974d4c1951fe7906e

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 a8ac1895e4cc1b0801f4cbe993e023f7
SHA1 97fcfddfa2c0a9e673414ccc830b4eda6710537a
SHA256 4f2cd7f4dd95946416c8d5dacad56c50c6e27e012174138dc62dd78c17338ab9
SHA512 0fbd96065e0f3efa7a0411f548eed9bccb38c86915de20347f5dd49abb94e8fc7259d2d0042321225d1840469be2a30493433aa1d47b60a8014c632204998228

memory/2836-519-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2164-520-0x0000000140000000-0x0000000140096000-memory.dmp

memory/1584-527-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3272-586-0x0000000140000000-0x0000000140102000-memory.dmp

memory/4092-622-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/368-625-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4676-626-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2296-628-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2332-629-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3052-631-0x0000000140000000-0x0000000140179000-memory.dmp
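The listing above is the report's dropped-file inventory: each entry is a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<n>-<start>-<end>-memory.dmp entries. The following Python is an added worked example (not part of the sandbox's tooling or the report) that parses entries in exactly this format into IOC records, validates digest length and hex content, buckets the paths by the directories the "Drops file in System32/Windows/Program Files directory" signatures refer to, and collapses repeated memory dumps of the same process into one image size per PID. The embedded sample text copies three entries from the listing above; the fourth entry is constructed (labelled in the code) with a truncated MD5 so the validation path is exercised.

```python
import re
from dataclasses import dataclass, field

# Expected hex-digit length of each digest type the report prints.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Three entries copied from the report's Files listing, plus one CONSTRUCTED
# malformed entry (not from the report) to exercise validation.
SAMPLE = r"""
memory/1688-395-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 cf3350b3630cc3a3fd26accf9bb594ab
SHA1 7b2a3b917c35f30d43cf5c197bb2bc131311c93a
SHA256 83d20a668feb91614b1e16acafbcc7c7e0a81631ad80c60536b34c362b71b9fd
SHA512 3de247883fec40a3fa3dca30a89cadbee143a0959ad1168d75e38be5fa9f86f111830868e6163cfc618e9aff0cbae802e6dc19b7ce233c9dee5368072843b6e4

memory/4676-396-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 a4dd6bffab5f3b57d692c1f14213f88c
SHA1 e84d836729616738a39c64be3daff316eee22bc3
SHA256 7d9b2f64ffda81b857cef748959a1fe53121543779867f59f0be72f8aebf031a
SHA512 6e8c220122e4fb3b446974992b3ded232ac6f8614c387e638698e36e7d12188b305efd6874df04bfe0a41d1088137dd007a7744b1912fe1f3ec37ca0a99bb79e

memory/1276-407-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 55ef03d78a30a68fb911bca35ab04fa9
SHA1 9d1373584e9bb2e4a4c8b9c2b664fa04eefd7ec3
SHA256 9bbad2d487486ec6494eac0ac0689ae30c754f3e70cae0e751922efab1f34826
SHA512 0bab5ff34cc7180471ef472d65eb52c2bc97d6040d1ad239e9a5c3dbc2a3dfd4ada3b5394ab15d12bfb42958c1e84541011cc16246c3f3835c1830c98435666d

memory/4676-626-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\constructed\bad-entry.exe

MD5 deadbeef
"""


@dataclass
class FileIoc:
    path: str
    hashes: dict = field(default_factory=dict)    # algo -> lowercase hex digest
    problems: list = field(default_factory=list)  # validation findings

    @property
    def location(self):
        """Coarse bucket matching the report's 'Drops file in ...' signatures."""
        p = self.path.lower()
        if "\\windows\\system32\\" in p:
            return "System32"
        if "\\windows\\" in p:
            return "Windows"
        if "\\program files" in p:
            return "Program Files"
        return "other"


@dataclass(frozen=True)
class MemRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_files_section(text):
    """Return (file records, memory regions) parsed from a Files listing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line before any file path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                current.problems.append(f"{algo} digest malformed: {digest}")
            current.hashes[algo] = digest
            continue
        current = FileIoc(line)          # any other line opens a new file record
        files.append(current)
    for f in files:                      # every record should carry all four digests
        f.problems.extend(f"missing {a}" for a in HASH_LEN if a not in f.hashes)
    return files, regions


def by_location(files):
    """Count dropped files per directory bucket."""
    counts = {}
    for f in files:
        counts[f.location] = counts.get(f.location, 0) + 1
    return counts


def image_sizes(regions):
    """Map each dumped PID to its distinct region sizes (repeat dumps collapse)."""
    out = {}
    for r in regions:
        out.setdefault(r.pid, set()).add(r.size)
    return out


def sha256_iocs(files):
    """Sorted SHA256 list suitable for a blocklist; skips records lacking one."""
    return sorted(f.hashes["SHA256"] for f in files if "SHA256" in f.hashes)


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print(by_location(files))
    for f in files:
        print(f.location, f.path, f.problems or "ok")
    for pid, sizes in sorted(image_sizes(regions).items()):
        print(f"pid {pid}: image sizes {[hex(s) for s in sizes]}")
```

Feed the whole Files section to parse_files_section to get the full IOC set; any record with a non-empty problems list is either an extraction error in the report or an entry worth re-checking before it goes into a blocklist.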