Malware Analysis Report

2024-11-30 06:33

Sample ID 240612-vt3fdssfnc
Target 2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk
SHA256 ed83a668fe4c34d625880b088275855d25b1cb98938b92bd38d5c35c8674c975
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10
SHA256 ed83a668fe4c34d625880b088275855d25b1cb98938b92bd38d5c35c8674c975

Threat Level: Shows suspicious behavior

The file 2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Checks processor information in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-12 17:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-12 17:17
Reported 2024-06-12 17:20
Platform win7-20240221-en
Max time kernel 119s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe"

Network

N/A

Files

memory/1724-0-0x0000000140000000-0x000000014010E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-12 17:17
Reported 2024-06-12 17:20
Platform win10v2004-20240611-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\dbe9a86485dff9a7.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaws.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95953\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d29218a3ecbcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301074a2ecbcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c7195a2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cae3e8a2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083876aa2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8ea4da2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000422468a2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a9b5ea2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035d397a2ecbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_bbcc9b53719abe4451531599afc51786_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4484,i,18320353784098040629,17273168055569331828,262144 --variations-seed-version --mojo-platform-channel-handle=4408 /prefetch:8

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 114.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 44.221.84.105:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 54.157.24.8:80 fwiwk.biz tcp
US 54.157.24.8:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 18.208.156.248:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 18.208.156.248:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 44.221.84.105:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 18.208.156.248:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 44.221.84.105:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 18.208.156.248:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 18.208.156.248:80 zyiexezl.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 44.221.84.105:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 44.221.84.105:80 zrlssa.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 18.208.156.248:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 54.157.24.8:80 htwqzczce.biz tcp
US 54.157.24.8:80 htwqzczce.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 54.244.188.177:80 kvbjaur.biz tcp
US 8.8.8.8:53 uphca.biz udp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 18.208.156.248:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 44.221.84.105:80 neazudmrq.biz tcp
US 8.8.8.8:53 pgfsvwx.biz udp
US 18.208.156.248:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ptrim.biz udp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 cpclnad.biz udp
US 44.221.84.105:80 cpclnad.biz tcp
US 8.8.8.8:53 mjheo.biz udp
US 44.221.84.105:80 mjheo.biz tcp
US 8.8.8.8:53 wluwplyh.biz udp
SG 18.141.10.107:80 wluwplyh.biz tcp
US 8.8.8.8:53 zgapiej.biz udp
US 18.208.156.248:80 zgapiej.biz tcp
US 8.8.8.8:53 jifai.biz udp
US 44.221.84.105:80 jifai.biz tcp
US 8.8.8.8:53 xnxvnn.biz udp
SG 13.251.16.150:80 xnxvnn.biz tcp
US 8.8.8.8:53 ihcnogskt.biz udp
US 35.164.78.200:80 ihcnogskt.biz tcp
US 8.8.8.8:53 kkqypycm.biz udp
SG 18.141.10.107:80 kkqypycm.biz tcp
US 8.8.8.8:53 uevrpr.biz udp
US 44.213.104.86:80 uevrpr.biz tcp
US 8.8.8.8:53 fgajqjyhr.biz udp
US 34.211.97.45:80 fgajqjyhr.biz tcp
US 8.8.8.8:53 hagujcj.biz udp
US 18.208.156.248:80 hagujcj.biz tcp
US 8.8.8.8:53 sctmku.biz udp
US 35.164.78.200:80 sctmku.biz tcp
US 8.8.8.8:53 cwyfknmwh.biz udp
US 8.8.8.8:53 qcrsp.biz udp
US 34.211.97.45:80 qcrsp.biz tcp
US 8.8.8.8:53 sewlqwcd.biz udp
US 44.221.84.105:80 sewlqwcd.biz tcp
US 8.8.8.8:53 dyjdrp.biz udp
US 54.244.188.177:80 dyjdrp.biz tcp
US 8.8.8.8:53 napws.biz udp
US 35.164.78.200:80 napws.biz tcp
US 8.8.8.8:53 qvuhsaqa.biz udp
US 54.244.188.177:80 qvuhsaqa.biz tcp
US 8.8.8.8:53 apzzls.biz udp
US 34.211.97.45:80 apzzls.biz tcp
US 8.8.8.8:53 krnsmlmvd.biz udp
US 34.218.204.173:80 krnsmlmvd.biz tcp
US 8.8.8.8:53 nlscndwp.biz udp
US 54.244.188.177:80 nlscndwp.biz tcp
US 8.8.8.8:53 udp
US 3.94.10.34:80 tcp
US 8.8.8.8:53 udp
US 18.208.156.248:80 tcp

Files

memory/3180-0-0x0000000140000000-0x000000014010E000-memory.dmp

memory/3180-7-0x0000000002200000-0x0000000002260000-memory.dmp

memory/3180-1-0x0000000002200000-0x0000000002260000-memory.dmp

memory/3180-11-0x0000000002200000-0x0000000002260000-memory.dmp

memory/3180-13-0x0000000140000000-0x000000014010E000-memory.dmp

C:\Windows\System32\alg.exe

MD5 bef7d94fa6da7fd94b9570e55bb2150a
SHA1 ed8583b5a6e3acdaa1c052670bc31e46e83a4a6e
SHA256 bcae63eafdd5804686546ab56cf06a1add6654731b705653a59d33d45132becd
SHA512 818e58f0de59a630620244240f97f0f7b3bd5cfffb9b8eef48c1f8a6a7981e579222413703dd9499b856e098efa6a1b67d2392f3e3153e88dc56249654c94158

memory/1568-15-0x0000000000600000-0x0000000000660000-memory.dmp

memory/1568-24-0x0000000000600000-0x0000000000660000-memory.dmp

memory/1568-23-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 f2dbef4af69b6d79b9a754b8f96d9c80
SHA1 9e15d3342da9865a1c9b6394b4aec47eab4197ab
SHA256 464879306641a4b74cf2ef6b1477ca0108f7e0af31b0cb4424ac47be386f9e0f
SHA512 b89edf82fefcae2ac672811ffe3d43f1b94f654cadbebb34e0e677030f57f127a3dfa028ca5ec101ec25dce188fde8a6cba0a2ed8c7e6ede66800db5a13cb12e

memory/912-37-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/912-36-0x0000000140000000-0x000000014024B000-memory.dmp

memory/912-28-0x0000000000760000-0x00000000007C0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\125.0.2535.92\elevation_service.exe

MD5 da110251866a060cf1e572a25e2c110e
SHA1 1b7cc3933e1518c98b567340b7503886fa058205
SHA256 a834da047c6aec7569f5434f26e5669ad7203e0ad1791acecbe36d5bec789280
SHA512 c72e63ae1ff3928a629540f2911093dd54259830d7d033f51abb9b28293a54d0363217d1657e8bf98ab18361f6591cef37a66599758bfea617a21536a116ef3e

memory/2764-46-0x0000000000990000-0x00000000009F0000-memory.dmp

memory/2764-41-0x0000000000990000-0x00000000009F0000-memory.dmp

memory/2764-48-0x0000000140000000-0x000000014026E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 b687048d39b3fffb1c49fea3d6f55189
SHA1 fb4a9496855bca5ed4bfb480a40573fbb20821db
SHA256 d84e5ad93d5b0c3a85086266e461acff03004ebfeb84d9aad34fae020b0f3c37
SHA512 754b0a656b74dc22c598187902bd7573a6d7e73e27c610bbf627ca0139b5b3c2eb94a7c825a372ee883e91e250eb4988a4228b6bc525a0bea9c1033d492f98b2

memory/972-51-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/972-60-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/972-59-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/972-66-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/972-65-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 6f45e4b9120ae1a9a628d61adbb320d8
SHA1 35716258a8fc000963065b4699d6d81acb2397d0
SHA256 17bde879e74d0e74ced9e01fdd8daf27219fb345f2c02264874264ccfddc3531
SHA512 f4deeecceaa9ae8f8668b4fddddbc8f8a9d3073ff577313249d74ecc483925bb6911d7cd76bc60fac71223ad04b001ead3ef4f66a0df6195446a68ef2dbfc033

memory/1520-74-0x0000000000710000-0x0000000000770000-memory.dmp

memory/1520-76-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1520-68-0x0000000000710000-0x0000000000770000-memory.dmp

memory/1568-235-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/912-236-0x0000000140000000-0x000000014024B000-memory.dmp

memory/2764-239-0x0000000140000000-0x000000014026E000-memory.dmp

memory/1520-240-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 2049893bc2652749f66df513f73e2c7c
SHA1 4f2d11da7c187da8c08c1aff5535e0c6a9403c76
SHA256 ebc068004921aca0f2d3ce3c488287211ead0102c443e74b23c6b14eb14d5be6
SHA512 9d349300d5f366772a76d9b4bb86839bd6a945738fafd4557c24d0be24ba30f726814b98587884fb4f51bfc21ec46e87afc2f3b0a3e0fd73b9552f0b342641d3

memory/1832-251-0x0000000000580000-0x00000000005E0000-memory.dmp

memory/1832-253-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1832-245-0x0000000000580000-0x00000000005E0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 4f032f35629f908b8282504154f4eee9
SHA1 8ba52e7520daac0864c2d243a6822b4921643816
SHA256 7dc49c6b0d303ea01f3242c97088c0cd6772b8c9737567fdd1dd7aebe1d1159e
SHA512 20754aad1c5871a27f2c41d27a5d2d6a9e86f3ff78188e734d8fa90735ec26aa81cada54a85e2f26bb5e6edd70178e4d832942e0105c46244719476b38a467ec

memory/1332-256-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1332-257-0x0000000000E80000-0x0000000000EE0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 37205590d428be26b11c4daec0ad3324
SHA1 6e5cbc0948912ef2eba9a39d84f15bb112faf021
SHA256 b8b6165e7491264fcd0bbdec87529659a88bd9f78d2078c72c2e15c2eac815c9
SHA512 33dd066ea8749799084fe2500303960d4ac103dcf44beae216fdf12919f12c07113c12af3966f38a824eec71a4bf571891efe9075db5a04d75e0216480c78851

memory/4640-268-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/1332-279-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 c347a976fae88f5b76b252c0057753cc
SHA1 fb73dbc99e6000aa64df63793ad54299e507672b
SHA256 3c36dfac7edbee91036f5be09b754e565cc488afedc1979b90128a7b6dd15d9b
SHA512 bcbbae2bf09500d9e956ac0a2a8c4b2d5ff20635e79764ac44946ffedca9aeed7bad49a071c42a3c7bca76ba2cebd773509e952ae857bfbabcfe084d651fd0c8

memory/4608-283-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 1dae5a53c030c1231e78e97d3add12f7
SHA1 a4a9d92d753d0ebb1edc6afd466d6358601c4700
SHA256 5c4ab2025b9629998f2710319e3c742fb0af59f409fcd6b2952313c35d64126a
SHA512 226e78cb88dc4be4eaba5e5e6c88ca599d61c50e51510dad39bc300aed009a00c464451d7a3fc3e891194d4fe0bc685fc719653fab57102d8dba6267d5597625

memory/3100-297-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\dotnet\dotnet.exe

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

C:\Program Files\Java\jdk-1.8\bin\javap.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7z.exe
