Malware Analysis Report

2024-11-30 06:37

Sample ID 240612-wlx2daxhnr
Target 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker
SHA256 710df036c18187fbd5d82133d1bff579a5b5437f69d7b2272ebbaf48e4f6b97a
Tags
spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

710df036c18187fbd5d82133d1bff579a5b5437f69d7b2272ebbaf48e4f6b97a

Threat Level: Shows suspicious behavior

The file 2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:01

Reported

2024-06-12 18:03

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe"

Signatures

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\caps\hdpim.db-journal | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe"

Network

N/A

Files

memory/1028-7-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1028-0-0x0000000000640000-0x00000000006A7000-memory.dmp

memory/1028-8-0x0000000000640000-0x00000000006A7000-memory.dmp

memory/1028-17-0x0000000000400000-0x0000000000554000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:01

Reported

2024-06-12 18:03

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\a22fd1e253fadf5.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007e75d3b4f2bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | C:\Windows\system32\SearchIndexer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" | C:\Windows\system32\SearchIndexer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aee8bb4f2bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0508eb4f2bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d14d1b4f2bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_d277695b0fefaa9d41d8b43ad7390d1b_avoslocker.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto

Files

SHA256 c1619ebcbedfd1b1f1ec9f60eca236fac4df91a463c0809756a0ac29e4e23f32
SHA512 2f16389c8e446fb47731d445a662fdcb336f9a7899996f1e1ad822efeed421d3578d47cc3b875dfb0f2ea2a83c5d47138e20a1a8ddf6d4d03b84e9bf785686dc

memory/3396-354-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 4de81bafe79c03aff80198d26168e02a
SHA1 e1cc07e25c36b4042d4eb3de9e90502d1b8dce39
SHA256 73ba6edacde7403f34b7c94825494467b282e96fb9ce432ef610ca53e2515e32
SHA512 86035ba1691cbf559eb337783e863b78a946cb937b79b6516a7e640a4a8f614652cfee390b1c01b203f2606c84eee0690baae00a2432d6e78c0ff7dd6a7fad22

memory/1400-358-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/228-357-0x0000000140000000-0x00000001400A9000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 6bf629d5c9410908f942529810e59dce
SHA1 3226c0c89faf2f3751eec9d95a5afc79e2c5fb4b
SHA256 8c0b9cbf93d3eb988ea93ab8f0e72f207a2991e14afe303de08329cbfe064387
SHA512 ec7e70763cbb4ee7457da3c069a2e0a1d1fd7b2d9f373ff3bcc2839718bbc9888abec2baf87906598572c58dfa41b72ac5753cd6b16fab0b21922c8fd8dc8bec

memory/1064-369-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/1064-381-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 569bf32d2bc4ef9f1ab9c187395dac44
SHA1 b8f65dea5fd851aa7d2cdf06462db61a61e71050
SHA256 72c763a2ee0dd7c08ca7f21058eee0beba7d1288a648517741e38aad483f3902
SHA512 e00e0d61896253493a2c6b6aca498d605eb4e13c1a1588c69bac7cb67591e065e0605a92192595bd9b4f9218f4ac70438ae35b9ccbd6ed8bc0f36b66033f1e96

memory/4516-384-0x0000000140000000-0x0000000140147000-memory.dmp

memory/436-383-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 82bd6632aba66d29cc4acf2a3c4761de
SHA1 2508c71ddb636e74854d821ada319e5b01d275a1
SHA256 b1becb4f74d5ddeff304b19b8c86e569ce74ce31162290b354bc3bfeed3d5032
SHA512 fee3bcc5c558dd06cc5ff54c0255c418ef917b1b2e35bd96d18d47df445927da235c0bc7da8e1375a53c2901719ff34434a44919719bd8ef2914cbf35884e195

memory/1984-395-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/1468-396-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 52a2d4fc14fd12be095b0ba83a0d486a
SHA1 df77fd667efdb7821dd0b0677e662871f8b513e7
SHA256 87132757acf8a32e82acaae404a10f0bbe690e9bd624bdb1dbc1da65d1bc9ca7
SHA512 c73ca25bb658bfa1bc76f81f3ce6e4ca88bba047c775b8a524408fd3e082a6ab340550cb477a1e1cc6f503c0da4fe9becb7437cdf73373e98cf7a7b2b8de76f6

memory/624-407-0x0000000000400000-0x0000000000497000-memory.dmp

memory/5116-408-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 75c693acc1f263c6cbade53388037bfb
SHA1 c74e37604eabf9fec6e44242b36da118af4d26b0
SHA256 f4ee1bfffa1db81ce50bc5dc7b9597074dff5bb27f5bae214f026da7c8937a10
SHA512 1131b8a88055fa388a02f9088319b2cb7656d80499e0a1b8bd465ad8c2da3834525c44e2d1036e5616d885a16d521e5454369f62a31543a5f2de3b1982930208

memory/704-419-0x0000000140000000-0x0000000140095000-memory.dmp

memory/2804-420-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 5ee74b169a987674863a16642003c756
SHA1 19cc1d0ef071976303b3f668cd2a28c4a4bffa83
SHA256 1f2ff93762ef23077a37468c7c68cc6333a4dcd98792055dbbda343abe03fa02
SHA512 28f2fe2bd5d236f686d17d3ca7da6e365fafa2e8cefa6fd66fe7d0edef51125ac25fb87d4496027be591261eeb6fb70884146b58988af76aa4ae8cb27f35748a

memory/3724-433-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2204-432-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 fd03b3cf4a64211dfa0207bb96feaa22
SHA1 ea3dd3e5380b30a5c7e94a3ff3bd55b1c64744eb
SHA256 fd6387b8a698801deafd842e0daa648527d33c88fcbc0983815bcef3c5707298
SHA512 55ed7ec26d1034999d0a8f92734dfda1a0ddb56b8a9ce94baddc4f3013406c340c51b3f1dc0f5227561d614a6fd7ad5ee9824b0bf43bba59340d2b34c2584148

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 6579dbc2439eb33deda86f0a6f130161
SHA1 1fe1eb028722e73d347906d0a19dbc8da071a084
SHA256 0973a43f3881930f384b836ff6ab6a62501a89bd4c20eaa4839fdd1767dadfc3
SHA512 a8d87e16feae35cd31f52eec3987ae49e96e44cd07b22a3b59e0fc5006dd6ba27153847a570c660cb4a968b9ddfb156b9f823e54090e5a971e700c1d3bd8ceb3

C:\Program Files\dotnet\dotnet.exe

MD5 a554681eef72cfe5af2ed71b06314556
SHA1 920abbd7e5e04dd5c1371824fef40490684f9cbd
SHA256 da3a327538dfdcb45c2c33e04de287f359bf0ff836bd163dd85001307938987d
SHA512 352c20a28b7f050e9c3a8fe5601f40e8dbc3281e9d116d59806f9c719a4b3f90d2643593a3fd66a5776a4e31e87b8421014c64a7d290175cde0e784d6d9b07e9

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 af56eba44ac1f123f67e73ea47ebad9c
SHA1 0715be66e9b15055bfd4a7a08181ae3ab990f7be
SHA256 50ad1e2d3c0befb7dd81e1b7f2f78806d749066a793caf535f62876e6401f592
SHA512 056685cc12d812e836c15a30b51d4a861385157a66e8a127bd176bdd158a559d486fcc16dc9d6e4ec2ee588aa733785e4984bf2a5e1e456b66802b40ece52e57

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 bc79811f00b33df541aef8d1048dbc8f
SHA1 b08aad1df11471ba54643fbf324983021991b062
SHA256 6c8a8a341ac93b1ee88ae9ba8322edb3abd8ea68cfbb6931b8054d9e9d5dac55
SHA512 f09e1ac8343cbd22dff0a849f20678e9df462f05a35503910a8e64e4b1b47fb2eabffce4dd14a52d844ba2f84ba26d7ff7e65719b0f680a20769e46a72da8265

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 491ee53d28102dd56aa1fe424c98878b
SHA1 92fe6c95795a18411a1c1fcb1ee11ad46a2cdb7d
SHA256 579df65402a915f784f87719ec278a9c72e8971b6bd154cc40390ddf704f2647
SHA512 f9ad8a157e729b7dd28d5855283fc0b0d387ee1d8d15590440fd361a7a7a8824f94fe74809bf6bd5462779e0592859e069988920e490a4bd247493219cc436b8

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 e1f7e1eace75afbc9cd76780b65238ad
SHA1 76bba9891733f3f06f21407c9972fcdb0349bfd2
SHA256 de7b48b833429e28a9497e273d6a2b444f3d660f53cbb7bfe7a04fd8db4186ca
SHA512 ec91fac88e8bb6d33107fd05d8b2fdc0564e2fe19b6efa63190c8b58c4bfafd28f6e3e061b504cda352400eb9dca69519508588927f564574df50108e1461679

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 7d4e08e6a74bd383ce8946e30c8d6d63
SHA1 a59e9211774a05963138900b16233bb2ac335cad
SHA256 793a236cc22dad59bb0dccdf463de6ce581a0b7d3e14c7de021c673176a0a8fd
SHA512 f7afbd8473dce6b5b533d00c27f82cb7eb4fdc00394d21cef15f7696fac8b8d067c151a83598756de0df159dcb49a6f9107f151b776f7b918546ecbbd497da78

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 d0d07c3c86982f8e0529b55f7807be11
SHA1 55fb928261ea171425efd3cb85c046d19dc46dd1
SHA256 0549e23e837eb4fec75f0da92c452dbe080900545c7d996fc510909fab6c84a4
SHA512 6b55d9937d5077d6eb72757444012564a27ed39b1c2288aabb68810eb76c24c613e23b9ba1903306464929ecb9f965b0c62e3b4dbc266dcc68cfc40a72733cc2

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 ae354ade182e207a8f7ed68384aeee56
SHA1 e6c989251b4457a822278bff76f9891fdb394e9a
SHA256 f2515e2f798de8f19039e225ef5a39988841203ea260fd506458d4a29602ca3c
SHA512 5c6abfce8bc486c174ecdc60a54c48f546ed942eaeaedc1ca55346208cf4ac8403b72e58727a884966d09beaaa573534548e3843c9aaa4f85f60a48f2e1e0247

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 16e66a39cf3ecb7214ec92bed16696d8
SHA1 545fd6ca2c9d4e095d29afea65ff96aa0843ba88
SHA256 afc106788601ea2a52df68af1ced6c5dc8bbd546fd0745002806be8d81fea30b
SHA512 18d76281a8ce566856c5111c4c8e56fc2e5b686790e6f8e759fb261f798bf2d3a03876d6648fc66102321246549fbef3b10143057c719c902c6939aabbe1c3a4

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 1909d5884477b548dbac3f313e171b17
SHA1 aaa7c7a417ab2bfa5f40cf9993efb5c9ffd9ed43
SHA256 014ad867439cb0f50e3f203b15299d9b4c1adf98aa64710704d12f0e99ff8695
SHA512 e9c782f90ad2cd51af1d1ee258d9468274dae9a0e6a557e65adeecd513c7df0c645120aa01b655887295e898d4930144b65cea81083258f3dc42e4a353b77313

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 88ebdd4822067beac74ff10c74080b93
SHA1 e7e4322c2cef525f81eb2907558a47ac81813129
SHA256 98bb19b0e0d0c53a4df8611c3c42149bd0a38f44cb7014f7b4b50afb59268aaf
SHA512 d3b6ed0a790dcc017e99871bdeeb41698e0334942cfde3d291f4426f384832a40e7ebba103a8e053f37e15de1ccc4bfc88a218f0f79ecad90d5142a4d0040505

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 52ca468cb258760562da7477f5c7ccc7
SHA1 3a7c96b23aa91dfa4454d05091464bc36ba951a9
SHA256 fc65bf9ddf84789a8184464687aa86caa9090587a91e4f1dd2b0a37f968c3830
SHA512 07930f161e47e9dc6d7d7dc8948b67dfd9642cc0163d40d59485ec9787e2fd4efc6356570165d73348362a8ce41823d85738bb99746c02fc22105f77d8a0e9a0

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 a72eeda3b60f53b058041d701b062149
SHA1 2d7901760e957a20fde21263cc4c234f5de3ee88
SHA256 fde6f3bf2ab581c2d45308fe9e53e7884a209501fb61766a8a2deac8fe140017
SHA512 fea732ff8d9f7159c341caa86f29af8dcb140bb1cd086516d15137f42119af0ed82b69292c7025d8625193dd87f12b6aad1d84f1ba3781fb47ad1877ab236696

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 1cd3e6e6515537e910d7766ae6497de4
SHA1 ac3a4b8c4f207e3992c66e23d32ae69ab0c07b7c
SHA256 29574adcfae231de5acccc88fb0ede8db27254e7f349e814621520d5aeaea238
SHA512 701b354ab14867780bd999470dc707a51d25c113d032b65dad5c2a78a9047684ebb2dea573dd4ea007501ae1de1904a3498319bcc2cc43dbd5495ee6ab02f273

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 08f927e6d2c24d9b0ce44ff2added104
SHA1 ee5eaca2cb524f9ea4c450cad8a9b58641dc008a
SHA256 a88265f9ff826af6beb679b305728aef2f55b5ab5e8f7509f0bae495d8cd35d0
SHA512 760e4d2338590852cca46aeb1ac70b5062ca1b17659c19dec8a44230886712913dc8a4ae95dda6b6cc3a38b49f4dec89261771e280e4a313aac023bd5e750fe9

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 871bca73d96cfdf5ab3f56d849b93616
SHA1 d7d8f16007e73d691e94c8583dd1188f4f88b773
SHA256 5e9d97f4a7a1c7c44579a8b7c88d7781a4fde8ed7aedf070cb35ea42aa47eaea
SHA512 62db75c3fe9c867cfd5cd8d0c671712519d2666600fc693d008335c9f9235a3244a317382f09e21f060de6288a3f006959cd31f6c1de63ef72f377ff992fe0bf

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 3ca0974cddc75a25356efa7cd0785aeb
SHA1 e9bff38550d495ea34f03967374a707a6aac5367
SHA256 2187eaa150ef789ed7659c908a23a94968f243186506d7a4e00e1629da8116d1
SHA512 b51df1d620e7d9a30d3f9c4d8cc82e5c3decd8282aef7059bbed5f31741e3ec32f86bf0c321830c2a3fb91cebba97ce1df0bdedfeb0f2c481122096aa6794244

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 2f12cd9fa19c987073598f993185f8d0
SHA1 8b95a058688a80b9ba3730591eefc4916f9c4184
SHA256 6fb215d4ae58cf4c1b69f93189b2bfe063e69f16508259cec1379867da749338
SHA512 531e570c61af5bb6f797323c5917e64e4ae03f81873d0e3453df4018ff2b32e3141d961bef5b5e7af7360d9f89a1d861e3720f48cf321bce21b8ad739a17457d

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 1145588654c22c37044ecd788a0ba2d9
SHA1 277afc636c077585901cdd74f018368b4a31f577
SHA256 7fc85b120a5d1b046589e607a3070026171ee64f5473a6fff23f6f7d70531c4f
SHA512 a1b86622965569c0283f0498980561327917c360a3e70e811c8671939acfed96f083aeadc4b55228ab1cdd0ebabefddd6ef4cad2f5d542e0886f978b22e7a095

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 cb214768a2d6bf952b09539a9dfb5562
SHA1 bf5e28125083e6f89e1dceabdb38177622143e07
SHA256 acadd8cceb27481b32051104c0f6d09f726f79f1ee9afc9a6b05e1ff691a5941
SHA512 9fa25b821a94a185bae6c791beb74d89d906956c51ce718ddfe6e03d2d10b926f17ec16df59d326f21e72a166d4c08344c0eaa3086830db0a91ec1d3fd847301

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 4aa6a8d8c44cd99db917c1f5a8f1a446
SHA1 b77493e74be7732370375a7432af8d9052322160
SHA256 c007a67beeeefaa8fb1a04981bb7f59dc1ab22ecdf9ab9cfe5bb96406645ecc5
SHA512 d366b9e509aef67e88d3cd87118c784170d47f805d10ca6355296659ed847d7ea9b9538b0f79ca9f342a5f6c59c072bf405ea7a5c4ac54dd82298d33570c655d

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 848667cc918896a813668519aeff556d
SHA1 177dfad1fb409d18713860c453c887f58aa0db7c
SHA256 56ac3aa53fe512ebd17d9ea240d95044dcd68e6ead65763ddac385555ccf2b58
SHA512 4a4cea94d9685c6e853c9753963b6cb0070783f0c11845483c452723ee7efe0fbc0c7970d081db73edc8e67712b0140274efdf944b9a1023072e0ef9ef700458

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 e98584f5a47c2afe5611e63f276ff687
SHA1 a8e30cdc7303ef7dc10e1f39a58aa0597f024149
SHA256 30f108a0202849ea8bef69e69a4f5478539dd8bdb5704210f1a27f818e3bb622
SHA512 b8d1b72624337eab4bd7614471c1bef0eae34eeab53a2326117f65ef39763a49993fa714a3fc7534dc5f3b49a7a6cbd9be37d0c78fad025ede1d25995e44bda0

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 f365a1baa4d3312614f2941d26ce27c9
SHA1 959bb1a27f2437f99f6715c76e2422271a481530
SHA256 b72e723b2c7bf131f69181adf6907de06dcd76f23b5e61e33533b91643dc4fe8
SHA512 a204379b2da5bc43f2892c58bc5a9f8bd8624c179a12da05dbb4b15c484373a8043cd87ed5401f32e3c00f03b5c79f7a0552541d877d475b7ffaee4b401df894

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 c1e8f19b01e994bbd0b09b4df3db9c8c
SHA1 edc96d97173ca362759a1b44d9d9beb97949aa6c
SHA256 4430337edb3439b347d8c2171f3c9526d411c12fb850dfdbed140a0c171bdab9
SHA512 2647edd9678a60557bbe3c45f45411e58163148cc43e31687737f2f475e60c4aa233e92d253c6da4883ac9a6575a12bc85717a58de4407bc4ebf36ebb20d1cc0

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 cb34a853995b8ceb60694e9bc0827875
SHA1 aa5d12f4476b32a53dee88abc0a186f4259643db
SHA256 566c35d8005b007a487cea1aa341bfbcd720a1bc981ef75bae228af98c22c4df
SHA512 6401aa54abe2aa8ee50e0bafe1337d384e28f1e6da469a5dad381b70f719c48e26608ef1e0636da48b97907a9931fda8ea038a8a8991b77dbfee6e4b5a0545ee

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 46aa23b1d4bd0a7ed84dee0e22e62b61
SHA1 1185d595272c56e2e524c234a08e7baa57a5d6ee
SHA256 ee62ba8f3a1d738d3848ddbc1c85aa74dc787e5bdccba880cad0b56072d95b49
SHA512 ebc086870e0f5a3c96e311e622b40bcf13a498344324115d485d435d1e1f9c3cabb12b7ee950b54ae9f3bc3012af620d0d4d589f99dc287b92a870321189a88a

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 d4056a1b691bd3af47d7f5032e7ed0a9
SHA1 97d6bd397a8ab37203e2b169b160b524c5383109
SHA256 f17df4abec8926805d35f984a2d0c70d3136087d45e03c5d3e8de82569ab8bbe
SHA512 581d77b38bb1344a59918aa2527aa39bd146ca594f2e6c44b17fbd94acfe84ffa577d5cf41e19616d124f905c0dd103bc3327b0ae15c51c8c356cc06039eed83

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 2ee2cd6c39807ddf6a327336914f3b56
SHA1 6b6074422df667b4d2b13842a43bdfd0e565fc74
SHA256 84707fac06d78d2dcc001d3db2eaeca40f19bcec4637fa396ed06ab04815dc85
SHA512 88a42f853dde1086f695819ac075a0d01090cb627ff30ff4b30ca208f23e886517b9f81d8c22976df448897f556633a6cae49d876e9fa874ced307ab591c58b3

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 372b36b94f6a80f5372a884de1d5375f
SHA1 b00a8b13b1773c96c23cfc6ad24382e16118be6a
SHA256 f3fe2208d86de1e0a025a1efb852fa6b50beeb28bba65a97e3274ec71612670a
SHA512 694d02506ee0e02b7f1a227ae622575f1fca30371d2460e814508f5caf929639d0835d01605527bfb12268ddc4af13407b44b3793672918324a06b418fedea99

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 7d27100239bdf067bee7183621adc091
SHA1 49569096ea8d5b80512a5705b9c40f76d0d890af
SHA256 4963526f77d5a6061203a9e81814de4318a82b2b28d37066f22b80a15a0fb376
SHA512 7dd293e81474486eb96efa56e210df1cb48760753318797da5e5d784119d903325d02fe192f29980fa18727ab0c03e2624625e87d19fa05c864c2765752515d8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 8fb4a448d3ef7f1e116cc329d498c209
SHA1 ab26cf0b41e4276044406974038bd66c3220b8c1
SHA256 710ab31c79beeaba9162724bc4f654b8d3aa90aca2a2753154d8eb20e4c9590e
SHA512 9c8ba54933825d4fd439947192afdae2c825e3ff18601416f25ef6a709c88bfd62ea9c96b25a7164777f80e32074699fc6fa79a2bf4ac922785c59d4d9248c04

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 921f4569b984b8bf60a8f61bfbdf7340
SHA1 e71a28e4883c5d9e3cd04288da0326f0f04e9f1d
SHA256 efa75fc70201ff37f49e3eacd2c157ba9f80a8417c88a1dc2394cd92234b6fb4
SHA512 559117499d7c460e3ece17e998fd2d0ebd98cf1db125395c33ac71c1cd81f87c023babe26f7c330d31186cdf9a0355f6822f91b801acea60c52745c3b2b5047c

C:\Program Files\7-Zip\Uninstall.exe

MD5 9ddebfa2654b63925e99dbfe80e11a82
SHA1 27cdbc44607d3d1600960d808eaf96574ea9fcfd
SHA256 982c991d9fd422f96d6d7f05ddc176df6363f9682dc60f54345fa8cdeebde011
SHA512 e9b141989ef16ac7ac3b7c0ac83e39d5ba0151f3849777bcb618db2c3ecdacbbfa4b123ef00a23b6fed04c35708b2a002bc934f69dda9cbf7071d89e2b78f2f4

C:\Program Files\7-Zip\7zG.exe

MD5 2935d9d591e73c0822f74f818a89eb2a
SHA1 53af2b3dfb619e14569eb638dc8a94824f3abfab
SHA256 6ab9d4bf9999928d6ca0b740c704e559ae4ad9bf6317424c0324d05a4bd4e033
SHA512 feca6bd2ed1b6689b9c517d7b8a41f3399af7380a4965354b24dce8b63d9130235d57481ee04b54689014388ebd99fa9b13a43f8830580b78fcb44e18f2f7933

C:\Program Files\7-Zip\7zFM.exe

MD5 9aecd9c44fe85f3509f079e30d670de2
SHA1 bd6aa84098f41409be226ee05a9c10b0b5782e16
SHA256 8c222546308caeae6bcdf4ba8bd67dc45023e7abec49ac02074ea2068c762fc4
SHA512 4c3719fbb79f57b1616748fc7cc8cda5cf357dea314a5f12b4f953e8b973dbdcaf0b0e1071bff352b2b00efa8ca3bc74c81c0dbdb955eaa879d54373056cb5b7

memory/4664-586-0x0000000140000000-0x0000000140096000-memory.dmp

memory/2416-587-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2204-590-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3396-591-0x0000000140000000-0x0000000140102000-memory.dmp

memory/1400-592-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/4516-595-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1468-596-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5116-597-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2804-598-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3724-600-0x0000000140000000-0x0000000140179000-memory.dmp