Malware Analysis Report

2025-01-22 08:15

Sample ID 241026-eb4mqswrfm
Target 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk
SHA256 83c90bab42d120928ebfde3f04c144626f520c5828f9459c5517ebb70e087fec
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

83c90bab42d120928ebfde3f04c144626f520c5828f9459c5517ebb70e087fec

Threat Level: Shows suspicious behavior

The file 2024-10-26_870aabe31135188f5d11268cec10db27_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Checks processor information in registry

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 03:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 03:46

Reported

2024-10-26 03:49

Platform

win7-20241010-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"

Network

N/A

Files

memory/2488-0-0x0000000140000000-0x00000001401EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 03:46

Reported

2024-10-26 03:49

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\3f78a1c99262766.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_870aabe31135188f5d11268cec10db27_ryuk.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto

Files

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

C:\Program Files\Java\jdk-1.8\bin\javap.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

C:\Program Files\dotnet\dotnet.exe

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
