Analysis Overview
SHA256
ec2f7f564f0d51b2962884a883279651c8afcfc5353ca1501e1da1eb46ecdbaf
Threat Level: Shows suspicious behavior
The file TNT Express Arrival Notice AWB 8013580.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Suspicious use of SetThreadContext
AutoIT Executable
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:23
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:23
Reported
2025-07-01 07:26
Platform
win10v2004-20250610-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3960 set thread context of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | C:\Windows\SysWOW64\svchost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWow64\perfhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\SearchIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe"
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\TNT Express Arrival Notice AWB 8013580.exe"
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
Network
Files
memory/3960-0-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/3960-2-0x0000000000A70000-0x0000000000AD6000-memory.dmp
memory/3960-6-0x0000000000A70000-0x0000000000AD6000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | f100648a23d79d97479f9450dc4000e1 |
| SHA1 | 98b745864a83c2c5d4ca1d87117a8487000e8767 |
| SHA256 | 4b47cb451a44b1d2018780f9571c254278c20fb32cc41ddfdd16f3a1aa4a6d8a |
| SHA512 | 9ec92ac59b708bef2794b5f907bbc55793791e74220e2f77e79d1b3d75ab42b542af6a66198bc117390765a2dcfe4589ddb9b0092dd3272bf99b2499499bb5c3 |
memory/4492-11-0x0000000140000000-0x0000000140201000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | e0118a842592c816ed25f343af8049a0 |
| SHA1 | 908f8abca88e987ebe5edb1f38062889d8e5e4bd |
| SHA256 | fb80ca22f5b59960db3ad05760461041051b529094b0c02e3d01bc3c55a995ea |
| SHA512 | e80f3c6e03c7c4316a5f7bd3f06c26952ac7304a130f47bd6bec5345ac5a03a924bb553734400ea2cd74e74dfa555ea5519eadc5ef16f3c5e106cc3b991d267b |
memory/2520-15-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/2520-24-0x00000000004C0000-0x0000000000520000-memory.dmp
memory/2520-23-0x0000000140000000-0x0000000140200000-memory.dmp
memory/1552-28-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 7fd54fbc2d9450355457620f129e94b2 |
| SHA1 | fff043fcb8bf9de54d0ce2f9c07cc3b9aa7f4982 |
| SHA256 | 80af2dcd96d5f0e3d36283e33afdb00e34de776139ae0a0d08025006f03fed04 |
| SHA512 | 8ab83c08eaddf4e7544105369d018491cb0947ba24ace7c44a0175201dec502ce1c3a3b8e3d6802bcf721898b17e9a32337321c073f1142b31c8001005b23a24 |
memory/3032-38-0x0000000000CA0000-0x0000000000D00000-memory.dmp
memory/3032-32-0x0000000000CA0000-0x0000000000D00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut265F.tmp
| MD5 | dc62fd5e3a2035e0e4b44b904f5bf8fe |
| SHA1 | 27012565ebccf910b25f72ea3e495883088c09f4 |
| SHA256 | 968c5ad9db392efd1f0a3adb2073ca00dd0d0a4dad0c134477639df5dcfa88f7 |
| SHA512 | 98cdf06924f8858f0b1ff51ca76fe021f9481fc443425d47625fd27738a8f7080dad1b6274f1e7ced804204ff39c3878dc2680bd7f0160f0b34cb4aa3112ae7c |
memory/4152-56-0x0000000000890000-0x00000000008F0000-memory.dmp
memory/5068-61-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/5068-74-0x0000000140000000-0x000000014022C000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 58e1dce2f7967b9d712e71f72ffe3c35 |
| SHA1 | fe18c1c11700da494e550da5d4d3723bf4cb94f6 |
| SHA256 | 1eab26d133ebee6ba59ee674f194ae61415113619f38e2317eaa7b69a4c237b5 |
| SHA512 | 873bb54e76e79ad18841c0cabe2fbcc00cff52a2c41b31aed028f685e32a9789e78ef3b55eeacbc26ae754e1ef33db4e0a8f769a335f3336a25f3842f322ac38 |
memory/4476-81-0x00000000007B0000-0x0000000000810000-memory.dmp
memory/4476-91-0x0000000140000000-0x0000000140226000-memory.dmp
memory/2044-103-0x0000000000B40000-0x0000000000BA0000-memory.dmp
memory/2956-112-0x00000000006C0000-0x0000000000726000-memory.dmp
memory/2376-118-0x0000000140000000-0x00000001401EC000-memory.dmp
memory/2604-121-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4708-125-0x0000000140000000-0x00000001401ED000-memory.dmp
memory/3456-137-0x0000000140000000-0x0000000140169000-memory.dmp
memory/3992-147-0x0000000000510000-0x0000000000570000-memory.dmp
memory/2576-153-0x0000000140000000-0x0000000140239000-memory.dmp
memory/4932-157-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/4768-166-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | b59b6f2911b78d1dc1a71878cb590fcf |
| SHA1 | e72caccae509f1fd0534a7488c70bac95636b9d4 |
| SHA256 | 0fa0ef304e2ff0da4c7e6a3b7960eb9b9cb6acd92cb752723381cd9c71b86e0e |
| SHA512 | dda6ef18a1d0ee60e71283a931f20678605a6d9e3a32a30a502487f5a80abae30e0681a9935cf823487f4219a2e6a0155f0a2668332fdcddee22c1461f39c724 |
memory/4168-179-0x0000000140000000-0x0000000140179000-memory.dmp
memory/2604-178-0x0000000140000000-0x00000001401D7000-memory.dmp
memory/4168-204-0x0000000001A30000-0x0000000001A40000-memory.dmp
memory/4168-220-0x0000000009E70000-0x0000000009E78000-memory.dmp
memory/4168-188-0x0000000001780000-0x0000000001790000-memory.dmp
C:\Windows\System32\SearchIndexer.exe
| MD5 | a45bb34eb339b0594c57ea5b9521d9b5 |
| SHA1 | 4f02cfa5715f61246a87fcbbb33c54b506902d33 |
| SHA256 | 2292b91fe578477a59e33d23b94aa0e8e67eae40c68f95088b5ab163eb6e716c |
| SHA512 | a4519b2889bcb3a6a046fac7a6a75d14540c7559ec699ed22eeaa6b8ea16b9b71ddf56e2c7c73427ffa1fdcc70c6a15e81c916558257901d8ba8c049b0d32908 |
memory/4836-175-0x0000000140000000-0x000000014021D000-memory.dmp
memory/2376-174-0x0000000140000000-0x00000001401EC000-memory.dmp
memory/3896-170-0x0000000140000000-0x0000000140216000-memory.dmp
memory/2956-169-0x0000000000400000-0x00000000005EE000-memory.dmp
C:\Windows\System32\wbengine.exe
| MD5 | a09bb62ec6e413a0ed7560d0271fb59f |
| SHA1 | 6acdef996c3c6eebf49b2ccc0059291c45e091c7 |
| SHA256 | 5011124f48c46257fe1309a2a8e82d6e74b2820a5bad21ce7d98a220a2aa58d5 |
| SHA512 | 176f94074562913a06fc2c9d52d3e741245a9cf1218634b32820c79baa34896412c060312b5f554177bd7c44859eac0b303139a2d313dd0e0c3fb25ee02d8fc8 |
memory/2044-165-0x0000000140000000-0x0000000140202000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 37ad593619e6c2c621fb32c96a7d9cf2 |
| SHA1 | a114441814bace989a2e6f866443af6ef06d0de6 |
| SHA256 | a262983b23a2331952260b6d4a1daf6293c9a7101d9bf1abbf8678ae9eef3a16 |
| SHA512 | 9def056233b75f71c36913507295fda6c0cc914363b1c4f2a7f69dc8288a432712f56906de31103021b14784536e4c12b37aed21dcef527e32b2abfe887a4054 |
memory/1836-162-0x0000000140000000-0x0000000140147000-memory.dmp
memory/4476-161-0x0000000140000000-0x0000000140226000-memory.dmp
C:\Windows\System32\vds.exe
| MD5 | 3318e3b9b57218ab3922f634f77f40d6 |
| SHA1 | 9304a07d5bd69b51cb881f4b4daabf586e4fb115 |
| SHA256 | 35eb4e03524943e486116476fd7a7fe4ab4d58311f2d75fd02e279553adba1a4 |
| SHA512 | 86c4d86225814653599db7f3e33d216ea70ad10150cae9cf7fad7a48db465ea08c870c83a085697539706ad882e4ba8192e526e864bd90de0eeafcf57d0226f0 |
memory/4932-159-0x0000000140000000-0x00000001401C0000-memory.dmp
memory/3044-156-0x0000000140000000-0x0000000140210000-memory.dmp
C:\Windows\System32\AgentService.exe
| MD5 | 4c52ec571cefbe66e3d7c5c74c420e3b |
| SHA1 | 57de3d74c090dc5ddf499499138ec3fdd1bc906a |
| SHA256 | 3d819e559762080f43a5f781db1dd55f2264d2cac67adb9b183a6d07c732a090 |
| SHA512 | 37888bdcaa41045032e7c7d9d4ba9ff0f633a86e17ea6a4c19e842e27a28232f88cf94c8c113946ba4b63141c762c5af7ce1f74b157e85a8f2600aba132ff441 |
C:\Windows\System32\TieringEngineService.exe
| MD5 | 56f6efbca237d9bae4573ebe9e3c8e5b |
| SHA1 | 20b393b481866411a1728de4113c40fb3fd0d642 |
| SHA256 | f0a859a3c56805c9f94fdf8ea53301a2139f98a689fc5ca03e56ec60b19abeb7 |
| SHA512 | 91e91cb55c3333a8077499adf9fafcd725ee955581309641ab5ad2acc5727e8754410fe386201a63404eb284dbacb6c223c57d51fc4e4eed076a0ebf90fa37b7 |
memory/3992-150-0x0000000140000000-0x0000000140259000-memory.dmp
memory/4152-149-0x0000000140000000-0x0000000140266000-memory.dmp
memory/3992-141-0x0000000000510000-0x0000000000570000-memory.dmp
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 3fc7908ae8351a4bce90af687df5b0bc |
| SHA1 | b728e96b799eee6852a219dcd143072b84cd9b68 |
| SHA256 | 2a48b7b2aea122d45921494966637b2ac9bf93e9abd646c0a93431d9a84cf4de |
| SHA512 | 620b2f72434ff81035c2f331858fb0427990a47ac97160f376f338226d95cb361adb98cadd9b35946a3ec9f2ac0c4da1571793d2cc52af098fef838cdc878735 |
memory/3032-136-0x0000000140000000-0x000000014025F000-memory.dmp
memory/3456-134-0x00000000006A0000-0x0000000000700000-memory.dmp
memory/3456-128-0x00000000006A0000-0x0000000000700000-memory.dmp
C:\Windows\System32\Spectrum.exe
| MD5 | f6b3d23b5b62e0ad4790af4c88a2c426 |
| SHA1 | 3667871152faf7a1ca1ed5403620bed04b90c8f2 |
| SHA256 | 84338640ffe4ce6f15f629d61fd0096b6f35dea70966b35d064600c969a4c752 |
| SHA512 | 4dc51cd00ccead3357372f3f1544dcf5330d1c13335de38eddbf67fdcb3901b758f499504eca159f5c1ca111b3b12c97d9ffa1f129acaac0ba9605e4c092ba0b |
C:\Windows\System32\snmptrap.exe
| MD5 | 26feb35e997da34822aec655c37d1226 |
| SHA1 | 06a8b9e5ab62bfb6bfbec91e3953755f2b87c250 |
| SHA256 | fd84f02765716a6e9a5c0f6010a586aca6d4c619499014b2238d217633426679 |
| SHA512 | fe7a2201abc3d2b2ff586e50c6c284f62b3e818675324358fb4c07af9dc4030ab2b849cd0c54b8faff96d53408d701f72f19a99e852eb086c96061c9a959e2e4 |
C:\Windows\System32\SensorDataService.exe
| MD5 | efff52e6a090a483291691bc6597eb7a |
| SHA1 | f884ea3a639d3502017b18b8b28e3a7b8081af3d |
| SHA256 | 0074b89ffb5d68ce0873b7bccecaaa82cf5ed8c30a72c7da734ab2ec32a29c72 |
| SHA512 | 83a9da88202a67c2e27216f703a4d2b13b604f2e5b62424afcd90c4ee445007965639fa193028cb055df940c20af78fa124a533db42b4181370a8ec1406309ba |
C:\Windows\System32\Locator.exe
| MD5 | b993f40265fd051e5414f017de8e226a |
| SHA1 | aca086ae7bd4ca880c60a32925ebfab20d4e179e |
| SHA256 | 828997abbd42670cdd2101b6af06874fabab0fc61298e9ba52b82844875a6e1e |
| SHA512 | 94dfb93e959fccaaa6af237d6c7d1024e3f5ffd3e51844fcb6a42f5e57ea4540dd418452db9a19a1e64b2425f53147a2ddff2caa5231506dd6f0a717718ffda9 |
memory/2956-115-0x0000000000400000-0x00000000005EE000-memory.dmp
memory/4492-114-0x0000000140000000-0x0000000140201000-memory.dmp
memory/2956-107-0x00000000006C0000-0x0000000000726000-memory.dmp
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 08d3aed447734aaaabf92610b7b5529f |
| SHA1 | f484026f086ab724978143eacc78e501a520be7e |
| SHA256 | 43571f1de0c96ec85557e132426533e20d56fdbc70af95e07a8aa5d8a4ec3a68 |
| SHA512 | e4ae5c406f6adc5f2055f018a21588e96442957b9161f383d679f25e1cec3bd81077bed5f52169bbcb902c8b8c6a2b000efe2c054c327d90c8f09e554eb56b8c |
memory/2044-97-0x0000000000B40000-0x0000000000BA0000-memory.dmp
memory/2044-96-0x0000000140000000-0x0000000140202000-memory.dmp
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | e5ee336708ae89c7ab371385a5b45775 |
| SHA1 | b4f7f0f69141fdeaf88e6b6ba8b283da603fd054 |
| SHA256 | 2715e3bb8083c0ac4890d2dc5d9275f62b420de7c901d60decbc612e49a29d9b |
| SHA512 | 3bdf4acf90b9aa15be9f23e91c11e6e556cdb348f3458a637f7bcb71f5d2e18471e485cef5efdf52dc895726442c77c6d4af6eb6b1e92d922c7c39fdcd4c89f5 |
memory/3960-90-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/4476-87-0x00000000007B0000-0x0000000000810000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | 39402ef76449c6cca427b04469dab908 |
| SHA1 | 61b4ebf2a1fd47e3214dde02e8e01ad3d7259755 |
| SHA256 | 724c56f8e2e9ae1e094d4ee2e2a371cdd0e7813d7a03ddcac5cbcf8d62552986 |
| SHA512 | 8b800a1ea692c302677a9980ece5519a572c3c40a67dc24225ecaf877ede0c9f90ba3002270e09bed48c0ac548caf48c69ecf0ebc65730c2686a43368150aec5 |
memory/3044-77-0x0000000140000000-0x0000000140210000-memory.dmp
memory/1552-75-0x0000000140000000-0x0000000140135000-memory.dmp
memory/5068-71-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/5068-69-0x0000000140000000-0x000000014022C000-memory.dmp
memory/5068-67-0x0000000000C00000-0x0000000000C60000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | 3d40a19c2b4212b74465756a9fac667f |
| SHA1 | e8d196c0032c93f77bce5817681f158d15491322 |
| SHA256 | bc55f3fb1b49ed811a37fd75baa5db8e3c9c6720c850765afdca53186672fb8e |
| SHA512 | fc741241fe3dcd0055efb2aa1892eac23dfa33532b82145fc4247070660352bdad35b5769169e302769c4ee12d542b5354932df968d6168b0055b5d2a34e6441 |
memory/4152-59-0x0000000140000000-0x0000000140266000-memory.dmp
memory/4152-50-0x0000000000890000-0x00000000008F0000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javah.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\javac.exe
C:\Program Files\Java\jdk-1.8\bin\java.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Java\jdk-1.8\bin\jar.exe
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe
C:\Program Files\dotnet\dotnet.exe
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\7-Zip\7z.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SgrmBroker.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Windows\system32\AppVClient.exe