Malware Analysis Report

2025-06-16 06:16

Sample ID 230504-xal1eaed78
Target SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
SHA256 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
Tags
darkcloud spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5

Threat Level: Known bad

The file SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe was found to be: Known bad.

Malicious Activity Summary

darkcloud spyware stealer

DarkCloud

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-04 18:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-04 18:39

Reported

2023-05-04 18:41

Platform

win7-20230220-en

Max time kernel

129s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

Signatures

DarkCloud

stealer darkcloud

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\8eb7489f826a969e.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{3D284F75-F974-4275-BBE6-3BCEECEAAD90}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7FFF97D3-ADB6-4D6C-9691-83872D809001}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7FFF97D3-ADB6-4D6C-9691-83872D809001}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{FDEC41F3-BFC5-4BBF-913C-AAAC165AD614} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{FDEC41F3-BFC5-4BBF-913C-AAAC165AD614} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1556 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 1316 wrote to memory of 876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1812 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1312 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1148 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1116 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1316 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 254 -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 250 -NGENProcess 1f8 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1e8 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 268 -NGENProcess 1f8 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1f8 -NGENProcess 248 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 270 -NGENProcess 1e0 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 1e0 -NGENProcess 244 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 25c -NGENProcess 274 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 25c -NGENProcess 1e0 -Pipe 1f8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 25c -NGENProcess 27c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 280 -NGENProcess 288 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 248 -NGENProcess 27c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 258 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 25c -NGENProcess 294 -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 284 -NGENProcess 1e0 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 294 -NGENProcess 2a4 -Pipe 25c -Comment "NGen Worker Process"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 1e0 -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 298 -Pipe 2ac -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 2b0 -NGENProcess 268 -Pipe 294 -Comment "NGen Worker Process"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2a4 -NGENProcess 2a8 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2a4 -NGENProcess 2b0 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1283023626-844874658-3193756055-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1283023626-844874658-3193756055-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 1b4 -NGENProcess 288 -Pipe 2a8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 158 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp

Files

memory/1556-54-0x0000000000960000-0x0000000000AFA000-memory.dmp

memory/1556-55-0x00000000022C0000-0x0000000002300000-memory.dmp

memory/1556-56-0x0000000000410000-0x0000000000422000-memory.dmp

memory/1556-57-0x0000000000450000-0x000000000045C000-memory.dmp

memory/1556-58-0x00000000085F0000-0x0000000008742000-memory.dmp

memory/1556-59-0x000000000AF00000-0x000000000B0CE000-memory.dmp

memory/268-61-0x0000000000400000-0x000000000065B000-memory.dmp

memory/268-60-0x0000000000400000-0x000000000065B000-memory.dmp

memory/268-62-0x0000000000400000-0x000000000065B000-memory.dmp

memory/268-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/268-65-0x0000000000400000-0x000000000065B000-memory.dmp

memory/268-67-0x0000000000400000-0x000000000065B000-memory.dmp

memory/268-68-0x0000000000140000-0x00000000001A6000-memory.dmp

memory/268-73-0x0000000000140000-0x00000000001A6000-memory.dmp

\Windows\System32\alg.exe

MD5 4be51a1fc23926ba7ad4c1427b1dcc43
SHA1 d75d43540e7270b6563d550de2189b41010eb295
SHA256 64f72049afdca70da3f8ca7cb5155d978c5922090ccb6e1fcc960b6cc150865b
SHA512 4d896d017a8830617816064625aee7ea6c97a5d5801ded2efcab99fc51ea5520fee316db61c6aab9376b28beb946e2597b5dde806a65d6000b8571372e4e57ef

C:\Windows\System32\alg.exe

MD5 4be51a1fc23926ba7ad4c1427b1dcc43
SHA1 d75d43540e7270b6563d550de2189b41010eb295
SHA256 64f72049afdca70da3f8ca7cb5155d978c5922090ccb6e1fcc960b6cc150865b
SHA512 4d896d017a8830617816064625aee7ea6c97a5d5801ded2efcab99fc51ea5520fee316db61c6aab9376b28beb946e2597b5dde806a65d6000b8571372e4e57ef

memory/1864-81-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/1864-87-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/268-89-0x0000000000400000-0x000000000065B000-memory.dmp

memory/1864-91-0x0000000100000000-0x00000001001FB000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 b2d08d7e1e8863fe1e327caaa974f46e
SHA1 38b2d59e9848d7926b8548c240ca34989303a5b5
SHA256 0c48fcb1070a5f5fe6874d9cd7b4431473607133192f759cc69640a193414271
SHA512 448f46a8e79c81aa09fe43885129353b212d2500fd5ac576266e5b76b302353908a936ab24b2da20a2290b7525d99f26c999452274f55216d3dba8121dfb4d4c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 b2d08d7e1e8863fe1e327caaa974f46e
SHA1 38b2d59e9848d7926b8548c240ca34989303a5b5
SHA256 0c48fcb1070a5f5fe6874d9cd7b4431473607133192f759cc69640a193414271
SHA512 448f46a8e79c81aa09fe43885129353b212d2500fd5ac576266e5b76b302353908a936ab24b2da20a2290b7525d99f26c999452274f55216d3dba8121dfb4d4c

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 0047d2cd24d73a49b52b38594fd73cc7
SHA1 17882d77146d485b7d6cfc4b134c16e24aa0c327
SHA256 98c5c919ca4aefd9d0f71f2a7697f46b0d583014e7cf2b847851bb8c8caa431b
SHA512 048bc4c87e34eb45a7c97c9dd35bbb9416a72ff05251ed5220855e96eb0f65a14c70747ef4b8d830d3b163fd495e8cde733516580df3f76ea1fa1c5bcdd5ea68

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 0047d2cd24d73a49b52b38594fd73cc7
SHA1 17882d77146d485b7d6cfc4b134c16e24aa0c327
SHA256 98c5c919ca4aefd9d0f71f2a7697f46b0d583014e7cf2b847851bb8c8caa431b
SHA512 048bc4c87e34eb45a7c97c9dd35bbb9416a72ff05251ed5220855e96eb0f65a14c70747ef4b8d830d3b163fd495e8cde733516580df3f76ea1fa1c5bcdd5ea68

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 fd01b4bfe0a759da6ea31e4655411a04
SHA1 adf528f1b829d6e96c3efcfd9829a8a7a3b14d8f
SHA256 5726a1229c6e10f794f73ba03b946b19c791c69f5082647a028cc7b08a754106
SHA512 5517c54a4f08428870749ac0c69f9420ad8e34a3a25b9a9ed09b6a1af1d28c1e7a8f8dd0e8652626b7e35c089f09b1b65ed2f1416c6ea404ba732de5bd43d753

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 fd01b4bfe0a759da6ea31e4655411a04
SHA1 adf528f1b829d6e96c3efcfd9829a8a7a3b14d8f
SHA256 5726a1229c6e10f794f73ba03b946b19c791c69f5082647a028cc7b08a754106
SHA512 5517c54a4f08428870749ac0c69f9420ad8e34a3a25b9a9ed09b6a1af1d28c1e7a8f8dd0e8652626b7e35c089f09b1b65ed2f1416c6ea404ba732de5bd43d753

memory/944-105-0x0000000140000000-0x00000001401F4000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 8cce643b0d44dd670b47005d1e6a944b
SHA1 956bcdad29630595f6a2fe8821ca3b2ca9d47494
SHA256 3a59ee4a3eb377d3f4391f3ad4fbe8476c274efc49a80a2b57bcc9eee7564dd6
SHA512 486158b2a014f224741ac4c43aedb49440f2be6ef0fe7689198baf6ffec7e6b1f54609b01a19e7cc9707244bc2f1e9019926095b61b1753f3606ee9e566ca6b4

memory/1552-107-0x0000000010000000-0x00000000101F6000-memory.dmp

memory/240-110-0x0000000010000000-0x00000000101FE000-memory.dmp

memory/1316-114-0x00000000006E0000-0x0000000000746000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1316-119-0x00000000006E0000-0x0000000000746000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 fd01b4bfe0a759da6ea31e4655411a04
SHA1 adf528f1b829d6e96c3efcfd9829a8a7a3b14d8f
SHA256 5726a1229c6e10f794f73ba03b946b19c791c69f5082647a028cc7b08a754106
SHA512 5517c54a4f08428870749ac0c69f9420ad8e34a3a25b9a9ed09b6a1af1d28c1e7a8f8dd0e8652626b7e35c089f09b1b65ed2f1416c6ea404ba732de5bd43d753

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 751c1703afe0f332c314a93f5a10c19f
SHA1 0071db1e52bacfd0e7b96deeedf1d9e11486297a
SHA256 5a8e578187cfac3e7dc87d82d3c9d661ec8819924c657b51a3897b1b05f82815
SHA512 f44d2635960afb2cba009d4157b531a559c682049b246a7bb0ecfd35e9bda4218085f63f5dd4df3da43edcbecbaf614164870de28d3adb5b09bd0f6396756460

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 dfad880d0931eda4b06194b47a537aaf
SHA1 faf02bcbdb95ef700c60d59bcc6f1ed29c747ce5
SHA256 e28b8399f36ab19747d88e01264b1b5edfa70427abb2ab4b8d697533c0e05198
SHA512 eb7948510794f681c13496cee33ae929668127cbfb3b75036fa8827430fda80dd7bf4a3ee4740e69feffabecfa0be37ac1a3db117bb7a14ecbbc5601c78b0003

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 dfad880d0931eda4b06194b47a537aaf
SHA1 faf02bcbdb95ef700c60d59bcc6f1ed29c747ce5
SHA256 e28b8399f36ab19747d88e01264b1b5edfa70427abb2ab4b8d697533c0e05198
SHA512 eb7948510794f681c13496cee33ae929668127cbfb3b75036fa8827430fda80dd7bf4a3ee4740e69feffabecfa0be37ac1a3db117bb7a14ecbbc5601c78b0003

C:\Windows\System32\dllhost.exe

MD5 d469ae707dc960de835d346098ae8c7d
SHA1 419188778d02a06248961dfd1fa237d996c9d475
SHA256 405ff0d8978effe7d8e48edf015f9db12ce031cd7cdb3cdafdbaccff30933ddc
SHA512 c2dd8b1465c18fe238f6b7907066bcb226213c888a6d1c181c707002e397f1d178b329fce32b9662cc0b80e41a4a0f55104de5d381b941b3b37f68111d975b3c

\Windows\System32\dllhost.exe

MD5 d469ae707dc960de835d346098ae8c7d
SHA1 419188778d02a06248961dfd1fa237d996c9d475
SHA256 405ff0d8978effe7d8e48edf015f9db12ce031cd7cdb3cdafdbaccff30933ddc
SHA512 c2dd8b1465c18fe238f6b7907066bcb226213c888a6d1c181c707002e397f1d178b329fce32b9662cc0b80e41a4a0f55104de5d381b941b3b37f68111d975b3c

memory/1568-138-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1316-139-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1036-140-0x0000000100000000-0x00000001001EC000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 2c889b915fb724f480c0b725da54acef
SHA1 59f83d156fc6d976f59e412adfa348a18d2f8a8a
SHA256 05eacbe2d4be4910eef196da67915b4b1b910340760401f5e26410911cd4ce50
SHA512 a353b903abfac30bded33e51f62f9a0bf9f3d8bb306eb8dfd998a0d4b3d0ddcaba50954e35c35d82a3744cc887e37b352637c65cc16f51b875c900fdef9dd145

C:\Windows\ehome\ehrecvr.exe

MD5 2c889b915fb724f480c0b725da54acef
SHA1 59f83d156fc6d976f59e412adfa348a18d2f8a8a
SHA256 05eacbe2d4be4910eef196da67915b4b1b910340760401f5e26410911cd4ce50
SHA512 a353b903abfac30bded33e51f62f9a0bf9f3d8bb306eb8dfd998a0d4b3d0ddcaba50954e35c35d82a3744cc887e37b352637c65cc16f51b875c900fdef9dd145

memory/572-143-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/572-149-0x0000000000170000-0x00000000001D0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 e27bcaa055228464b759e4af47fc30b8
SHA1 ed17bfc243032f7373007f968d22dd2b53780f1a
SHA256 d6e57a4ef340bb8b4f2db9e20d3c5df3ec57ebf27a8e47a65f2456491226b1ac
SHA512 fc6b49d31d93596b1fab9b33d4a73f45d6438068b9af48017ff0352a7aa97e09cbebacad8b0fff5b00afac0cb4a15cda3d7f9ac10cd58fdaa94a61f243f02081

memory/1364-154-0x0000000000820000-0x0000000000880000-memory.dmp

C:\Windows\ehome\ehsched.exe

MD5 e27bcaa055228464b759e4af47fc30b8
SHA1 ed17bfc243032f7373007f968d22dd2b53780f1a
SHA256 d6e57a4ef340bb8b4f2db9e20d3c5df3ec57ebf27a8e47a65f2456491226b1ac
SHA512 fc6b49d31d93596b1fab9b33d4a73f45d6438068b9af48017ff0352a7aa97e09cbebacad8b0fff5b00afac0cb4a15cda3d7f9ac10cd58fdaa94a61f243f02081

memory/572-155-0x0000000001380000-0x0000000001390000-memory.dmp

memory/572-156-0x0000000140000000-0x000000014013C000-memory.dmp

memory/572-157-0x0000000001390000-0x00000000013A0000-memory.dmp

memory/1364-158-0x0000000140000000-0x0000000140209000-memory.dmp

memory/572-159-0x0000000001430000-0x0000000001431000-memory.dmp

memory/876-163-0x0000000000280000-0x00000000002E6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/876-168-0x0000000000280000-0x00000000002E6000-memory.dmp

memory/240-171-0x0000000000C10000-0x0000000000C76000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/876-178-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/240-179-0x0000000000C10000-0x0000000000C76000-memory.dmp

memory/240-181-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1340-184-0x0000000000800000-0x0000000000866000-memory.dmp

memory/240-192-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1340-199-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2020-196-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/2020-215-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/784-221-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1472-237-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1812-238-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1812-249-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1312-260-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1292-261-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1292-272-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/268-281-0x0000000000400000-0x000000000065B000-memory.dmp

memory/1864-282-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/1500-283-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1876-284-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1500-296-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1148-303-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1116-319-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1708-330-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/884-331-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/884-332-0x0000000003D80000-0x0000000003E3A000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/884-343-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/572-349-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 4aa276c696bcc21b45bb3b7fc3c35819
SHA1 61b8aecd4b3e50b9256867fa09c478b9fad72628
SHA256 9b3c34c3f604a7a33b7764ef3f04be02e6a3dd66d424643d89adf45cad62c1f6
SHA512 c8fc066be82c61d0849ba19e126eccf967ac4304ec95168f1b4dd9025b74c5915525f526f2eeb7639a48b199df1d113eb656bc5a30eaa8f0dfa7113d66f7068a

memory/1300-354-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

\Windows\System32\ieetwcollector.exe

MD5 fec4c7c1bfe64f6781e1ad616652e0ee
SHA1 48b376f7cb5d9b8be3f86ebe9ec4ffe6e41eb511
SHA256 1d4ee60a314c3d89db83aa2b97e402eac5f4690386ddd314b6128d15ed176842
SHA512 c4b3c8f6d66a6ac4557bea39ce8a8c273b6b07f58feaf728fa292c468abbda987eda03640b59f7148942d925c2d425986321f0f5583b7b671e9a51895ab49ff6

C:\Windows\System32\ieetwcollector.exe

MD5 fec4c7c1bfe64f6781e1ad616652e0ee
SHA1 48b376f7cb5d9b8be3f86ebe9ec4ffe6e41eb511
SHA256 1d4ee60a314c3d89db83aa2b97e402eac5f4690386ddd314b6128d15ed176842
SHA512 c4b3c8f6d66a6ac4557bea39ce8a8c273b6b07f58feaf728fa292c468abbda987eda03640b59f7148942d925c2d425986321f0f5583b7b671e9a51895ab49ff6

memory/1116-383-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/308-384-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1980-386-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1108-388-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/1980-403-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 c1e5766afc48ca01e5c6cff47479dac4
SHA1 b11370fe33ec1af027d8fffd7518529fff31df80
SHA256 3138a6d18a383ff75b4332db10283724d40e86c54d524553335fb5bbadf88b58
SHA512 ecb0dd2e36c299710f4f4f18635d6a918ab1591393e270b036f8396a2650b153d17f95b0ced02d197ab9fad4efc360b564275b20f267f41fa3c448bc112b920e

memory/980-413-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1940-415-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 b7135b568ecb586ee9497a8e93592fb6
SHA1 707b29be5af2254ed46b30f6e544e3e8c3ad87ee
SHA256 663c180072aed8c49964f3a025172851015ea7fd6fcb3b259fb27679e3febcf5
SHA512 e0150094c279f975c0b965a1791a7283245cdb2f3326e6b2a2f3519a809652871b541538f4eda79dcd6fe8d8752b8c81c705623d076ef4899946b90c8e130f73

C:\Windows\System32\msdtc.exe

MD5 7b33cf86c22ce9b4df8d0eef81672d87
SHA1 a44b29e121169e99392b617747383d2be26401a7
SHA256 668f18a693f72a672c74c94f99dfa15693b95d9bbb60cdb3b6d9d96fc4103cc4
SHA512 95fe0b2ee7c40b36adf023feea1472694fd185c4a7b8400346a1cfb56e33812e3186603923d6dc76663d622f2916972c57ccbb3fa09e4010bb2aa2eb885631de

\Windows\System32\msdtc.exe

MD5 7b33cf86c22ce9b4df8d0eef81672d87
SHA1 a44b29e121169e99392b617747383d2be26401a7
SHA256 668f18a693f72a672c74c94f99dfa15693b95d9bbb60cdb3b6d9d96fc4103cc4
SHA512 95fe0b2ee7c40b36adf023feea1472694fd185c4a7b8400346a1cfb56e33812e3186603923d6dc76663d622f2916972c57ccbb3fa09e4010bb2aa2eb885631de

memory/1292-428-0x0000000140000000-0x0000000140221000-memory.dmp

memory/1828-431-0x0000000140000000-0x000000014020D000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

\Windows\System32\msiexec.exe

MD5 71e2f8b11d8a8245c85dc375aacd5c92
SHA1 19c4514a1438e93f1cbade0202fcc26f1de1519f
SHA256 ccba3479449880aded15fa0027315840b338a28d2efc577541e6e0883420777e
SHA512 87e75281f13b325b866c9f89bbf224463030c9242747c624b1c0419d246590773fdba58dfe680fdb982b59c2c44ec6c9c7d27fd8cf8eccff4de81f036d9629ea

\Windows\System32\msiexec.exe

MD5 71e2f8b11d8a8245c85dc375aacd5c92
SHA1 19c4514a1438e93f1cbade0202fcc26f1de1519f
SHA256 ccba3479449880aded15fa0027315840b338a28d2efc577541e6e0883420777e
SHA512 87e75281f13b325b866c9f89bbf224463030c9242747c624b1c0419d246590773fdba58dfe680fdb982b59c2c44ec6c9c7d27fd8cf8eccff4de81f036d9629ea

C:\Windows\system32\msiexec.exe

MD5 71e2f8b11d8a8245c85dc375aacd5c92
SHA1 19c4514a1438e93f1cbade0202fcc26f1de1519f
SHA256 ccba3479449880aded15fa0027315840b338a28d2efc577541e6e0883420777e
SHA512 87e75281f13b325b866c9f89bbf224463030c9242747c624b1c0419d246590773fdba58dfe680fdb982b59c2c44ec6c9c7d27fd8cf8eccff4de81f036d9629ea

C:\Windows\System32\msiexec.exe

MD5 71e2f8b11d8a8245c85dc375aacd5c92
SHA1 19c4514a1438e93f1cbade0202fcc26f1de1519f
SHA256 ccba3479449880aded15fa0027315840b338a28d2efc577541e6e0883420777e
SHA512 87e75281f13b325b866c9f89bbf224463030c9242747c624b1c0419d246590773fdba58dfe680fdb982b59c2c44ec6c9c7d27fd8cf8eccff4de81f036d9629ea

memory/1980-452-0x0000000100000000-0x0000000100209000-memory.dmp

memory/1476-454-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1736-457-0x000000002E000000-0x000000002E20C000-memory.dmp

memory/1980-459-0x00000000005A0000-0x00000000007A9000-memory.dmp

memory/1940-462-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 209ccaae9e7807676b3afad04b98a234
SHA1 766c85d9907ca9d0d7bccbfcb1d72bbf8f6cf0fc
SHA256 655226027c3aacdbfcff883909d26400049c7eb3cac99ac74da18e2cef9a7d48
SHA512 b0361991952cbb824ab5e997bc443bf867cffa7f6f53823d5215607bd36f0fa5d214feecdce2fe0cec6345780089c35d84230b31fd17387da8353299b9d37b83

\Windows\System32\Locator.exe

MD5 cd253ecec6de93e767ffd33f71636b10
SHA1 c124a3bc617ebd64b1b372791fd9d5f6b97ab435
SHA256 5cedfc3c4112b93f3740098050b7ee5ae568779a6174e48af7de2261925d3c6b
SHA512 48ab6373b22536e3383fe3fa0da1aab2b8ec635e1017c4c14f33e18beae29154f0125e1b19b35e1ad0a81cc7268e86da2747b6f27875f4594892deb1231dcb7c

memory/2240-465-0x0000000001000000-0x00000000011ED000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 cd253ecec6de93e767ffd33f71636b10
SHA1 c124a3bc617ebd64b1b372791fd9d5f6b97ab435
SHA256 5cedfc3c4112b93f3740098050b7ee5ae568779a6174e48af7de2261925d3c6b
SHA512 48ab6373b22536e3383fe3fa0da1aab2b8ec635e1017c4c14f33e18beae29154f0125e1b19b35e1ad0a81cc7268e86da2747b6f27875f4594892deb1231dcb7c

\Windows\System32\snmptrap.exe

MD5 4281ab1ee24d6759c3d924aafeaa665a
SHA1 637c1daa3c1c7ec48ee500c9c326f35ee1928d1e
SHA256 2ce0cd432d906b91162170d06f4b2db0c68cddefbcc74f450ba2d4af4d694478
SHA512 fe6f7b795f608109b89bd7908dd3f0ea7a4b445744789c87db59b62df4c67c78a6085c695f26ac8146d00a2f4739d0d047fb51a4f8b6f8b7ffc0df69ae072982

C:\Windows\System32\snmptrap.exe

MD5 4281ab1ee24d6759c3d924aafeaa665a
SHA1 637c1daa3c1c7ec48ee500c9c326f35ee1928d1e
SHA256 2ce0cd432d906b91162170d06f4b2db0c68cddefbcc74f450ba2d4af4d694478
SHA512 fe6f7b795f608109b89bd7908dd3f0ea7a4b445744789c87db59b62df4c67c78a6085c695f26ac8146d00a2f4739d0d047fb51a4f8b6f8b7ffc0df69ae072982

\Windows\System32\vds.exe

MD5 c6f59dc225f23450e31ec8a1fc6ce984
SHA1 1330919f060803cd44653939238bc8e4bb1e9f80
SHA256 e57a8b22c63ea3ffe49683e6b94377ea46cf020de0bd87e93061f8c83e025050
SHA512 0cce47f176fd73a61de3943aa9286ba5ea74357f3817863c3e95dc0aeee83ace3cbb137f3b3cdf391a90af7b3915e523a7119c764458822d9555624ab67745b3

C:\Windows\System32\vds.exe

MD5 c6f59dc225f23450e31ec8a1fc6ce984
SHA1 1330919f060803cd44653939238bc8e4bb1e9f80
SHA256 e57a8b22c63ea3ffe49683e6b94377ea46cf020de0bd87e93061f8c83e025050
SHA512 0cce47f176fd73a61de3943aa9286ba5ea74357f3817863c3e95dc0aeee83ace3cbb137f3b3cdf391a90af7b3915e523a7119c764458822d9555624ab67745b3

memory/2280-491-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/2356-493-0x0000000100000000-0x00000001001ED000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 d738d2ebfedf241c2ad39e305daafda4
SHA1 0f3d114ecb417566ba696f2805fd169f7657298c
SHA256 521289ad3e28e41d314ad301e3dad2fad55f0344a8bf0199d9c6d696d3be951f
SHA512 34975ef615ab5ac3e52194cef52ea556dc19ed850cf464efcf96fe587753da548d5237640c06b34ad2dd4cfc0c0edbd3e508e1a02b2e4bfdb57464a07ebaada2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 ca3b3619d47dfaf26c80af96199ce690
SHA1 80ec2eaa87d72e712bb0746e475c57d3f2f7a6cc
SHA256 b6b4d799ee754e7a9c062a39426afbf1a00756713588fb5061ebfaf014d6bc9e
SHA512 6e35ec6066e49384b150703635272a28cf2bcf36e44f2044f4df69a5ca210649d650a587d17fbe862059c03b877ddd2ea104636947361b2a98a7612bca93d732

memory/2444-517-0x0000000100000000-0x000000010026B000-memory.dmp

memory/2548-520-0x0000000100000000-0x0000000100219000-memory.dmp

\Windows\System32\wbengine.exe

MD5 59878f2f224c548254e152178693fb6f
SHA1 cdf8752a51a86b33ae6e724c227c8f3ea718ba3d
SHA256 00f53c97774023101dbc5713dc6aaec8d24783d0fca3244763bfb976c45cc6e4
SHA512 a9d32e6578a6609650243a759c9bc1e823c5f3756aeafb02b09c1f26d6902b35bcd0e8b646966c0ead6048b6803ed725e39a289f8324c2132340d97c9476d98f

C:\Windows\System32\wbengine.exe

MD5 59878f2f224c548254e152178693fb6f
SHA1 cdf8752a51a86b33ae6e724c227c8f3ea718ba3d
SHA256 00f53c97774023101dbc5713dc6aaec8d24783d0fca3244763bfb976c45cc6e4
SHA512 a9d32e6578a6609650243a759c9bc1e823c5f3756aeafb02b09c1f26d6902b35bcd0e8b646966c0ead6048b6803ed725e39a289f8324c2132340d97c9476d98f

memory/2700-534-0x0000000100000000-0x0000000100202000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 84063e82663af836f911c33c79004477
SHA1 e733684a3f0de53f1a47646fb6c33e994d3482b1
SHA256 f734f17aebc9f4d3b574cba7b3fb4cd8e05e6f644d37f9b0b88de9cb2fff918c
SHA512 dbc7b0f858a4d3576b36b994ad280e72b2df048f0091e37a53b6622128ca861762d30bd0fbc5bc3267a0025338b8b6169348b4e0b36ca37cef09dfeb41bd1108

\Windows\System32\wbem\WmiApSrv.exe

MD5 84063e82663af836f911c33c79004477
SHA1 e733684a3f0de53f1a47646fb6c33e994d3482b1
SHA256 f734f17aebc9f4d3b574cba7b3fb4cd8e05e6f644d37f9b0b88de9cb2fff918c
SHA512 dbc7b0f858a4d3576b36b994ad280e72b2df048f0091e37a53b6622128ca861762d30bd0fbc5bc3267a0025338b8b6169348b4e0b36ca37cef09dfeb41bd1108

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 a3a3cfaf3ced5f349a1009bbc1416d78
SHA1 e3d1f91f943e81d8880f24c0467fa391bcae682a
SHA256 1f5c7141bb7a7ab4f0c013e5ad372a1ee701d54af51fc72a1612a738a320cf37
SHA512 6f9394e0d3548a207b4d95b2fb8cb50a7bb158c00ba43d41034feee63b7d093b347e7ebd30f2791e2a4b48e0a96b56736015048b68ee95665c21174722df2434

memory/2784-556-0x0000000100000000-0x000000010021B000-memory.dmp

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 799d113a8c86b6cbace6bcf31b44ae92
SHA1 3b65338cc2472593acd647d19a010ce29d08f31d
SHA256 fceef6857cf96621c3bde221105dc8693f33282826248d0af03be72cf4fb7624
SHA512 1aa44b19466184ee8ded91698da2bdf99d9b55b217a7b56f63e48af96e0aa932bdeaf90ec686151b312bc8def771015820d533e2bfd18a9b45d4dea4d8e6e3b9

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-04 18:39

Reported

2023-05-04 18:41

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

Signatures

DarkCloud

stealer darkcloud

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ffac0b9fea807a0f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005db54ca8c87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ef852a9c87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000315893a9c87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038071da8c87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ceea4a8c87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1b311aac87ed901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 2544 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
PID 4436 wrote to memory of 1644 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4436 wrote to memory of 1644 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4436 wrote to memory of 1864 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 4436 wrote to memory of 1864 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 40.125.122.151:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
FR 40.79.141.153:443 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
SG 72.5.161.12:80 knjghuig.biz tcp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 93.184.221.240:80 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 8.8.8.8:53 15.189.231.173.in-addr.arpa udp
US 8.8.8.8:53 10.126.251.63.in-addr.arpa udp
US 173.231.184.124:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 173.231.184.124:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 99.83.154.118:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 63.251.235.76:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 8.8.8.8:53 fwiwk.biz udp
US 199.21.76.77:80 deoci.biz tcp
US 99.83.154.118:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 63.251.235.76:80 tbjrpv.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 qaynky.biz udp
SG 63.251.126.10:80 qaynky.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 199.21.76.77:80 deoci.biz tcp
US 8.8.8.8:53 118.154.83.99.in-addr.arpa udp
US 8.8.8.8:53 76.235.251.63.in-addr.arpa udp
US 8.8.8.8:53 77.76.21.199.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 qaynky.biz udp
SG 63.251.126.10:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 63.251.106.25:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 173.231.184.122:80 dwrqljrr.biz tcp
US 63.251.106.25:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp

Files

memory/2544-133-0x00000000001B0000-0x000000000034A000-memory.dmp

memory/2544-134-0x0000000005240000-0x00000000057E4000-memory.dmp

memory/2544-135-0x0000000004BE0000-0x0000000004C72000-memory.dmp

memory/2544-136-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

memory/2544-137-0x0000000004E30000-0x0000000004E40000-memory.dmp

memory/2544-138-0x0000000004E30000-0x0000000004E40000-memory.dmp

memory/2544-139-0x00000000089B0000-0x0000000008A4C000-memory.dmp

memory/3952-140-0x0000000000400000-0x000000000065B000-memory.dmp

memory/3952-143-0x0000000000400000-0x000000000065B000-memory.dmp

memory/3952-144-0x0000000002EC0000-0x0000000002F26000-memory.dmp

memory/3952-149-0x0000000002EC0000-0x0000000002F26000-memory.dmp

C:\Windows\System32\alg.exe

MD5 75d2eda9aefa11dcb9aa17f178bccb51
SHA1 9ecef98a07ed55e56fd0b225ae2d0c6a427268db
SHA256 628446d6b7d660841fc35907165175ec5801653d7817885ba7107502f6d66f46
SHA512 b80cac9c46ea02b9785060163db949e2786bf7745a408c6f285f907b2600ae2c66636fd717c3207bb74a410aca6d2f91a4a82fb321e6437340f29f956787abfc

memory/1844-156-0x0000000000710000-0x0000000000770000-memory.dmp

memory/1844-162-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 97a28ffc81b1ff11826a6f2e35140626
SHA1 d782299659aefcff82e41d4e4a0a20186a6e2796
SHA256 2ffe97fe4024d1b2de134af63eeaa6243599643494c4678624d3c0bf569313f2
SHA512 b3340a152c5e74c63f678bc8d257d46560016993944bc74f7b0771a08a246b4e552f91e3fdf79e14c1b0bdad1f09c6ddd8b3d61139f64de047f51af47eaaf9a0

memory/2588-168-0x0000000000550000-0x00000000005B0000-memory.dmp

memory/3952-170-0x0000000000400000-0x000000000065B000-memory.dmp

memory/1844-172-0x0000000140000000-0x0000000140201000-memory.dmp

memory/2588-174-0x0000000140000000-0x0000000140200000-memory.dmp

memory/2588-177-0x0000000000550000-0x00000000005B0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 f371e283704b2bd5cd25ebdaa6d190ed
SHA1 92626e34da33c088439cd2a04ddf24c14d00d1d4
SHA256 047048a935b63cb8beea1b45435be9c17dd61cb33f111ad3d2305a39ca7587b4
SHA512 986dd212019c028f625989f6b3f3486abaad69b964ff30db6fd02de3ef683407a6ddb963d6f6b6c2097fbda47c379bf4cb98d1f69f5cbe061a28fcb746b05465

memory/4260-181-0x0000000000E30000-0x0000000000E90000-memory.dmp

memory/4260-187-0x0000000000E30000-0x0000000000E90000-memory.dmp

memory/4260-190-0x0000000000E30000-0x0000000000E90000-memory.dmp

memory/4260-195-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4612-196-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4612-193-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 067d3210b7cd3deedb89c4c88f87c4b2
SHA1 8ae9ecd76ca8857ddd57d2802e537a330c0b4b4f
SHA256 beda9335387d84ffa3caf6d905a73a9b219b16f751c8234c25b51064c25c75ff
SHA512 0ab14d976e271bea7485e155079202961cdd189957dc34f79415c982d61fc41d515b6d3e7145f297255908bb76d5e80966eef60b39d6db4000e1b04b7aac3279

memory/4612-201-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 2a006cf883489c8f505f50faa1da7030
SHA1 a3319c2804b1385b18cc99545bb4060936004f8b
SHA256 0b774af7faf19a73f6646a606def25eb81cd557153a47b458dec68e3705d14fc
SHA512 d2ce6e9f2a9ea5179201826f44ffe66e2b7913ea87ccee651eefa8efc536b5ab9b6aab54aab45c348a7f236eb5b216aa7b77f18187c84ae8fa0638fc22e4cca5

memory/3444-205-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/3444-211-0x0000000000190000-0x00000000001F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 33652f2015b675d08ba1ea87f954480f
SHA1 f1a3865b985e647ee38d6948b02d33b5c7578a72
SHA256 e1b71035854dc61c323f0a41f3dbb5aa4a71e5002ec2da6e7c01503a442847ec
SHA512 84048cf0da9ccefab0dd4012128553008a0c8460f179f0fe4d3db14b362d060f6ad1499eed29bba119cd05682edccd45f1ff206143360e6362ed96b710cac574

memory/3136-215-0x00000000022A0000-0x0000000002300000-memory.dmp

memory/3136-221-0x00000000022A0000-0x0000000002300000-memory.dmp

memory/3444-224-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3136-226-0x00000000022A0000-0x0000000002300000-memory.dmp

memory/3136-228-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 06851909f581f7a84a178f95102bf74d
SHA1 5ee682f492a1688621e5e20d1b84902846a620f1
SHA256 cebd356c5a6f6b46ae5def8a453d8dffe84d28d38566dc1e9e003f0dfa7e9d36
SHA512 0d9ee5818ae4f2b5eaaf0b29500be4277b5e4e6899e66bd95100260c4fb1249796752faaea9533a7327e9d4cc50bb28f5d33d2fa3b607e222aefd9774d0a252d

memory/4036-230-0x0000000000CC0000-0x0000000000D20000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 0d0fcbcafd0e242fc2a2c03634ba8efe
SHA1 f5b946cc537dfbac1d6c99e2768ad7d8c4cabab6
SHA256 afbd8fd3ae835a8bbcaf25cde3c9c5eaeb43ad71d10367e7ef68e66a77f2b055
SHA512 370c1333645282a7e5c3089d67b4a1d22671b3bf29d3b451d1acfaee35045a1df3cb382b5fefde8e1e960eae63cb5b458be4b3bfe62a272cb43d3fe6c4bfe62d

memory/4036-252-0x0000000140000000-0x0000000140210000-memory.dmp

memory/2760-254-0x0000000140000000-0x0000000140226000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 712d534f1eb75b10f76bef4a4ab5e51b
SHA1 830181c128931456ebfbc1fa3fd603dfec21e9e2
SHA256 972e1856418da0dc5fb726e098ecbd09416667a19b53197a5dbad3d475928ae8
SHA512 110267416743a5c6408f7afa12ba44db212266998b45c931fb53a1be2d27d624275dbca86ce2e12d64969e7919ac7d754c789c04e159e92a03d52def94d5720d

C:\Windows\SysWOW64\perfhost.exe

MD5 4020619d9b7bb2e9b4b1edb91a06c8a6
SHA1 c664d60110843bf051f97f24219df4c28704d7cd
SHA256 cf5f3483a004a73cf4c153f9fc2f386c2748895f6e241e905d266ac6fec0c509
SHA512 f07412259fba0bfe36c37cd60fb6e3af1f475bef0e7107964412319a71acd96ba161d48bc85bf8dbe1b7f2943e3d41c01d1e2b094c6d1e34503475ebe61bce75

C:\Windows\System32\Locator.exe

MD5 95d6760aa48d209227280596aabdac61
SHA1 fcd2793ae28c21ba17f6e8a3fb38958c866770bf
SHA256 34206d7b656a28bbea3cfa290ab02ad829a03957c8ae0e1fc766187e087f568c
SHA512 bcd9126eee02fd6c2611f8ba3cc72ec78af54733e7e39da19643a6ab409afb3d4c66fdf952b94a2277245f49ce28c4cb09a5e651f6ee90b05da51730fe43fffe

C:\Windows\System32\SensorDataService.exe

MD5 32d741869d6594548a4727578f9b8777
SHA1 1eeb8f5408bcc843359de01ea4e4cffb26322a14
SHA256 f8441cecb08607246f24d8588f282a56f4d919445d2c46f67e0461d5190520a7
SHA512 c6ff32a9c6b38ba555d74279dfb341838e6fc02fedcfa42e57218b140eb5f70308d35f515af30490d7d61ebd029ac63ee7d67c648bbe068b2c8a54d10a1f89bd

memory/3820-286-0x0000000140000000-0x0000000140202000-memory.dmp

memory/4724-288-0x0000000000400000-0x00000000005EE000-memory.dmp

memory/4732-290-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3352-293-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 ec6f03dd2f8ce3cb9be7c430435f74cb
SHA1 8c79f6c71f58f935516b13ea7e85a642508061d8
SHA256 1667ec884906a666d4abcfa961f35003df8fec6fe13f104912e031b3ad46474f
SHA512 4272aaafa057bf1d2b34d9d60160d80dfa28df245eddd7faed04d38981e79c1ecf06b03ee453981e1c1164d1d64671a8f6d2bd693fb68374506ddf926a75d2ae

C:\Windows\System32\Spectrum.exe

MD5 8db87e618da5b33d66eb7a70341582a2
SHA1 609b556923e92b162dd7957c20d2cf221deb2411
SHA256 40fd9f69090a7357cf7f1754a25ea08e2a136e81403b7188828154f70eea697f
SHA512 9f029430cc431cf6da2690ff91a556ab8079895fe64c6a7df49b57c90b610389bbec5e0b61ba461e939445f6dc655634c7928883c78317e730b7058c1810e7e6

memory/972-310-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/4644-311-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 749fe5c44e8c36cd2b2b1a36b3de3d7b
SHA1 fa13d3e87881b7da45ec474b5eeb7ffc11db2ba6
SHA256 7cb7a6e2fbc914d505d5816c73ea9ba804448b6ee3765125e8d545dd62f01827
SHA512 be0c55ab80f1293534f7e74fe43ce158f000d991c0c3cd3e826612c503b2646009d05b970daef13a58a8a1aa34f180916f6634343d409cee3c7da2aaf8836401

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 749fe5c44e8c36cd2b2b1a36b3de3d7b
SHA1 fa13d3e87881b7da45ec474b5eeb7ffc11db2ba6
SHA256 7cb7a6e2fbc914d505d5816c73ea9ba804448b6ee3765125e8d545dd62f01827
SHA512 be0c55ab80f1293534f7e74fe43ce158f000d991c0c3cd3e826612c503b2646009d05b970daef13a58a8a1aa34f180916f6634343d409cee3c7da2aaf8836401

C:\Windows\System32\TieringEngineService.exe

MD5 e0a76f0532552a9dd398b7569c960228
SHA1 8b584035b4e7b61912f49a1f8416a182dedcfec7
SHA256 162fb2e11d7867b9e67f2c12cf760c92deafcf32eb6af985bf2ec20d01608361
SHA512 8c9cfb374f03ff045673541a5ad6359f2ccf30478f56e947e0b4d1098923858edc8aeebb8c502258ca8dc0d7ac6c9ade70b3e7e580177a5d8ea8c036208bb1b1

memory/672-333-0x0000000140000000-0x0000000140259000-memory.dmp

memory/1172-335-0x0000000140000000-0x0000000140239000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 072030a2796b7d520fa4804cfab4efe2
SHA1 dcec67c5633570cc8960932c93ad030fe5d37416
SHA256 ce30523efc68a9342b1a4c84e4541d946a2fd93fe9a8080deb64c87dab6a4493
SHA512 64a36bd53cf35d370150f1149cdc68261d80393906f6f169aa1ff60ebbc06819ff32a48ba2030570ae0ae55148e15c3039e010431e4d97740deb06000e3c3be1

memory/2656-356-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 ec507e7533e931442c92e2e83054acbc
SHA1 91daf3b883ada6e7e7b3638036b44e331c55246f
SHA256 9e4471cea5aa3d2598e013e9fb2407bb607e90cb9532693937e4745e103caf34
SHA512 37ee227b51bd2794f5f4be0091e71f9d592a9d7bfa5e1d995110379d603cf23558d3491983d16da9ab574b758d39ee2336f0b55d073ad730b3e47664d49cb76c

C:\Windows\System32\VSSVC.exe

MD5 a740ece32f6cce0ac0af1d1d47681b29
SHA1 dff7b3c8939bd7fc55d980a556bbf3c1cfcb5e8b
SHA256 63075b0002f539afa02c5a0d72514093ab698a2b3b25cb67ca1390c00b827276
SHA512 5322b6d6076b2276bcdf3d2cdc4e668c2cee47f4ac9a61c3dc3151183f91882439a0c54609354a9730c3615a14ff3ef52b743f2745863bece1b9c8e1eb92616f

C:\Windows\System32\wbengine.exe

MD5 7ab2d38960c9e76e5d34f0baeec31c9c
SHA1 f171b3db7d9e94bfe2035291b47f2ce05fb78d18
SHA256 155112f10b6353e764f6ad5d0b1a1b73602a544b7b0dda983ccc7203053a22d3
SHA512 626ecefb9041c7adc87f052e1f10007399881e07a6372a8692a9026807f832af246addfdfa2a40f96f637116b0b5d02d6131259882c852bb0a38fb2eb117af21

memory/1696-378-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3788-382-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/516-384-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 385abe7657d36b71786f8b4793a5fed3
SHA1 6a0d17cec06ceeef702b51edfdfd944bd4e6ef48
SHA256 87cb2768582f61cc7ef01e745e83650139df1ecc903808ec939709f4d3052da3
SHA512 a85bbccd9a3895d8d5e289fea6efc5e290021264f030790f2827d5cedd20cbf265fd522d7f88c01403805a5c592689bcfac3019c337b5a30f186c5cbd7bcf3d7

memory/4816-401-0x0000000140000000-0x000000014021D000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 a594de02c20d879d239761a0252c3d60
SHA1 2d81671b67c3aadde85eb6f89367ff91a2936832
SHA256 d4ff1282097b17d4f290bd6dad91a69f160e408aff0f5d868416737a922e38bc
SHA512 39c7375b9ae37126646f1996bc914049fef177202fd53623e71845cfa3b84655f9e6f70d0ddf9b1f053d2e1ce3d3edb7e2d4b1e2a56c7c57995f234a06a6e408

memory/3952-454-0x0000000000400000-0x000000000065B000-memory.dmp

memory/2588-455-0x0000000140000000-0x0000000140200000-memory.dmp

memory/4436-456-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4612-471-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3444-485-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3352-520-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4644-542-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1172-570-0x0000000140000000-0x0000000140239000-memory.dmp

memory/3788-592-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/516-593-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4816-594-0x0000000140000000-0x000000014021D000-memory.dmp

memory/4436-608-0x0000000140000000-0x0000000140179000-memory.dmp

memory/1864-626-0x00000232A71A0000-0x00000232A71B0000-memory.dmp

memory/1864-627-0x00000232A71B0000-0x00000232A71B1000-memory.dmp

memory/1864-638-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

memory/1864-639-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

memory/1864-688-0x00000232A71D0000-0x00000232A71D2000-memory.dmp

memory/1864-740-0x00000232A71B0000-0x00000232A71B1000-memory.dmp

memory/1864-741-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

memory/1864-742-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 00cdb477331ad186c8033fdbfe2d7c32
SHA1 0d57eb41e90bde61a2009577cbfa8c3c1e784e76
SHA256 8a2f9f26d2da1eaa56c2c8686561922e3e7288faf13bf96046fb88c72d789a95
SHA512 a1cc248c2579c0933ee9fac88e00fbe41efefb5e1a6d677136a7420fe993f622c740c34d0e5084a74b1689dbca89d8bb45f2ef3291b6b1ce3773de0171d7bcc7

C:\Windows\system32\msiexec.exe

MD5 f0d96188907857e4fc61530db7fe9581
SHA1 34aa417f3c1286e2553063f41ef3474260118f48
SHA256 3c3b393c28b3513832580e9a14bac2b34b061ecd52142f57172bdcfb771f8f0e
SHA512 06182a97ceaa03a34a5d65dc751945bc58e71545cce7a47d77e63f40276b8d101a5d60e5ad01e9a5cdacf6d2aad6a06b2bc6b13d979473acbd9644c9fac8ab7f

C:\Windows\System32\SensorDataService.exe

MD5 c1d8cc5de3cdd3bc3aae4e2611c28f71
SHA1 a2c8ab0865b1ed0b0fcf0917bbcd5bcfb1c2b708
SHA256 5ef7edc4ecc3b2c41e0ec71dadf03be8b70ccc778542c535f8cf6126526fd8aa
SHA512 66901145f88b9948308be8c8b729a202cee2e1d4ff19b4c3f8d5376f111379a0fdbdc08ce6ef798468289b37fd1a1c93518237fecd1dda0903451b7b90f8458d

C:\Windows\system32\AgentService.exe

MD5 bdbbfd34621f88ffdfc29d39318e1ccd
SHA1 1feb1874f632f468a68a4f193614aedc4a5b45b9
SHA256 34f520cdba5d5d74c4802de4f01a719ff7d7049443eb1b305251b8e6786305d0
SHA512 c3d797142eb920c29b720e71597ccf89bc5722d4ddfd453542953b0f698c187f33b7adec1cd76c0a9aa28cd234a15ab04d6a30bf6d960aa93ca8591b2f6562fd

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 08115c21d9ff7bf67a3f18959060205f
SHA1 93a023b0235ea02693271cf2396b8575e0912f4b
SHA256 8cb551ee466ec692c12606d4b95b212a3beb1c41e21e64cd17609cdc30431886
SHA512 c611e06ed06d2df0767807db7abc6fc3497205fa85af21ede2be5a00b6d0254fbc14020de8da9258647047b2a96c694b1751dac724ca5cb04ebd989ffb225862

C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

MD5 5294ce3027c2cc4176f0b4fca98baf12
SHA1 10a87f4530129e287061519a2f6b8faf62679a0e
SHA256 7d3823a88b3915e372a1d8527d7417136d891bfcee981c63dcd9ac83d0bf959b
SHA512 e646592367048d8e955ae4c788439aa19058920565756539f5888713d062521d794c0d0ab3cbba92c84ec2de13a6e784cfd71f5d2c46acb5ff2e8cce4dba0a65

C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

MD5 9aa7043bcf790978fbd1b03f6d8c1ae9
SHA1 c796e18b3a4db215605b08530f4b312a850707b0
SHA256 e21570d5c8e4205c40ad202d95b71855af73ef40fa382077853029e18073e5c7
SHA512 c2b080909be3cef666a6879689d91d24526c33763e390e478f44f599bc03952bb5be3ef14675cf9159afb08881f247ee8dcea6f138f39c0be82297765d5ccd25

C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

MD5 bbc40a2bce4a7b6f3cb79105ac8900ab
SHA1 41891d263a95bcd18ecce1a4f786803dd3f36428
SHA256 22b7563c2a258ddf7f9966d1f5108c9d3a03031429207c7b2740e5841475d6d3
SHA512 ac07b3d15e4c2a5ff6813af02a4199cbb464abb86c5667fceb010372f25eac6218d699cce63be87a50ff439c33584af5902006abdcf49892cc5b4e7b9f728f8f