Malware Analysis Report

2025-06-15 19:50

Sample ID 240406-fl9r6sbh63
Target 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233
SHA256 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233

Threat Level: Shows suspicious behavior

The file 520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks processor information in registry

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 04:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 04:58

Reported

2024-04-06 05:01

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\98d0d3ee822cf6b9.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\javaw.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_hi.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_id.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\psmachine.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_sk.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_lt.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_mr.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_tr.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM33B2.tmp\goopdateres_sr.dll | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\TieringEngineService.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\AgentService.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

Image: C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"

Image: C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe

Image: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Image: C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

Image: C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe

Image: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

Image: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

Image: C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe

Image: \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

Image: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

Image: C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe

Image: C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe

Image: C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe

Image: C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe

Image: C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe

Image: C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe

Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

Image: C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe

Image: C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe

Image: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe

Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe

Image: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"

Image: C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
NL 35.204.181.10:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
ID 34.128.82.12:80 eufxebus.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
NL 34.91.32.224:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 34.29.71.138:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 34.174.206.7:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 34.94.245.237:80 tnevuluw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
ID 34.128.82.12:80 whjovd.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 reczwga.biz udp
US 34.67.9.172:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.168.225.46:80 bghjpy.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
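The table above records every DNS query and TCP connection the sample made, but the facts an analyst needs from it have to be pulled out by hand: which names were resolved, which of those were actually connected to (several, such as pywolwnvd.biz, zlenh.biz and uhxqin.biz, have a query row but no TCP row), and which IPs answer for many of the sample's domains (34.128.82.12 appears for ssbzmoy.biz, knjghuig.biz, vcddkls.biz, wllvnzb.biz, acwjcqqv.biz, warkcdu.biz, eufxebus.biz and whjovd.biz). The Python below is an added example, not part of the sandbox report: it parses rows in the table's own layout, keeps forward lookups apart from the PTR (in-addr.arpa) lookups, deduplicates repeated rows, and emits one Suricata dns.query rule per domain. SAMPLE_ROWS is a short excerpt copied from the table; the sid base is an arbitrary local-rules choice.

```python
"""Pull network IOCs out of the report's flattened "Network" table.

Added example, not part of the sandbox report. Assumes the table layout
shown above: one row per line, columns "Country Destination Domain Proto",
Destination written as ip:port. SAMPLE_ROWS is a short excerpt copied from
the table; the Suricata sid base is an arbitrary local-rules choice.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: a few rows copied from the Network table above.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<name>\S+)\s+(?P<proto>tcp|udp)$"
)


@dataclass
class NetworkIocs:
    resolvers: set = field(default_factory=set)        # DNS servers the sample queried
    queried_domains: set = field(default_factory=set)  # forward lookups
    reverse_lookups: set = field(default_factory=set)  # PTR names, kept apart as noise
    # domain -> {"ip:port", ...} for every non-DNS connection
    c2_endpoints: dict = field(default_factory=lambda: defaultdict(set))

    @property
    def all_domains(self):
        return self.queried_domains | set(self.c2_endpoints)

    @property
    def dns_only(self):
        """Names the sample looked up without a TCP row following in the table."""
        return self.queried_domains - set(self.c2_endpoints)

    def shared_hosts(self):
        """IPs that answered for more than one of the sample's domains."""
        by_ip = defaultdict(set)
        for domain, endpoints in self.c2_endpoints.items():
            for endpoint in endpoints:
                by_ip[endpoint.rsplit(":", 1)[0]].add(domain)
        return {ip: doms for ip, doms in by_ip.items() if len(doms) > 1}


def extract_iocs(table_text):
    iocs = NetworkIocs()
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        ip, port, name, proto = m["ip"], int(m["port"]), m["name"], m["proto"]
        if proto == "udp" and port == 53:
            iocs.resolvers.add(ip)
            if name.endswith(".in-addr.arpa"):
                # PTR lookups only restate IPs already captured; not new indicators.
                iocs.reverse_lookups.add(name)
            else:
                iocs.queried_domains.add(name)
        else:
            iocs.c2_endpoints[name].add(f"{ip}:{port}")  # set dedupes repeated rows
    return iocs


def suricata_dns_rules(iocs, sid_base=9000000):
    """One dns.query rule per domain, sorted so sids are stable across runs."""
    return [
        f'alert dns any any -> any any (msg:"Sandbox IOC DNS query {domain}"; '
        f'dns.query; content:"{domain}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, domain in enumerate(sorted(iocs.all_domains))
    ]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_ROWS)
    print("domains:", sorted(found.all_domains))
    print("dns only:", sorted(found.dns_only))
    print("shared hosts:", found.shared_hosts())
    print("\n".join(suricata_dns_rules(found)))
```

Paste the full table into SAMPLE_ROWS to run it over this detonation. Names in dns_only were queried but never followed by a TCP row here; they still belong on the block list, since a different run may get a different answer from the resolver.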

Files

memory/3276-0-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/3276-1-0x0000000000B90000-0x0000000000BF7000-memory.dmp

memory/3276-6-0x0000000000B90000-0x0000000000BF7000-memory.dmp

C:\Windows\System32\alg.exe

MD5 f9f4d81e1938f1b61620ddaae20d7a06
SHA1 32c1c370db5c13c8884245b6bffc2f0b8a491708
SHA256 0aa4b87f8209d8bf8311a3d78da0c9b71caab4f3cfd7abb9b9d1e927e503883c
SHA512 9fca0134d7c47b771f38bcddc75058f81a6cd91d3d32aeae6d9f29f706715fecbac7d56173c12e4a6c449d575a8c3c2cdc46fdef0241befe2308064c6953ead8

memory/3244-11-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/3244-12-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/3244-50-0x0000000000740000-0x00000000007A0000-memory.dmp

memory/3244-49-0x0000000000740000-0x00000000007A0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 bc488d6fa4e22f50ddbf2d1977f82201
SHA1 9ad728a16ed94592166f4fca00870f5958d2eac1
SHA256 974a88495b41f32da0c2830fcb6d87b81b163040bb9293d1b85ae37298fd5464
SHA512 21f77bb5b290b98106b7b71a22dbb52af0d4d42e078a5a90769630fa2bbda175658f1cc11d4892f308ca22470c62c495737fe93314a15bd259737a2f620ff35c

memory/1224-94-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1224-93-0x0000000000540000-0x00000000005A0000-memory.dmp

memory/1224-101-0x0000000000540000-0x00000000005A0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 c044292b1d8c2a4e48372837d346a4c6
SHA1 c40d3a9cfe39ff96c39f49ccfc9b9807288a2688
SHA256 455832291cb91f70fa0600be085c72c5183ffd0ff740ecdc8319d69a33ff6671
SHA512 ec78a6acc4caf8cfb7be8e278ab6e32fcadb7aa9071d72ade5a6cc7751e904fc66fd1c75948b6e2e0d49f5fc39b7012d25efad6b2f97d2863671624fcf69906f

memory/388-105-0x0000000140000000-0x0000000140135000-memory.dmp

memory/388-106-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/388-113-0x0000000000D80000-0x0000000000DE0000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 c7fe8aa4bf05e076a17192a7d6a64fab
SHA1 1b2541e95878bc8d8c7c059c960d5b8c1d8b238b
SHA256 98909b5558239f4ddef131c1ed0216a8e7ac8b9477aee1756c828d360c254d5b
SHA512 aa0df0f741e87eb05b99b790daeae07f8b533833621d6cd0307f6329b6b32c936798d3ba8b0c31a803430084f9a6e0bb52e9c09fcf46f362a88f13adbf4e3671

memory/3724-117-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3724-120-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/388-119-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/388-122-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3724-127-0x0000000000440000-0x00000000004A0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 7ce4152859191f6e001bec228f5f1d2c
SHA1 f3e7722e4dd3c12513bb03d3e20cd002d2cc23a4
SHA256 4f5cdb63fefa361e794975b7ea285d0f31e1253b3fcbc7b8c30b33e941a14b21
SHA512 4d6ec0b328c5a6318c7f898482d8213a35f1e20e75bb5852a7f522e67e9048f88cda1294cf5f92afe438f93248289139e0eadf48cf277232926bd274d68522d8

memory/1640-131-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3276-132-0x0000000000400000-0x00000000005D4000-memory.dmp

memory/1640-135-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1640-139-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/3244-143-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/4136-144-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/4136-146-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 eaf4e224975a0412816c73d6473eadb4
SHA1 b5ddd8811c854eb44d685b14b7d955ef0cc2e651
SHA256 27e6639b3dc65020214d4f5b0c8627674ff196bef478385ee2acbf3f86f0300f
SHA512 04bf296a40194063b8dc1eb7e934af3aeac7d360ca5b6fb251d580458a2b90cd59cd73cc98de2077b8aeddb3772457849fbdc14f63f211fd865c2c57172e2ce4

memory/4136-151-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/4136-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/4136-157-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 2c9ac88315ffe0fbbdd7efc1481c7c91
SHA1 f3b3396ee4253ba954606e23db6b732a206e97fb
SHA256 4a4e098f8305ea8025d03b995e2de747bb08c23908fb8c5d0e7872de96808d3e
SHA512 0db41ad447fc81d41da5716edbf1e41145896b092c21394df9322b0fc4d5f9a528170b296d7e6f4e6518cc9591da7572bddb2364e3c0b36e7e3b4c9c8abacc4f

memory/1224-159-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/392-160-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/392-161-0x0000000000D40000-0x0000000000DA0000-memory.dmp

memory/392-169-0x0000000000D40000-0x0000000000DA0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 a8982764f167310d263c93d17412f75e
SHA1 7da386238a7ffed26c9c1a9d2d503afc1de32fc6
SHA256 4dabf3d1be67d7bccbbd6e593e3df6e28cf896030255237b72006c940ea38b38
SHA512 9704c58feb3c2e3ccd0638f81d339719efa4433bc4d86c28ea94cc403130b91cdd811ea5e2fd5981b5353b13f6a82f1021b39e6d7f90254049046d908b663299

memory/3116-173-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3116-184-0x00000000008B0000-0x0000000000910000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 0029049f834ba1a9ad43710aecd3ee0a
SHA1 5dc966605afcd20090c4e742d104436bc25ed1ba
SHA256 fdd0f31f7bcb87d80fe9d746ac0488f49922c1f768d4f44578e04cf012c7f88e
SHA512 c5003508fdfcd4b540d9607b8ea2a1d270f9ac1e5e8eb52216019738d447379f1f9de0068ad1000ed18c389491a7a43a08057b7f3df379915c9a04251b16983d

memory/3724-189-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2016-191-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/2016-197-0x00000000007A0000-0x0000000000800000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 53c23b6c3b9f93e81578f4e12825cad5
SHA1 42e7df7cd25d8f1faacd6dbf98fbe8d78883bfff
SHA256 446ca8b3ce9bfdc8ccd5ff42c4d34e8afe02da80afed8eed7ab48f99ad4818a6
SHA512 3918f94717eb92e967d0ac9a7c283d7a77a35e399745a36f5de51de76a38f60659f80c782cf8ad57f8578b3ecccff64a8c0ca58f5cb436b096c1d7d12d4cb086

memory/1640-203-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1356-205-0x0000000000400000-0x0000000000497000-memory.dmp

memory/1356-209-0x0000000000680000-0x00000000006E7000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 02f437a823fec303d800babe992c3a9c
SHA1 1d33e515bfcf88a98eb6ab93802b8afa164103eb
SHA256 5e9a9adf92ef04576cdc160ac97bd94e31e67ab820e3717b3d28eaf8d4b972b9
SHA512 e1d6ddea3ec0372092250336af3c68597575b1d02045907ddc8ae777c92a7e403a47a82ca16b1a09f3be33056e1d8040877e1a6d823a4595550d6ee36d5ccfb5

memory/2008-213-0x0000000140000000-0x0000000140095000-memory.dmp

memory/2008-221-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 3fd51aa567cc378024354ea074bb8b44
SHA1 a65ceb23605f4461e62c5852b18ba3fb7e146940
SHA256 4b857156d32b5322c5317948b568a0ee333c014585d7b1c9924ba4db94d88c98
SHA512 d62dacba4ccc59333a8797177be516e01209931dfd955d5bbcc1f8efd80e8448107118c90da93c8d3d3e8530dce00a9e5abf37f7529dff512dba2153b3889ffd

memory/392-225-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/396-227-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/396-235-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 28c64775e65718bd152744f5b6b4a5c4
SHA1 ecc2fc5e9dbec447dcd3f0544526d896295a468b
SHA256 e17e882764622ae4499f8f89f9b7d293b92a239651850409c43ba53f8a71768c
SHA512 f2a9e66c1c5b101d6cc6bc1507ccf9966228aebc7b3543b9ca5a085bc8b658b8a6e7dcf118c82effbec9f55c1c69d72decb224807ca497b921745e51c18e1fbc

memory/4384-242-0x0000000140000000-0x0000000140096000-memory.dmp

memory/3116-239-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4384-248-0x0000000000700000-0x0000000000760000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 60590c19ef723a7fccb827805ff66e4e
SHA1 6e096c37bee8dcec96bd8b5f9581e8aa7717bbd3
SHA256 823dc68bc57d4a5c1d240c56f9f4d2edba8ab58a47b7d8279443e0273d0d9138
SHA512 78fc986b72f0ad6150fb4a2427ee1678a5e097603f89e1686d8de55a61dd5a27f547752584d1b6f5c186d01ec88de65c14315dd3e4f99ba047fb00503d3f2e96

memory/2016-252-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/532-253-0x0000000140000000-0x0000000140169000-memory.dmp

memory/532-261-0x0000000000790000-0x00000000007F0000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 81b60d0670b65720466cb09f7a65f323
SHA1 a84aa8798038cf23ed625201503b8ec4152d4898
SHA256 6074babd659e4742f9962454b1073198f9491e901d2ed372804b1fb8a968de08
SHA512 d92139a6de0df722ee70b53083ddd5970544b473ea0a2cba34d24ed3673b55a55e19b0e22d70fd3ce0622d41d4151cc3ccf03889bb1911fc8c6a6f20e221a048

memory/1356-266-0x0000000000400000-0x0000000000497000-memory.dmp

memory/2824-268-0x0000000140000000-0x0000000140102000-memory.dmp

memory/2824-275-0x0000000000EB0000-0x0000000000F10000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 e46a5cd7ddbb4892f61d2cf5f1a8a1d3
SHA1 12d5b155ee8a1cfb1c860e7a8ef0123f78d6496a
SHA256 fffa53141082d125ddd0a4b9520c57923c4c946cdc88ad422db302326292fd28
SHA512 7ec0c8f06cfe9cc0081ed35394c807c544cfa8c2f76f19d8eb973b0063f93cd20c1f9b34c22b4369f68ebe9aec1a252815e0c932539c0e6d4936a51f3b403e68

memory/2008-279-0x0000000140000000-0x0000000140095000-memory.dmp

memory/4084-281-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/4084-289-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 72b0a8ca97b891942832eca097bf5acb
SHA1 5e39a186f34bac477ea6d16cd19fe4ae5da87701
SHA256 c7783de38d8884fd395cf2cc9e410e03a7274364ecdddc5f16367d9559dc4756
SHA512 155b6274f3662fe6a662e0f45a9808ffa44f215fd9616afe16a0589d603a55f65057736e08247d32623537b25e3b6d7ac737ecf5ffd6ea2bc46db447eb9ab750

memory/396-292-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4564-294-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4564-304-0x0000000000580000-0x00000000005E0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 55f36741e13b1176f5d0acc27bfb9bcb
SHA1 14ef8cce4d21a08a67f079fdab010e676d26ede9
SHA256 71fec4d2677d1a2288894f118afd755c824f97ecefd748559808c0487a588c6d
SHA512 8da10ba169e4d83cf9a3356767730f4f2e67c96a9c5bb92ba2652655845d045494ba7301edb29ddb7a22741cfc5c65454877f9765f11cc08b2a989a865cad2a9

memory/4384-309-0x0000000140000000-0x0000000140096000-memory.dmp

memory/864-312-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4564-310-0x0000000000580000-0x00000000005E0000-memory.dmp

memory/4564-308-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4384-319-0x0000000000700000-0x0000000000760000-memory.dmp

memory/864-320-0x0000000000BB0000-0x0000000000C10000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 2047c5b9f6c3c5cdc1d043572bd6273d
SHA1 575080dfc58f9901ad6df45c21914dee5c3510d6
SHA256 4f765b61396900ba565df833bb8c69dfd432ffa88b053efa85c08e952db38c34
SHA512 b108c9f8419e1c54aefa9b433ac66731b04a816703e4737847068eb4bc7ad1ac638e880de78d774cf835272059fb9bb33e500d82300acfab4131d17653d2fe7b

memory/532-323-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2452-324-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2452-332-0x0000000000750000-0x00000000007B0000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 253e531f3771a9517aaf9d226ee830e5
SHA1 bd09d2f3cece0fc96c1cdaec9b1455a491d663d3
SHA256 a416cd68a79c88a00710a5c80885fd9f1f32823047d473d1e9db99ef85f91bac
SHA512 ec81742a3ff2a5472d4dcc1748d22d8954ad89937dba59f3c8e668294a06d8c317d5d2a03bc1c7d0991b6158177602b3fe009598a14d969a5f50fb3c80643221

memory/4388-338-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2824-336-0x0000000140000000-0x0000000140102000-memory.dmp

memory/4388-347-0x0000000000770000-0x00000000007D0000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 88f7a3f9db2c4e2d8d8e1f4c20f650c8
SHA1 60f7097145d80aed1a4215ddf966dea6f2d24dfd
SHA256 6e348feb14e70e69815d05c1459919641ea4c3092763c05e2b8de34d09e3c466
SHA512 5b055dcae1546ca66c986a073b363a52e6100c1f7562f2a87fec119af952c6c11fd36d37dabb5a46b3629ee1ded3968209adb5bb414f311d8c4582f2b958f840

memory/4084-349-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/4588-422-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3276-432-0x0000000000400000-0x00000000005D4000-memory.dmp

C:\Windows\system32\SgrmBroker.exe

MD5 c4af3e6a53d629c6e12141262eff8a62
SHA1 8a0b1dd393f340736c20084fbdca309969c3096d
SHA256 c6161d403a962b1823632ead00f70a2091145c1023c973a856bc7962e1f729df
SHA512 d3928d7824933bd610409717542a08f059be67f0a68a4564e3932e31c0f3a8dfca06c1e9e542756b2c86e0d1bcbeda587d968b7a2f289d0e28b26a67ffd76385

C:\Windows\system32\msiexec.exe

MD5 ff20d29a8d196e605dc4633da82de689
SHA1 85817c11c5dfebfc77b592910bd0ea8a20b7daf4
SHA256 33303ebbd63fd681365b0feee6e6370a0af5ee5609179986cb4d10e22bc80fff
SHA512 70ec4a876df265789c17c7d90cb27ec27c929da15a1f88ae03cf17e79163ff961a45ee7da052ad30d49af079599dfc9399dc9b24bb2c9b0afac61bf819c8cf65

memory/4588-437-0x0000000000790000-0x00000000007F0000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 39351a4576d274123c5a94720e36189e
SHA1 4326794a82890fc4bdd0af6f81a8cfa86837cc3e
SHA256 e2483dcde5077980dc3d30d45069775934ebda6562c4f3812a0485ff936fa73d
SHA512 80fa318eab793c40c50dcdbe6ca8401fec62b131d2f39a59c8624a0bb863dabbfb72327db576f402553702dd2b6fc34fe25b6932e02b3298a75af0c8c2e4c809

memory/396-599-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/396-600-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/864-601-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 a92cefaa22c66578d39317d7e60d833e
SHA1 533d19545d46d1ced89417a7c7f5406a9c4f238e
SHA256 1a084deffdacaee05a80ff1b39dfea42cc08de20dc108eac9884b3aa32c3f02b
SHA512 81c1238650b001f161e8b22e1b43b0e6e5f30fd6a3afcf20bc4413921d13550db10f5e1c7c0aaffe77798eea7228321951aff9f707e05aa9a0277be83d2a11a3

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 1b29d28ed3e424e901ca8f7e5cc8f07b
SHA1 11806ee5668b74388000da454ab8fe8aadd9be7d
SHA256 0adc5297d567ee60c2d618d288c2709be98afaf94d6b3317be6c027c8da260ec
SHA512 58a232d001fb0f4f26fcff6c7071f0489684ec909a98f41a9e2c650e6dffacb8cff1c9297811bace0f2e4e8993d7952d11ccba1fbee3e7100040e26f699d92cf

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 9a9886658aef563133db2eb4e5a39680
SHA1 d14e276b9a300b93bede0752c0df649d4cf5bbeb
SHA256 a69e33ec04375099bfd95c0715eb4779db4d9556eff809e61b41e6043fe516a3
SHA512 448a7bf5867aab51b940731229f87570344a4976a46c0526cbade234e270ef5df643d9d696e0ba12ecbe74a0bef442fe902078191b6dd1bcdb59cb021d0360d9

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 709fcebdadf4eebc6de28487bc3aaf7c
SHA1 7f59b545b31b899a050acdad48aeff11fbf16499
SHA256 4676b58ffcd3d7a89c985fb6c2fa8a6cab390831aac31ad9b5939d25ab05c992
SHA512 8f0e35cbcce929585ab55bca2c42c52918b065f107f65ca0cef4f64ac6c085e5d7da43919051f971c0ac9c2d6cd28061890b851533d5e0e7a1c12ed663ecdf76

C:\Program Files\7-Zip\Uninstall.exe

MD5 6f72a7dff29901b7a101d5a8249cec32
SHA1 f2467a86ec2ccddaf16e746dbc528b58f17a9270
SHA256 6aae04c46299d3d2864f29d16575c7f0747d839eb11873d27b57ac345d2f7b0b
SHA512 38b3af08fcf40c3bc216910a06ab2234960da3335bfdc06963b90b23009893e3c0301036ff9fd4f822f8b838cc5fe7557ad69c9a1017658934e68b8af91ad82e

C:\Program Files\7-Zip\7zG.exe

MD5 65af1f23bbcc0f1f5af2dacfaa43b69f
SHA1 bc0c5d69ba6078863aa04c83c1cb2754e4d83639
SHA256 b40a62e5087e7a4596644f9eceab182631353f171ede86f681214f8f23fb147b
SHA512 0a6d507f8e7559615f7c9c192f0935a03250a9acd6d1af7fdf302066792cce3a5847f4978fa66fbee92558eca878d2786ea9d13071952f3158f302c5e2c39393

C:\Program Files\7-Zip\7zFM.exe

MD5 0671e60d730f54c414880156dd736df1
SHA1 ab0d8fd337109ecaf6d19a03a986d612ceb0ecc8
SHA256 7c5372be0447eadcf99d6dbc63f72ab1645a398d546bed2e6431fc9053e3b984
SHA512 63d04809716f23ff26798e42f6c069c723ac93e8ab3fcfaae483d35e3567997421cccad5ad60131cfc184f1bb1103649a4507f354024a3ab6d4358085bd00cf7

C:\Program Files\7-Zip\7z.exe

MD5 bea68761b68afe4197a30796798d4942
SHA1 4f8c5070b5df2cc50a4364f85eb35ae11078e9ca
SHA256 6831b24b6e6270a6400c5052606060a3a51398302ec23deb03ff5a02a490fa11
SHA512 097dff0a83fe097b2f910f46ce448fc6846805ec99cee5f94d7d26596515d0dc5b1095dcdf8e0ca6376a2c49a30931fd0868dd9234986d778cc9c0b0f5bda1ea

C:\odt\office2016setup.exe

MD5 b590413ed93bef6df9c9f10bb8b7aa46
SHA1 9bf5202c8358ba0c3529cc328d40127bca4b39db
SHA256 b1d25849392dabc5bbda88e64a1ce22c4ac3abdd9e601792b87a76f38ca08ccf
SHA512 12cf74ecc1548abb77b54228ab11f8dea10d5c2f67f4d0f2067d452225587dcbca7e3af846a280cde3d7d20735846b3b3890549c46b8ffdb159a26e41e57494c

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 16ad5d591e18a1bd48b70ca458674d0a
SHA1 8d86dee9903a406736e652645549b2a7c100de48
SHA256 5b91ec8a7d274a83ee11f353589c6cdbdfa0fe4a11ee0f1ab535039963015703
SHA512 2d902d98193067f27e0d831a7236c33d04fc174bb8302420da47a2a6337c6d2aa67a0fa0611ff1676f945a1d8cc7550910d93e8c0c72c4592fbd16243bcbda6b

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 1efc21509570da7aa70a21cfcee8e42f
SHA1 4d493768dc76cd8881bb612c5fb0488a4e5a0c13
SHA256 05d8355a20ad1f44ddfc1af59c7231be54e44cf2359fcd4c640d8f16320a9b8f
SHA512 78d402e1f33d681e0317709db230ecf9a6d2270e4d4d49ae68d54a1b08a9ae7c86d7b320242e470a848b32cdd6b5ed5facaca86638126cd855453bde547d3231

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 d3cc3cd61458e97ba2fab871b515a06f
SHA1 2bea9cf808da09fcb12ac5dc0e62f8a87d36971b
SHA256 416587b2a67d258fc4e33eb32a34f92f5afe20a74d2d13f30624d1663c1aafe7
SHA512 a982d5ad4aac7173af20e72e95c9269666d5f98985863688a7b65bc9852b7fbe895c1d1b35ee41841943e5b98af66faf260877d7f7425f7186560849dca88daa

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 692f19af04a70b08d704251797c6a70a
SHA1 1a3be1776c3736ff5b04572c47a71f454bbf06ec
SHA256 08bb956139c1878e900f7ded82576cb245a43d3c4138930c3786346c8ad990df
SHA512 1267648305b8e11503c003194ffc6bee05d4c6d3ee197ebaae2acd01d7b2d89d9aa0cdd2ac36776e102f18fa03d139b7d5e5e2497e58164e9a1853a2a61155e0

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 b2a1f915cd77a2b7a2f09c3ad3cdcf3d
SHA1 0dffd20ed10f2e356083bd861716d9af25c1c04a
SHA256 45f13dc29d3a43b1aed876f1aaffa539a5760dfa3cded406bc3474a6a2d15464
SHA512 b20ba58fcc9e293e390dcf6acab3fccf0cff0e6a4021b0725af4fca2f67cc0011dae209ba6d061aa5c3eb2d716d9f648df995e9efce3692add3c98c7847afb30

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 161ea79ef1e8f250fe4e79c7875e263d
SHA1 ddcc7af2eb12686388c70dccaf837fb401f6052c
SHA256 4f18934da01e8ba662b92d87b5acb7b075b55852b9c616c9ff75554f6ee7e5ca
SHA512 fc55e9248b811ddeb6a5032508df23ab896d5956f6e33a391c320bae9fbee546a57a7cedef457f6727c42c26477180e5ac9f24c394806c8d52c0e6c44aeec6b1

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 7af785d2e419db356ed95c699e6f904b
SHA1 4c6b87ff7d82a2134492a42f77998c680ca477fd
SHA256 9f9110ab703dcd5330ee04ccdc541b3cadb93940e182212b4323ad6781d32ad4
SHA512 1947d71e8ced6c2352e1c24a1c0e434fad25a26564ec83c9e73bb0af60c401d1830bbb53d4e05d90712421b18bb72a06b29c1ee1c6fe0025f18da4c55d551891

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 341718e41c9bd94b0e17c0d61d4dab1e
SHA1 669e7701a327a20e236a33749e4d4adc61d42d6a
SHA256 cf0b3b0de9e51ab86767300b51d3f352e9cde258fe09d00e0262a60a289c2a27
SHA512 54ff1029e322e6582a9b9e6e01080789cc7f3b6f11a55c3129f76c9dd5eb799500186a49eded889d6499838d312ca43cdab9b32ae810c3f4b1c1e5b6b1b2a780

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 b0e5f11aedb7edf11e74d0070ef2b32e
SHA1 2e82c08f8a490232ef32c46717cb5dbccead2af5
SHA256 e1c3ade0c0c8bfc8586948ddfa0a482f6ff7655e1563661a341301916b71acef
SHA512 2481b864cb4c37a7e0dbe49f17e5aa488be2bacbc29b98bf954cde859c6e941d368ac4037989f0926c3a73ce0773e7adf5630e019b609036623612d7ecc2293e

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 687afdd48595b21f1ae24364865d3085
SHA1 56a87bded1c21d916ed8506f2601cb3d7f8caa23
SHA256 f0158ffd0f7eeccbea51e00545f48ae2acc76523a403ad4fd0c92f6efd719baf
SHA512 d3f11c83882bc482896ed76f379e3066e3f4322d36a0ea7622d5acc8edc0579d544d6567294553577fe885a986aa7d29da5c0d799738ea02da154a280c2e2cee

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 1f4996102cd8b10aa01ef370574e7478
SHA1 0b32b17231079cced9b48f4d8b053fe93aa46489
SHA256 6260178f4c8929c822acc539d4c335f8c1d852d7c13b2770153577224671c041
SHA512 c47d85ced2327134bf9e41b85bcefa6470e15b81b9eb266fca33980a427f21ba8ac50aa65eab51f8733005bfe24ca6e3161e03a0d3acdf439bfd1596fd5c1f35

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 fa7c1df169565f3cfd1be0ab239bc5e2
SHA1 183b830cbbadac1269dc135a2426892006b881f0
SHA256 a1bc0c3bd88fe261917229e80d41925a5beec42840d7e3419eb736907e417f86
SHA512 8a166a7563c7cd1248c75c1805ccdec19ce695220223320d4b9cb1d31a18b9ce965a42bfe3ab61dd8e45c12300ab2ddce8b32b21252b0d209af0cc96d6c70256

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 75801b261e8f0ee8654206ca78267448
SHA1 fb10a59c5da7dcad714cd8e278d4e41abae3d49a
SHA256 e2a4f57aa0f99eb15fd619f037a078fa2fd6b6afc9a448178b20e5f6e1d2a6e2
SHA512 3d45bd4a43d160084d81b51d61d0c000c82dc84d736a1098db530854874f23c5b742d4606facca982742c92fcdbad2e20135ae6150fb55c3fb447c5c3b68d9bf

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 8eb9addb02600166b5ed0a09bcfd9b92
SHA1 42fc1f7d842f1b4e10413e2d65f50555a50b27ba
SHA256 15b1cc72468bc48e4135b64f2d911cfdba51fe417c31b25e11c051ac3045bb48
SHA512 aed0b6e1e986c48de28bf456a5de5e4ef36e74d65b48c5ff671c093c9b41207acc5c8b139283f428a68ae492dfc4e1eedf4fd04a18b17a9a3278e596468f2c79

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 5b7db5e1651718670d4c87c0d5a90d82
SHA1 eca1f1a6501f02cad6aaaf5c92dc33d06875e752
SHA256 41aaad23f17952e2c8c699e789f3492aa047cb57b338e91e99a13c904f19d0fa
SHA512 6602cdda9dd0d091376b5c2cdc910a3dbe0593ad1458d30ce209164ffbc84c4f306ed23744a43bfc29d9a574065921310b6686aa462f4feb6c67965cfc6dae17

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 161f49609e73d1ce1967c73c4eb0e30d
SHA1 4c2aeb01f66424b7f7d9424fd976de8299afd4f3
SHA256 9458e81b6b515de755fd002035abdb314a45c480ffbafb3b6f7853134a467ed2
SHA512 5d5330c01b3694ab1e863a8230840616873c7d31138c1403e2660579a1622a5f88f4a35311a7243d8795b758309b21ff0177df65d65303fdbeabc9525a6766da

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 30732e6c935872327dc8d1e01ce76ed6
SHA1 90a4c2416f405037ba86bfd629b989bb045c4e95
SHA256 678d5ef9a43e6eec4c220718bb47571941d5a59c3bf0174eb6bbc60e46543c02
SHA512 ec444f39a6a41a629da5a547a2cd7da50937e56c1a77e651833fec550e3aa7946e8afe0ec51bd2028df74858b3635a2f65181ed8540751c6417389a5c20fe369

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 d7c480c4bab2a6e88d01ebc414cab283
SHA1 297d334dcf125256851b7e35b5be6d9ae1b3336b
SHA256 223d7f02160e62fdbbf4d63e6d12fb2e173da681cc38372123c680b8b7455c9d
SHA512 1ffea55d3c58dad1aac4601d887547166d6819037c8b464225da1e1b9517aa758d1a82e3b222d4d44b9ca2973233ae5b947c7df1cb5163a7d41fc5c73f4a2825

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 ff8f05f6ceef29f06fee9f8cd016670f
SHA1 24bd6ced48c2b5778f10414393de66c1a75596db
SHA256 10526726ace745911632d6da33d59002de1770ff36e0d19edf47971d28072f14
SHA512 90ddb3e79bc82c59fe450266d094e1603fd0b3745373818cf5676bfe2724c2695ec35fe841851fd68140cc14d74bd0cafdab149a975a9f1f3e71dfa5f009424d

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 a4965f8e5b2680f1a5f0d37a1ff74bce
SHA1 41d32f39a0fdd480d8c2d48e9138ed7ada34258f
SHA256 b75a91e85687ab4a9646c15a88e503574796090c86997efa3b5215ebfdd29f90
SHA512 580af6f6063b82328cae34419128a4844669d45b8f0fb6df6be1db41d0e61cc55a9df5e53584fff13522a825910ade10cfc905cec792afe1083dcabc5b7fc4ef

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 d44f7900bdafbcc620db5a92aa3d1e9a
SHA1 07275b5d427870fd86a12c366ff76b11fc0fb24e
SHA256 1f62768c920379f1b47e2a46e33b1a6dc28d086caeabcd5b0b815f55ecd36c38
SHA512 2e17eb3cbdc5bfbeaaf23f07250c013e02ec378e52189097f76dc04f78611170c89a8826451219fcaf552f1c070833f5f5952b33d8e2aa0a361f5684a1c268d6

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 b104a87e2c06f49e0fd37962c3eaeeea
SHA1 c95771c3af006c1e720fd760bbff97f413199c90
SHA256 dc7bc33b3d6f38187b9a8308c33c1b653603362b8f09456440e619913ee2c1e7
SHA512 72f7d5680534d795039e384ba5635015737295b6573f117118d2d8ddbaad4ad172f243cfa57730ad9cf4c5c8ee694a9967258686f459b216de02e63785125308

C:\Program Files\dotnet\dotnet.exe

MD5 ccc63ed6ea22de6806e260127753ce24
SHA1 2d5b025fca8f28c3d199ee0b264f51e09b5506c6
SHA256 85dbabebf455ef9d2be11566f2d1774d3bec9781b59d5cccc872d67f5bfdd510
SHA512 8a9b462ded1a854cd79fc0c2a169d74969a165c62809d692c1f53c4f42a8b729190d71bb8297dda53e428289a1191286fa766c36ea6a5ea168ecc60e7b66b500

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 cd944c9ea6d908422e35f51f5455878d
SHA1 28dffb4de1a3101597a303690caaaf6901234d4b
SHA256 a9a61bd29e0f17c2ba2d5c5662af261d5bc2ae68dde3ae95bd9b2123ab3fcc85
SHA512 034fb2d547b1a8db26bc8f3ba8c5b1397de9d6fa29d96bd7897c4f8d12cbd1fd8f6e0d6b9fda6d1bae2691a0bdf4210264861212d5539f91d151c14af0f99b23

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 a32148fc1ab85d7612fbe7574d6fd3b1
SHA1 89140e6f00d533c7dfbe10775ff85d6efa462220
SHA256 6581dcbef61a3f7e60004e41ad0a071ab900e3c1e2b47577338b2febddee1417
SHA512 3260d50e56368d51c1a082a0e032c0ba6e1b3a3d20d3f215ed6e961c613b1bb28b303a4b43ed69dcae5c8b8da816678b9bb259115635f0e28c1d585f16a361e3

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 651ee71df6cbe58fdcc25cf23f09a381
SHA1 63334a87a69d41cade2eb545762c7d563cbea724
SHA256 1c0b2de09a79e6fda477b6ce05d76107cc573ad9e0d5c58dae9a87220168f057
SHA512 d99456ebedff0be6077620d274b2823a01227139ad8330308ab700bb4a6b8ff4ffc83831c951458ef2f2bd1daae5df21dd4275bb6f1806262fef5534b4f6ef7a

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 04:58

Reported

2024-04-06 05:01

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\42746d554501ed38.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_is.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sr.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_en.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_fil.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_en-GB.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_sl.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdate.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_pt-PT.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_gu.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_ko.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\psuser.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_id.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_hi.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM4200.tmp\goopdateres_hu.dll C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [binary value not shown in report] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1984 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 3068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1644 wrote to memory of 2888 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe

"C:\Users\Admin\AppData\Local\Temp\520acfcdeb4efcd8526c6d08bca7113a9f75c4a67be81b66486b2f2e57fec233.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 24c -NGENProcess 258 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 25c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 260 -NGENProcess 258 -Pipe 23c -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 248 -NGENProcess 1d0 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 258 -NGENProcess 280 -Pipe 248 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp

Files

\Windows\System32\alg.exe

MD5 fe9a827770762229edb3cd42f9b78d72
SHA1 8c66a49fbce6a3be013f8f4b02eddacf13ec1a77
SHA256 36b785d31a133a33da6803235d79090eb5943f8f52807e1d4bae4dc9f90f5740
SHA512 d07674e8d2914d4910fbff029e160c4cb3da6503ad43fc983a0f2466d5a8f81a88969acd2e76fc7049ca41900a36ed61a03f5a7aab6696e5647e43b6f37303bb

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 4a2ecdf6f04540820add878b23b14f9f
SHA1 f4a2e5b8b89193c20997da47fa46b0c2863055af
SHA256 76f7182915fbfdb185988523cafb33099e13b1d08a36c346beed128f52ab7c97
SHA512 e35eb09d1296472b7642370c67090efdefc3957e8fbbd5c6f098cbf98dec358ef7fdf420f3c00a43a9b1f17e30ed5d46d776150dc745975785247b09a3a59c86

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 6b483882d3efaaed6197639f1fc0d5fd
SHA1 5a12a294297c4468d3e7fcbcaf4b2046c70ce511
SHA256 537c34a4476f7554b9dbce90ea769382cbdd346d7a1bc725f8b301855cc30db6
SHA512 529aafb521a72146ee5406205454360bc6705c9960142f9ad2769491279036a683050e52426f5d597f97bc1b0407262a46c0822535ce04c46e41635480b3915b

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 978dbf6f14458e0811de59593aa18a5e
SHA1 7d43f38bd2bb28076e61fc91c7712ed5fe9c2a79
SHA256 5c42f7658069f48ea754c6fe49054f64a240f31485aebb0e78e3e99c1aa58c44
SHA512 9d659f7198154b4464736cc0b2c6ea508b7b2697b9b5f8543e0f5ca98c5b7e1f1982ca75556bab17f3099ab0d9b1a4450d67eff631a6277716e856a1dca27d27

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 8a8143fa57125e9700d009165dbc8337
SHA1 87148248cf27767f7d9a2cc208e130c840a6e22f
SHA256 7c22945dbf12ddd63eadee8cf5bf6cc310411754b014419cd5bc8c17167ec407
SHA512 3b8f93773b79aba21b8a9fa15e4f296102ffa490f494abd52b6e1c94d5d0e0777233021af9b1d48b96bab4bf142496dc772f117417f699b5a3895a77d4aa7dce

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 1896464795dc0ff77ab5e801afbf6e68
SHA1 cc165c79038cca8144b65aedb2b23abc14582724
SHA256 005a1a88d39684c44e4029cdc047f6284d103bee2badcf9ef39fe94d491d7ddc
SHA512 1b1371a67d4673bf5c0a9feb81c5d69302f4717b8b56baac6ab67d87a15d344b92fe78347016149497193925d3527d67aeb126f363130cffb26a19b0999fbd70

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 a30873eaff0fd7ed9d7bcc24c2f0f856
SHA1 3427e19fb2bb620b1ae3b44b09d27f9fa5474e63
SHA256 c6df266f197b34b3df7adfde12848f1dff188ece106099e1e2d1bfad29f42c78
SHA512 e4c735f2ad7591c8c71601c9377191c39b4452d30c8734538dae4d242407b4a92f579a33306e52efc1e8482a13d76c079b77c121c1d218a65827142bcaecacfe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 1f2353793a4150c18662250c93356952
SHA1 0ba133351a031d5a7c239ba3260471c92d4341c7
SHA256 023839ef116a5b957d0c1838be26aff5ea39ab893edfc6af7e27a12abd71c4fc
SHA512 9be68940c15b9e731f46f388c01cb176b3b2506d0015eb5d7bb496b6a0b7325b01706527d7458e3e9e3112410774d70383f17290ed042d538506f355eb050f2f

\Windows\ehome\ehrecvr.exe

MD5 2ab88eae2c80df542a7d86587ffd902b
SHA1 d2222ede2781dcade86946ba4c757c16ae32b39a
SHA256 45be59e3423c89d58ff10b5500c6769faee4053d92e0b8467d5e61a9f3958f12
SHA512 e1e95d6972ea7bb36ede3d7877de6f73357b0774a23c65fe84a3662f9c6bed45180bf0206d66b6e1ca1cf59f0a72564450ccabd27d5c8863b2a34e7701f8063c

\Windows\ehome\ehsched.exe

MD5 cdccc0c01076277aa45a302ebdfd4a83
SHA1 f669cb064aac2615567ab7ea73aa079123c51432
SHA256 4accf740555536b10f2f8425e2fdbb241d09bb833323ef3d4d4cad7b590a88cc
SHA512 d9e631b6f35147b1eeb068c2ad7d9b5e950354ca7102afaaba657de4a04a9a308df6a4e97650e1dca377d0ea1b430a13ecafbff58cf7fb2d032d1f4db2228009

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 282fe11fa77fe76e635a12cdf4790d0f
SHA1 1042b8b672afce073d7e3e0f7c2761ec44e0033a
SHA256 e093620acb26b5c89ae2e28482274ce08856f57d0cf21d22f9286c5c6292908b
SHA512 b05d1e53c21bb6f763dacc6313e66c3a59a6dd507c0c08507c80250d2ffe50fc72d9b16db8ecf842cc067b385b28eec862f15e11aa4d4020e6c5b8eacb7f7ac7

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 27c95818648fb0cdcd6f32c0a8877716
SHA1 e6728a45c156e7ae47390713e8fa75bf45e3fcea
SHA256 8c56270919b2f7949c2cdeecb1f1068d79159e7ea77d5908396141582e1dead8
SHA512 91baf4d4a17a0c13489404a54f5d10fd16f60ec99fe80cce6448dd94ecdc9698b1a9e1ebfb88cef1416ebfa52d5efd6c1f785faccd9df2872dbd8420491f217b

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 319f7e43a9ae3b3735204065dcbd79f9
SHA1 9f63cf2c99ba51ac2cf09d3ab4d9d319c0c8184a
SHA256 1fbedeb538c9129707b83fb006d1b1752ec32f3e1b9cea2da5ddde0e9c22e9a9
SHA512 b2df7d79fa5d2d84905a919190c3b77cd108ce30e4fe8ca341e000d335f98dd941ee21050e1c09cef44f30b0cf5199ce88d5a54d0820bce674d06f8d20472098

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 265dc44f0d794400e5f67c9ca17c9360
SHA1 3785eaad7fb95c3c5897daae86f84024ef30896b
SHA256 38223a7141e5dcde3081c8d6df5d0ffa69553519373c370ea4a1550a5b39b4c2
SHA512 00b045d7eec1a8556eb2fe3039bdb247c9c6fea00320e3d50e05c23c5af41301a37d6fa63eaec1fb5aff9225145a559baf430e00ec04a96db61b002be6f47921

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 6abc21e2915ce98788f18bb74f0291fc
SHA1 3290650e08d516c6e16425defed28938979deefe
SHA256 0c9aa17d8847e8c5a9a118aa09c3f3eb6fcd89586d7d76e5e8f7558873308c5b
SHA512 74c3bf1b8791be443ced3cd56f691224a65d5f5816022ac037005099381b0029f81284d1aa88131a21927d919e7174ba5ed712178b8bb8333614c344c6d78921