Malware Analysis Report

2025-06-15 19:50

Sample ID 240406-fmy23abh83
Target fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3
SHA256 fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3

Threat Level: Shows suspicious behavior

The file fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 05:00

Reported

2024-04-06 05:02

Platform

win7-20240215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\a29dfb18bfe435d8.bin C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\GroupRestart.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [binary value omitted] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2656 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2820 wrote to memory of 2964 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe

"C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 184 -NGENProcess 1ac -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1d4 -NGENProcess 244 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 254 -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 264 -NGENProcess 244 -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 250 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 26c -NGENProcess 168 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 274 -NGENProcess 260 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 27c -NGENProcess 1ac -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 27c -NGENProcess 274 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 288 -NGENProcess 1ac -Pipe 1e0 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto

Files

memory/1512-0-0x00000000004A0000-0x0000000000507000-memory.dmp

memory/1512-1-0x0000000010000000-0x000000001023E000-memory.dmp

memory/1512-6-0x00000000004A0000-0x0000000000507000-memory.dmp

memory/1512-7-0x00000000004A0000-0x0000000000507000-memory.dmp

\Windows\System32\alg.exe

MD5 2b813085a52b96dc9d9193a1485475e5
SHA1 0d6f69ec33cfd0f025ef6ab921e5501448d6a21a
SHA256 3fe171deab290cb4b05febddfc8cbb87d0a379341fdb89d276d8e22a229b4431
SHA512 640e98db4147153f0b85276fa69d0764a11ef5fd9340df440e7fc5d22644cb0e66c22bd7992656b75c8f894fc4a20a66d8641bd0e4a953afbd1c220b956d87fd

memory/2904-14-0x0000000100000000-0x0000000100243000-memory.dmp

memory/2904-13-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/2904-21-0x00000000001A0000-0x0000000000200000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 7d27db19c2745ef7ee139f6570022ebc
SHA1 2a89788889f3b7ab24ea3802a306328c4c66cb9e
SHA256 89c724fde6e5e22d5be0c3aa6853fb13977d637cfa235ebf1637df2f82279426
SHA512 64c7ca5cd3bf0fa6d5dfca126f454f585b7611540f1cef02940ffd5c4310ed1dd50739df43272c0a3b4243962206a488a0b1aaf0d3f71d37619a993f31557e63

memory/2328-27-0x0000000140000000-0x000000014023C000-memory.dmp

memory/2328-28-0x0000000000B10000-0x0000000000B70000-memory.dmp

memory/2328-34-0x0000000000B10000-0x0000000000B70000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 85af0cde15c7ed17e1f23df5cb082861
SHA1 bf6c1ca0215d0c564b0c1e48120b75e353276604
SHA256 0bc1ef9f47700ce7b209ef7483a259e4ec254427e6046753b1adad731d2917e7
SHA512 b5ab471d07ea6c7af8180629b056cedbf381245ea4dd4039270efd8dd3b83b8cea85163218556e9c6c7028b73a60648465eb814b1466861d96dc7d22f7dfa139

memory/2264-38-0x00000000009B0000-0x0000000000A17000-memory.dmp

memory/2264-40-0x0000000010000000-0x000000001023E000-memory.dmp

memory/2264-44-0x00000000009B0000-0x0000000000A17000-memory.dmp

memory/2264-45-0x00000000009B0000-0x0000000000A17000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 d702a3f4daa8f3067c56be45c0b58350
SHA1 f1989da282426b123ce222756d4912ea81402722
SHA256 7365f98bbe1a84293dc9ef21881a1769cbdb14ec0dd316df54872efc61cc3262
SHA512 69a5f0041036cb220db81bd8ccf08e3446e6374460de310c590cdb19d1535bbdf2a0b4f359ce19278ccadf360fb6730b00a5fdfb9b5b4e7d8f0a0eac4a233e39

memory/2156-54-0x0000000010000000-0x0000000010246000-memory.dmp

memory/2156-55-0x0000000000420000-0x0000000000480000-memory.dmp

memory/2156-62-0x0000000000420000-0x0000000000480000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 98d20b6abf3b45fbe2f39ddc68148731
SHA1 e3c6c6b80b6238038586ddcd21700a8187393372
SHA256 5e629cc966dd4c71039c686e62446f4e0447400d6f3d2039539f47609bc91af1
SHA512 624ad3ca000219f449225405212ee42f7f92cc794581ec7c72c80caa1e314f46a3c3fac6790770cec2a0a8e921c72065d45700f29dc40bce7fbdc4af4963d863

memory/2264-73-0x0000000010000000-0x000000001023E000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 efad8b55fa20c21ecc68ff0c0660e2bb
SHA1 20524a32e213192cbe6b3e38f4b3461d70c279bc
SHA256 485fab5b574d70edd741818d747bc1f0f325e3166c65873b9ae8c68db9eee130
SHA512 21505d89f7a603e5b56097c4aaa5b0aa2bb42131df5222a076b7f45359ddec2a6fab943e573089a471065e580039012599b036086f8fe20aaeb8cebd0566e390

memory/1512-75-0x0000000010000000-0x000000001023E000-memory.dmp

memory/2820-77-0x00000000006D0000-0x0000000000737000-memory.dmp

memory/2820-76-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2820-82-0x00000000006D0000-0x0000000000737000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 57a02430c02d0de605e4084be47d6e67
SHA1 83b4222b0a68ff3cca92634cee1bf31477f07f1c
SHA256 7f54c87556c2b3d72e7e12ca4822d95bac9e9f7aafb5fc09ccf0b0183efe0b59
SHA512 405b9128b77bc1cdf1a72350c512da6ccc0c45ab1b6fc4450cae275e0b2f9edea394f0cca4e1cd2e31960ac634483ee063b1d55ca4c0507b2e5447c6f46c0229

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 ae3d8b79a0d60efde07616c76b0b5591
SHA1 e251acd8c053b94b3ba123922a16d22456cb4cd0
SHA256 41aa5042f21d0acdc800951add6e5cc28cd4de1a553e47bbaf333051d1358782
SHA512 b620be2d14ba5ca5538e63d7eb700a0d01736777b679a1c9541bfad28fa1a0a6bfdec32431ae32014c575c0e1ccdef89e508ea7909560b8e9398f7a39927aaf1

memory/2904-94-0x0000000100000000-0x0000000100243000-memory.dmp

memory/2848-93-0x00000000004A0000-0x0000000000500000-memory.dmp

memory/2848-97-0x0000000140000000-0x000000014024D000-memory.dmp

memory/2848-102-0x00000000004A0000-0x0000000000500000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 d25b55897f8f1f1fc187647616839850
SHA1 0fcb604885146b656a765fbde1cf65521af548e1
SHA256 32c9c3d68e4390785fa8ff36399770cc36c707fc0872e878567203029c5a9e3e
SHA512 0033ab5133ad4a5418e05a537643c6a614270ff90fc309f4c8a4c15e785bf3a251fdca14ce87cd1924706c622473662e2866878bb8e98346a15b99af386e0323

memory/3056-110-0x0000000000A60000-0x0000000000AC0000-memory.dmp

memory/2328-111-0x0000000140000000-0x000000014023C000-memory.dmp

memory/3056-113-0x0000000140000000-0x000000014013C000-memory.dmp

memory/3056-118-0x0000000000A60000-0x0000000000AC0000-memory.dmp

memory/1744-125-0x0000000140000000-0x0000000140251000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 7ac612461f69049830867ad29ae92f6a
SHA1 507f05c58441168668eb1f631a041b966f16a6a8
SHA256 e893acbc438fc31ff3c18ce68e4e887c8ef16d38186bd48a3db3b6654741114d
SHA512 1ca662b5e3d8621e3f2c85ad99b56e50cd1f6d386ee2d18a9bf2a3cfb6b6068bf366db985089a52099a72ed7e18bbd288c1ea893c660ddd2db97e76cc4e8172c

memory/3056-133-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/2156-138-0x0000000010000000-0x0000000010246000-memory.dmp

memory/924-140-0x0000000000400000-0x0000000000647000-memory.dmp

memory/924-145-0x00000000007F0000-0x0000000000857000-memory.dmp

memory/2820-149-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2520-151-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 fcd99b6bdbfc826b2e57a7c8717fab6d
SHA1 ef46829347d8c75d37c1cace1bf64dd8bfb3c362
SHA256 316e6d8e49b1d101fd9af2fd06c434acecabf41148584734df9ea8770e9e264f
SHA512 edc22ec8ac5ad5ee2ecc4066ed3820e7a9d400407555cbff62e0694024b0567daf5e9789343fd1a64f7e805fd5fcd0b620449e59fed69c42c3a6b3b0333c3729

memory/2520-157-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 853928770926e96ebac017575c43a613
SHA1 09bee156119f2975fb1bc5db1e2c3adc0bb1d7fa
SHA256 412bde204ab558ea483c858b2f8e0a65481c41be134b54692099ddccff24273c
SHA512 e97c8f0c08ca9b3d90511080ad373baaebd65021fc58b1c1fefc07329db8425cf5181658ac4301e59e1b0fe2a2f57859a3d5a804c4129b252c59d337cf8f61dc

memory/2848-162-0x0000000140000000-0x000000014024D000-memory.dmp

memory/1352-166-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1352-169-0x00000000004D0000-0x0000000000537000-memory.dmp

memory/3056-174-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 eef7d6294fffcf46d0c7196d624cc33d
SHA1 d85c8d3b0cb5a24274fcbd66ce7b7f654a12bfc6
SHA256 64aa889358b3633d64fca7d532ffe99de7031d4a4f3b26188303adb95ba41f78
SHA512 86bdca824d143909b00c05146d5045944fbf0f31ffceb7add98a2bd2f8663a4c59be8c1535e4d4c9bd26f12c9b916174d6985227c93b77638844ee141394aa30

memory/1964-177-0x0000000140000000-0x0000000140269000-memory.dmp

memory/1964-182-0x0000000000FA0000-0x0000000001000000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 5316f7352a798a98b8edb310530e90bb
SHA1 50ae0a494ed4665fdee7c2e36784efc86d0a7560
SHA256 a0b6968bc151f8a0ee88dbe896def785323741a20b68a1d43496336f33b50515
SHA512 09fb223cf8a514e33d6c27d9a2c694b18b5a6ff9a162df2d933ccad0289d745ca5c01a2db0e6224b0b0301731fd6255f5c2c4828d0dcfc7d62a17db6b41eb832

memory/1744-188-0x0000000140000000-0x0000000140251000-memory.dmp

memory/576-191-0x000000002E000000-0x000000002E254000-memory.dmp

memory/3056-193-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/1964-200-0x0000000140000000-0x0000000140269000-memory.dmp

memory/1964-201-0x0000000000FA0000-0x0000000001000000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 c82c866e31f170629d91c95e1526a0c9
SHA1 f282de47399a908c427253b7afdb6c2ac229e66d
SHA256 d1c6027480a6f8efced77573f7c49afc86525d869bce1adfd292c9a3107bf34b
SHA512 32b2ee69fcd869c24b80313263fbbef340d4b1ec840e7ecfb6ea380cfed0d9ad3cca4ff8750979468a24c7da4938bdb1b23e33317a8494c78df958972068446e

memory/924-296-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2188-297-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2188-298-0x00000000743D8000-0x00000000743ED000-memory.dmp

memory/924-299-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2188-300-0x0000000000830000-0x0000000000890000-memory.dmp

memory/576-301-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2520-366-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1352-375-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2284-376-0x0000000000C00000-0x0000000000C67000-memory.dmp

memory/2284-382-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/924-385-0x0000000000400000-0x0000000000647000-memory.dmp

memory/3056-389-0x0000000140000000-0x000000014013C000-memory.dmp

memory/924-388-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/3056-393-0x0000000000A60000-0x0000000000AC0000-memory.dmp

memory/2208-403-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2208-404-0x0000000000360000-0x00000000003C7000-memory.dmp

memory/1512-391-0x0000000010000000-0x000000001023E000-memory.dmp

memory/576-392-0x000000002E000000-0x000000002E254000-memory.dmp

memory/2284-407-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2284-408-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2188-409-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2188-410-0x00000000743D8000-0x00000000743ED000-memory.dmp

memory/2208-411-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2656-421-0x0000000000390000-0x00000000003F7000-memory.dmp

memory/2208-423-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2208-424-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2656-425-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2616-433-0x0000000000650000-0x00000000006B7000-memory.dmp

memory/2656-437-0x0000000072FE0000-0x00000000736CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:00

Reported

2024-04-06 05:02

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\cebde4b1822cf6b9.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75875\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
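The rows above are the device-instance keys under Enum\SCSI that sandbox heuristics flag as a virtual-machine check: the vendor/product segment of each key (Ven_Msft&Prod_Virtual_DVD-ROM, Ven_DADY&Prod_HARDDISK) and the FriendlyName value queried from it are what such code compares against hypervisor strings. The Python below is an added example, not code from the sample or from this report: it pulls those fields out of key paths in the format shown above and flags the ones a typical check would treat as virtual hardware. The marker list is an assumption (a representative set, not the sample's own), and enumerate_host_scsi() only does anything on Windows, where it walks the same hive the sample opened.

```python
import re
from typing import Dict, List, Optional

# Key paths copied from the "Checks SCSI registry key(s)" table above; only the
# device-instance segment under Enum\SCSI matters for the check.
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName",
]

# Substrings commodity anti-VM code compares against the vendor/product fields.
# Assumption: a representative list, not the list this sample uses.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL", "MSFT", "PARALLELS")

_DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<type>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)


def parse_scsi_key(path: str) -> Optional[Dict[str, str]]:
    """Split an Enum/SCSI key path into device type, vendor, product and instance id."""
    m = _DEVICE_RE.search(path)
    if not m:
        return None
    dev = m.groupdict()
    dev["prod"] = dev["prod"].replace("_", " ")  # PnP stores spaces as underscores
    return dev


def vm_indicators(paths: List[str]) -> List[str]:
    """Return unique 'type vendor product' descriptors whose strings match a VM marker."""
    flagged: List[str] = []
    for path in paths:
        dev = parse_scsi_key(path)
        if dev is None:
            continue
        haystack = f"{dev['ven']} {dev['prod']}".upper()
        if any(marker in haystack for marker in VM_MARKERS):
            desc = f"{dev['type']} {dev['ven']} {dev['prod']}"
            if desc not in flagged:
                flagged.append(desc)
    return flagged


def enumerate_host_scsi() -> List[str]:
    """On Windows, rebuild the Enum/SCSI instance paths a check like this opens;
    returns an empty list on any other platform."""
    try:
        import winreg
    except ImportError:
        return []
    base = r"SYSTEM\CurrentControlSet\Enum\SCSI"  # ControlSet001 in the report is the same data
    paths: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            dev = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    inst = winreg.EnumKey(devkey, j)
                    paths.append("\\".join((r"\REGISTRY\MACHINE", base, dev, inst)))
    return paths


if __name__ == "__main__":
    for desc in vm_indicators(enumerate_host_scsi() or SAMPLE_KEYS):
        print("VM indicator:", desc)
```

Run against the keys from this report, only the Msft Virtual DVD-ROM instances are flagged; the DADY disk and DVD-ROM strings are the kind of neutral vendor names a sandbox presents precisely so that this check passes, and the report does not say whether the sample changed behaviour on what it read.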

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe

"C:\Users\Admin\AppData\Local\Temp\fca902b91106c95378c0ef09d68b2f455e2df179eb68026da650454a2758f0c3.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
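Every process after the sample itself is a Windows service or vendor binary started from its normal path, and the Files section of this report records hashes for the copies the sandbox found on disk after detonation. The quickest host check is to hash those same paths on a suspect machine or a mounted image and compare them with the report's values. The Python below is an added example, not part of the report: it parses entries written in the Files section's own layout (the alg.exe and FXSSVC.exe entries copied from this report), maps report paths onto a mounted root case-insensitively, and returns MATCH, DIFFERENT or MISSING per path. demo() builds a throwaway root with a constructed stand-in file; it is not an image from this analysis.

```python
import hashlib
import os
import re
from typing import Dict, Optional

# Two entries copied from the Files section of this report, in its own layout.
FILES_EXCERPT = r"""
C:\Windows\System32\alg.exe

MD5 2dace7e5fbd6cdca9ca74769ff4c35bf
SHA1 df5b7fe5be9bbe49d89bd6e25eb87884b5befdd8
SHA256 8afcd0f25e91fc3a3b7c24d29e93e2e26613e4095acc9bc1c78ad6faba56e7c9

memory/3232-13-0x0000000140000000-0x0000000140249000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 77b532ea86b7ac847005e2793d883f38
SHA1 058e444481f05845952d27a665c12f40b1449659
SHA256 01df75511952feb2d7429476b23d08d10fba3e8646949fded19709f615db61c9
"""

ALG = r"C:\Windows\System32\alg.exe"
FAX = r"C:\Windows\System32\FXSSVC.exe"

_PATH_RE = re.compile(r"^[A-Za-z]:\\")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text: str) -> Dict[str, Dict[str, str]]:
    """Map each file path to its hash lines; a memory-dump line ends the entry."""
    iocs: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PATH_RE.match(line):
            current = line
            iocs.setdefault(current, {})
            continue
        m = _HASH_RE.match(line)
        if m and current is not None:
            iocs[current][m.group(1)] = m.group(2).lower()
        else:
            current = None
    return iocs


def hash_file(path: str, algo: str = "sha256") -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_ci(root: str, report_path: str) -> Optional[str]:
    """Locate a 'C:\\...' report path under a mounted root, matching each component
    case-insensitively (NTFS is case-insensitive; a Linux mount of the image is not)."""
    current = root
    for part in report_path.split("\\")[1:]:  # drop the drive letter
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        hit = next((e for e in entries if e.lower() == part.lower()), None)
        if hit is None:
            return None
        current = os.path.join(current, hit)
    return current


def scan(iocs: Dict[str, Dict[str, str]], root: str) -> Dict[str, str]:
    """MATCH: host file is byte-identical to the sandbox copy. DIFFERENT: not this
    sample's output (which is not proof it is clean). MISSING: path absent under root."""
    results: Dict[str, str] = {}
    for report_path, hashes in iocs.items():
        want = hashes.get("SHA256")
        if not want:
            continue
        local = resolve_ci(root, report_path)
        if local is None or not os.path.isfile(local):
            results[report_path] = "MISSING"
        else:
            results[report_path] = "MATCH" if hash_file(local) == want else "DIFFERENT"
    return results


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: a throwaway root with a stand-in alg.exe and no fxssvc.exe."""
    import tempfile
    iocs = parse_files_section(FILES_EXCERPT)
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "windows", "system32")
        os.makedirs(sys32)
        stand_in = os.path.join(sys32, "alg.exe")
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed stand-in, not the infected binary")
        against_report = scan(iocs, root)
        against_self = scan({ALG: {"SHA256": hash_file(stand_in)}}, root)
    return {"against_report": against_report, "against_self": against_self}


if __name__ == "__main__":
    print(demo())
```

A DIFFERENT result only says the host copy is not the bytes this sandbox saw; a second sample from the same family would produce different hashes, so pair the hash comparison with an Authenticode signature check of the same service binaries before calling a host clean.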

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
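For hunting, the table above has to be reduced to indicators, and its rows carry three different kinds of information: the udp rows to 8.8.8.8:53 show which names the sample asked for, the tcp rows show which of those were actually contacted and at what address, and the in-addr.arpa rows are reverse lookups of addresses already in the table, which add no new indicator. The Python below is an added example, not part of the report: it parses rows in the table's layout (a subset copied from above, enough to cover each row shape), separates them that way, keeps a tcp row with no Domain column as a bare address, and lists domains that were looked up but never connected to. In this run that most likely means the name did not resolve, but the report does not show DNS answers, so treat that reading as an assumption.

```python
import re
from collections import defaultdict
from typing import Any, Dict, List, Set

# Rows copied from the Network table above (enough to cover every row shape).
NETWORK_ROWS = """
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
""".strip().splitlines()

# Country, ip:port, optional domain, proto. The Domain column is absent on some rows.
_ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(rows: List[str]) -> List[Dict[str, str]]:
    """Parse 'Country Destination Domain Proto' rows; unparseable lines are skipped."""
    parsed = []
    for line in rows:
        m = _ROW_RE.match(line.strip())
        if m:
            parsed.append(m.groupdict())
    return parsed


def extract_iocs(rows: List[str]) -> Dict[str, Any]:
    looked_up: Set[str] = set()
    contacted: Dict[str, Set[str]] = defaultdict(set)  # domain -> addresses
    bare_ips: Set[str] = set()                          # tcp rows with no Domain column
    for r in parse_rows(rows):
        domain = r["domain"]
        if r["proto"] == "udp" and r["port"] == "53":
            # Reverse lookups name addresses already in the table; they add nothing.
            if domain and not domain.endswith(".in-addr.arpa"):
                looked_up.add(domain)
        elif r["proto"] == "tcp":
            if domain:
                contacted[domain].add(r["ip"])
            else:
                bare_ips.add(r["ip"])
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    for d, ips in contacted.items():
        for ip in ips:
            ip_to_domains[ip].add(d)
    return {
        "contacted": {d: sorted(ips) for d, ips in sorted(contacted.items())},
        "unresolved": sorted(looked_up - set(contacted)),
        "bare_ips": sorted(bare_ips),
        # One address answering for several generated names is worth a second look
        # (shared hosting, a sinkhole, or one server behind the whole list).
        "shared_ips": {ip: sorted(ds) for ip, ds in sorted(ip_to_domains.items()) if len(ds) > 1},
    }


def blocklist(iocs: Dict[str, Any]) -> List[str]:
    """Flat list: every requested or contacted domain, then every contacted address."""
    domains = set(iocs["contacted"]) | set(iocs["unresolved"])
    ips = set(iocs["bare_ips"])
    for addrs in iocs["contacted"].values():
        ips.update(addrs)
    return sorted(domains) + sorted(ips)


if __name__ == "__main__":
    for line in blocklist(extract_iocs(NETWORK_ROWS)):
        print(line)
```

The unresolved names belong on a DNS watchlist rather than a firewall rule, since there is no address to block; the contacted addresses are the ones a proxy or firewall log can be searched for directly.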

Files

memory/4028-0-0x0000000010000000-0x000000001023E000-memory.dmp

memory/4028-1-0x0000000000B60000-0x0000000000BC7000-memory.dmp

memory/4028-6-0x0000000000B60000-0x0000000000BC7000-memory.dmp

memory/4028-7-0x0000000000B60000-0x0000000000BC7000-memory.dmp

C:\Windows\System32\alg.exe

MD5 2dace7e5fbd6cdca9ca74769ff4c35bf
SHA1 df5b7fe5be9bbe49d89bd6e25eb87884b5befdd8
SHA256 8afcd0f25e91fc3a3b7c24d29e93e2e26613e4095acc9bc1c78ad6faba56e7c9
SHA512 521c62bf9635a8be40f530c1e774c46779f290f406dd0aa8334784170b65269aac22e74e2cfbd5549daa3e5e4dabb39c9efa435690bfe790d5833fd9fd8974b3

memory/3232-13-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3232-12-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/3232-19-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/3232-20-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/4736-27-0x0000000140000000-0x0000000140248000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 7f0f20a4d04fdc33024fa4e84c7bf7c5
SHA1 288eac010d490529faa825d54d559e6fa086b85c
SHA256 77089f552e976409fb2110e6fa3196f632c2bb7b7030469ef02f5b3c26a9195a
SHA512 1cd00673005b083d5dfe36c65f84c30eee1ce0ae49596c59d8e9430700ca505fd12aa2af3cfb6a73ef6fa35ab839155ab50482e9fae887f6ea37b762eaf21185

memory/4736-26-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/4736-33-0x00000000006A0000-0x0000000000700000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 77b532ea86b7ac847005e2793d883f38
SHA1 058e444481f05845952d27a665c12f40b1449659
SHA256 01df75511952feb2d7429476b23d08d10fba3e8646949fded19709f615db61c9
SHA512 e6945eb9c963cd74fb24138efb589c3a1932ae99b686e743d78b7871d1858fd6e5fb88c4ea78ecbbfaf8609355ca27262b0cb774de5bcf7d4768c8d22a157853

memory/2084-37-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2084-38-0x0000000000DD0000-0x0000000000E30000-memory.dmp

memory/2084-44-0x0000000000DD0000-0x0000000000E30000-memory.dmp

memory/2084-47-0x0000000000DD0000-0x0000000000E30000-memory.dmp

memory/4092-51-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2084-52-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4092-50-0x0000000000CB0000-0x0000000000D10000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 00b7fedeebeaec327a59056568efb549
SHA1 d91819fa4e786c68785f8810f3a345539c64259c
SHA256 96ea71303847f61735e2b4943cc862e27118bebcdcac8addc572972faf3dab91
SHA512 554b60c1852642ddf44a6d46ef1dba979cbb3a3933e3de1041a5e5b4dbf0501da36b1964d7a9cd8e230c0f030c1902f100b74178bd648e1840eb45a37d83dfa4

memory/4092-59-0x0000000000CB0000-0x0000000000D10000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 b0156a4f5eac51c5a3044bbfef0e2ebb
SHA1 34ac56536e4a425949194a4da823030280da16a6
SHA256 5b11d737288f954bd3d9c1c5d83909d53872f2cac4c65ec5829060d4d80ceb03
SHA512 2e8fa35181f828ae9658f858bf918f2791c80960f4740a731cab2b844180046710f6eeec51c3c69b02a64c432c29456ed6a10d3f395762989bb40c2b2f72f905

memory/4028-64-0x0000000010000000-0x000000001023E000-memory.dmp

memory/2748-66-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2748-63-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/2748-72-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 7d2356cd6d5a78ab4a2b0b7818237a68
SHA1 34b787b0ebe6d20340bee727f89efb19cc765a3a
SHA256 9c04dc4dde7522a5b0e0c7dd9d2aa3b78130d0798a3fa51b9a3631032d605b3f
SHA512 72247a362adb39249e87e0fc338adf4bf01671897f06ba80b9571b3829ef8f03355d202d1ca2a4871a050a5e7bf53f299b6888ff57abd05b8fe2f664454cec26

memory/4272-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/3232-77-0x0000000140000000-0x0000000140249000-memory.dmp

memory/4272-79-0x0000000140000000-0x0000000140269000-memory.dmp

memory/4272-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/4272-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/4272-90-0x0000000140000000-0x0000000140269000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 56f5fb68dd33bfda63d522e217e68eb0
SHA1 4f121cfe94c5590c31f7d1cf18d63f900fb832b7
SHA256 02a46389b2de70001f145aac3be851bcc54b85fa046393423cab1d4ac794455b
SHA512 d1f7b2c51003995514c9bcc3db42ad651ee4ea0e98f887a5cb67f6078017f861b0d8af627bded7ded85fb70ad15c2112e557ff8295cb99187385d9bfc371124c

memory/4736-92-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3212-93-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/3212-94-0x0000000140000000-0x0000000140258000-memory.dmp

memory/3212-102-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 e8fdaa67798d2624ac3a310ccdc39f11
SHA1 9b95266a4542c9caa5189114150aea95c706e59f
SHA256 220b1c95abe185700e1ca325685ca6954ac50e6c4be7e1927cec03e492a455ed
SHA512 3d89730338495918b5e0bc4001ad609a89e9ad94d2408f8abfddeadea0211e13d93b150b08310bb9dc9ffca4c00b2afa202739970323154259dfc9e3facf25ed

memory/2176-107-0x0000000140000000-0x000000014026E000-memory.dmp

memory/2176-117-0x00000000008E0000-0x0000000000940000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 8b68da89b65dfed199a2e6076a3cf3f8
SHA1 9cb190c9e739eec41a5bd48a45ec0c53edeb0367
SHA256 23001e6eb594259d64996ab1608f5326674e98569a9277c959c1ac1ab339c384
SHA512 538e86d469ba1e7283db33fe5979c76ee256598f1d59b7050bd5df636af5e0f4f6f10ec86ec2e4de35fd08471357a825c88166e97de9fe755197e6268ce9193b

memory/4092-122-0x0000000140000000-0x0000000140237000-memory.dmp

memory/5108-124-0x0000000140000000-0x000000014024A000-memory.dmp

memory/5108-130-0x0000000000BB0000-0x0000000000C10000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 a5e012c17a6d8b242e529c5152dfe256
SHA1 61c045cc2a6005466b0f47bdd0e3523d593e3778
SHA256 9dc836a6400d7072f197d4a180e4430bc75d4540116f905b398b6d8bc9c998d3
SHA512 ea934f9f4ecea0a30799b4d044f3ce2f09c952e9140d5325ae951459f67b333f1f00664c16158c1fb0a1163fa1e1814735439c4e81a75f963a75088aedb06f6e

memory/2748-134-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4580-136-0x0000000000400000-0x0000000000636000-memory.dmp

memory/4580-142-0x0000000000700000-0x0000000000767000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 39851f4ffdbe7418842bc5fb1cba4910
SHA1 4baf4693852a0cbfd8fdbc0a3d1aa9a2c2d86af3
SHA256 4482228c09e02c4c5df45ae4c1b6547421f2a455e0dbabecaf0622b3fba11adb
SHA512 eb38e0198bccbf83fc510cfc1b891f0117c4d1c13986ec4fe000e7eb65e718a2b46cd7cbdc0194b392493c66abf750ea049206a4d40b0e26cdc849c48d25cfc3

memory/4464-147-0x0000000140000000-0x0000000140234000-memory.dmp

memory/4464-154-0x00000000006F0000-0x0000000000750000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 e7d9a504f4819085d9d7fd232e0d97ba
SHA1 c118c9e60b3d89b277f3c16d03f99f46da39c25e
SHA256 886dc72aa07ec52245f233bcaef773813d712c63af31893030bd2d1a857d1b34
SHA512 46a9452525ebef3868839026a2d25350be6ae60254de5866ea729d85ce460cae038a80f262d5aba51d56887713da3091340b6d53911487c985dd0d844416907e

memory/3212-158-0x0000000140000000-0x0000000140258000-memory.dmp

memory/4388-160-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4388-166-0x0000000000660000-0x00000000006C0000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 83bcb76d584548b015c54964d4b4fe0b
SHA1 b2bf528c14e474263aced6cf8bd052e8a29fce4a
SHA256 6c6eba7b632262884a326e16a6f740f6283e036335dbb87311f93bbad5a4a355
SHA512 2fdf0f25880b34626bae21e2371af7fa2453dec77b03cae9e0f90e3d9d446ad1b04d3faca9b9fa8f6b5f41a4f84a4b8141e02579cf13c97e27420203b460d9af

memory/3340-175-0x0000000140000000-0x0000000140235000-memory.dmp

memory/2176-172-0x0000000140000000-0x000000014026E000-memory.dmp

memory/3340-182-0x00000000007B0000-0x0000000000810000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 fbc1ffc4eae5935344f09240ca0db673
SHA1 c01936c27a8e47f56c22f027b3d730f64181eb56
SHA256 0f2af8adae5c6b3acd934c3aeb6701366190d6563222a045df4bdc540e5a661b
SHA512 6c9fa9ed6ebca3da41626b5bc8412d163e73850cda6f2fbadf45520800a82836ce6129df5384cb9ac3ef5a0c501ee1df96c6f7e6e060e4ffd948c5e76dc0c694

memory/5108-185-0x0000000140000000-0x000000014024A000-memory.dmp

memory/4472-187-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4472-194-0x00000000006D0000-0x0000000000730000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 39c2b26e6f3c36f58c760790578a7cc1
SHA1 236c5977534fe41f29442cd4a59a31b36545d760
SHA256 62c9dc887436bece42f420a472ad4bb0bb5ad1dc7c9032f4129b786410520696
SHA512 f21bd6d424f25bbce48d580defe7c1f0e5548a98e9c814744d482c981de4a3cbc13399b7fe88ebbe87f762f56b47413a469441203aa81221c1e3c9a4567d7964

memory/4580-198-0x0000000000400000-0x0000000000636000-memory.dmp

memory/776-200-0x0000000140000000-0x00000001402A1000-memory.dmp

memory/776-208-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 16cf2178504a4dc8628df0c5fd2e4fe0
SHA1 bd6058290aa8de3ff6dbba352e3ed2f96d0911ac
SHA256 92f2f869f33473187de18ac727634b2561fb838336161c23d9bcebf7a9b42f33
SHA512 6000129e90e3a285a619ffaae5c44047de81c2f60d8d8b8d4d70d9402b1b708b6404269c23708c31b1dda6651e40307953b408ca87cd088875fd1d7b21b2f93d

memory/4464-212-0x0000000140000000-0x0000000140234000-memory.dmp

memory/4176-215-0x0000000140000000-0x0000000140281000-memory.dmp

memory/4176-222-0x0000000000830000-0x0000000000890000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 fa219275f6bf9491c4f08f2422283b25
SHA1 7954403d6989047c6f36c72cc46f499e72a28a99
SHA256 bc0b5167383ecb4383f21881e8a671b7acabf9929a0b5e945f4dcb056cdccc60
SHA512 74a49387a6d13ade9124db2bbdd66ab006962c7361e49a0c795638b8ab9efadb90c1260aae30f9ad69cdf26723467b8258f6c294cdc532722a16fb753cfcfea7

memory/4388-226-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4440-229-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4388-234-0x0000000000660000-0x00000000006C0000-memory.dmp

memory/4440-236-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/4440-240-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/4440-241-0x0000000000B80000-0x0000000000BE0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 ed5e34b64e110d7892e9fb49a3e13cb6
SHA1 bf1c3bb996b25553c92230a0a80472079b29fd67
SHA256 4f18ecf54c6726e688a46d8e7706d2168a51434e440b1514bd527429519ab7c5
SHA512 b9890d34e92b3be3d43e8fc8f2c2fa012daf781ab7f47e6520707cd22a96150798246d0c45b01320c79d59012445483bc7935e77ebaa50c81f4fd3b35cd44f95

memory/3340-243-0x0000000140000000-0x0000000140235000-memory.dmp

memory/2168-246-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2168-254-0x0000000000C10000-0x0000000000C70000-memory.dmp

memory/4028-261-0x0000000010000000-0x000000001023E000-memory.dmp

C:\Windows\system32\SgrmBroker.exe

MD5 2aff001f064427cd8e8a10e9f7ee7025
SHA1 f1cf19a7a24c72cddc7a98e11bafdb9a532b3b9e
SHA256 0196ca48b319877c7120bbd8eece54a934c5bc9d9e304b99600ee398dff3a6a6
SHA512 0a2405d816c2e11ff017fb4fb0513db5dc5da4415e7ff6fc6db94943a2118423193ff1f79d986bde48daf27c077d90bc2162d024a04c7c8a78124156c23b2b12

C:\Windows\system32\msiexec.exe

MD5 0c1b61995da987338a43a2eb38e68267
SHA1 d7ffa2fd4d414e145273d9c1b2dfc7bcc4c1d3cd
SHA256 c6ae0486b900f0fcccd4e15cbcb3feba9f2f8a611f6a4fdfcb2d3e76d8605c29
SHA512 9c580de54952d5dc2fad1c3f42ec6cc78359e7618868786198f25db31c629cf72dace70eccbd06c06674f6f047e378074a2414c45dd1800b119b4f9bad000e88

C:\Windows\system32\AppVClient.exe

MD5 ba0248ac78737426b8a8a83739aee59d
SHA1 d6f8b389e8f23b24cb9918415f1b07951f6bff3b
SHA256 8dde2100fbd4ef82040469d5037c0b33f3d0eee3d7d8701ca37b6f61e7676d5e
SHA512 7df740cff5cea9865cd778a9b13b64d631674b3e5ecddf748f77d0f77b42bf255bd0e00bb0d67ed81d1917c7c24baa49bc7596e33d088ff653a9053385a6cfd6

memory/4472-397-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4388-424-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4388-425-0x0000000000660000-0x00000000006C0000-memory.dmp

memory/776-426-0x0000000140000000-0x00000001402A1000-memory.dmp

memory/4176-427-0x0000000140000000-0x0000000140281000-memory.dmp

memory/2168-430-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 c15fc03a50b90f66df0fe8b0eced45ff
SHA1 429e3108288fe5b0a26b41552a142b624ca8fcbd
SHA256 0b6da5b016fbe6c257ea67f1a497983001eee3027e051b43e0d6a1adade26c3b
SHA512 a77abfcd2532acc8b8898d3915ed3a09326c2be3f55e9f851d0c9f1cc103cc9f3cd1a485b6932cb575e057cd1aaf04f5eafd7c3f3ed55f22f78e77f856d40eb5

C:\Program Files\7-Zip\7zG.exe

MD5 f4b85a140104ff5ebd0dfc70bf85564c
SHA1 14348e5ee7fc1ea1d13be45596ae43f6c403afcb
SHA256 6415d2fcdbb53b758d0c3c335e0138d8cfed35ddeef3c372b99bbc7293259ca1