Malware Analysis Report

2024-11-13 14:01

Sample ID: 240407-21587ahd28
Target: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685
SHA256: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685

Threat Level: Shows suspicious behavior

The file 313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 23:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 23:03

Reported: 2024-04-07 23:06

Platform: win7-20240221-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\10e773bd2a37835d.bin C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_ro.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_sv.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_te.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{0CE5CC7E-EAA3-4562-A781-DCB0067BB36A}\chrome_installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\GUTF5D.tmp C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_bg.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_is.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_hr.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdate.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_et.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_ko.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_fr.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_hu.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_no.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMF5C.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9AAEC43D-191D-404F-B265-50CDE212CABB}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9AAEC43D-191D-404F-B265-50CDE212CABB}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2460 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1028 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1088 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1928 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 2936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 604 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 1552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1884 wrote to memory of 892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe

"C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1e8 -NGENProcess 1f4 -Pipe 1f8 -Comment "NGen Worker Process"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 258 -NGENProcess 250 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 204 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 2a8 -Pipe 2cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2a8 -NGENProcess 250 -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2f8 -NGENProcess 2c8 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2f8 -NGENProcess 2e8 -Pipe 2fc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 340 -NGENProcess 2c8 -Pipe 33c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 340 -NGENProcess 2f8 -Pipe 2c0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 338 -NGENProcess 2c8 -Pipe 348 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 338 -NGENProcess 340 -Pipe 344 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 338 -NGENProcess 354 -Pipe 2c8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 358 -NGENProcess 364 -Pipe 334 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 368 -NGENProcess 354 -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 34c -NGENProcess 358 -Pipe 368 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 36c -NGENProcess 37c -Pipe 354 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 1bc -NGENProcess 2dc -Pipe 2f4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2a0 -NGENProcess 340 -Pipe 378 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 21c -NGENProcess 304 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2a4 -NGENProcess 2e4 -Pipe 21c -Comment "NGen Worker Process"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

Network

Files

\Windows\System32\alg.exe

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\10e773bd2a37835d.bin

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

\Windows\ehome\ehrecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

\Windows\System32\dllhost.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

\Windows\System32\ieetwcollector.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:03

Reported

2024-04-07 23:06

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b40bb6114ab059c5.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{E620FD1D-1243-4CA9-AB2B-6C02435E0E01}\chrome_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_zh-TW.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_ar.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_tr.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fa.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fil.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\psmachine_64.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_sk.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdate.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_da.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_vi.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_fr.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_sl.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_el.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdateres_es.dll C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
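The three tables above (System32, Program Files and Windows directory) share one pattern worth making explicit. Besides the sample itself, the processes opening executables for modification are C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe and Chrome's elevation_service.exe, and their targets are other products' service and tool binaries (VSS, Windows Backup, Search, Java, Firefox, Adobe ARM, VLC). msdtc.exe, by contrast, only touches its own log files. The following Python triage script, added here as an example and not code from the sandbox or the report, parses rows in the flattened Description/Indicator/Process/Target layout used above and separates first-generation writes (by the sample) from second-generation ones (service binaries writing to further executables). ROWS is a constructed subset of the rows above; the EXEC_EXT and ADMIN_ONLY lists and the "second-generation writer" label are assumptions of the example, not fields the report defines.

```python
"""Triage of the 'Drops file in ...' tables: which processes open executables
for modification, and which of those writers are system or vendor service
binaries rather than the submitted sample.

Added example for this page, not code from the sandbox or the report. ROWS is
a constructed subset of the rows above; 'second-generation writer' (any writer
other than the sample) is an analyst heuristic, not a field the report defines.
"""
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe")
ELEV = r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
DIAG = r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe"
MSDTC = r"C:\Windows\System32\msdtc.exe"
MOD, CREATE = "File opened for modification", "File created"


def _row(desc, indicator, process):
    """Rebuild one flattened report row: Description Indicator Process Target."""
    return f"{desc} {indicator} {process} N/A"


# Constructed subset of the report rows above.
ROWS = [
    _row(MOD, r"C:\Windows\System32\alg.exe", SAMPLE),
    _row(MOD, r"C:\Windows\SysWow64\perfhost.exe", SAMPLE),
    _row(MOD, r"C:\Windows\system32\AppVClient.exe", DIAG),
    _row(MOD, r"C:\Windows\system32\dllhost.exe", ELEV),
    _row(MOD, r"C:\Windows\system32\vssvc.exe", ELEV),
    _row(MOD, r"C:\Windows\system32\MSDtc\MSDTC.LOG", MSDTC),
    _row(MOD, r"C:\Windows\system32\config\systemprofile\AppData\Roaming\b40bb6114ab059c5.bin", DIAG),
    _row(CREATE, r"C:\Program Files (x86)\Google\Temp\GUM6FF0.tmp\goopdate.dll", SAMPLE),
    _row(MOD, r"C:\Program Files\Java\jdk-1.8\bin\java.exe", DIAG),
    _row(MOD, r"C:\Program Files\Mozilla Firefox\updater.exe", DIAG),
    _row(MOD, r"\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE", SAMPLE),
    _row(MOD, r"C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe", ELEV),
    _row(MOD, r"C:\Windows\DtcInstall.log", MSDTC),
    _row(MOD, r"C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe", SAMPLE),
]

EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr")          # assumption: what counts as code
ADMIN_ONLY = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_row(row):
    """Split a flattened row into (description, indicator, process, target).
    The process is the last path starting with 'C:\\'; searching from the right
    matters because an indicator can itself hold a drive path (the '\\??\\c:\\' row)."""
    desc = next((d for d in (MOD, CREATE) if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description: {row!r}")
    rest, _, target = row[len(desc) + 1:].rpartition(" ")   # trailing Target column
    cut = rest.rfind(" C:\\")
    return desc, rest[:cut], rest[cut + 1:], target


def executable_writes(rows):
    """process -> executables it opened for modification. Non-executable targets
    (MSDTC.LOG, DtcInstall.log, the dropped .bin) are skipped, which is why
    msdtc.exe never appears as a writer."""
    out = defaultdict(set)
    for desc, indicator, process, _ in map(parse_row, rows):
        if desc == MOD and indicator.lower().endswith(EXEC_EXT):
            out[process].add(indicator)
    return dict(out)


def second_generation_writers(rows, sample=SAMPLE):
    """Writers other than the submitted sample. A Chrome elevation service or the
    Diagnostics Hub collector has no reason to open Java, Firefox or VSS binaries
    for write; service binaries doing so in the same detonation is the pattern of
    a file infector that patched the services first and now propagates from them."""
    return {p: sorted(t) for p, t in executable_writes(rows).items() if p != sample}


def admin_only_targets(rows):
    """Executables touched under trees only administrators can write to; each hit
    implies the writer held admin rights (the sandbox ran the sample as 'Admin')."""
    hits = set()
    for _, indicator, _, _ in map(parse_row, rows):
        path = indicator.lower()
        path = path[4:] if path.startswith("\\??\\") else path   # strip NT prefix
        if path.startswith(ADMIN_ONLY) and path.endswith(EXEC_EXT):
            hits.add(indicator)
    return sorted(hits)


def non_executable_artifacts(rows):
    """Writes the executable filter drops but an analyst still wants listed, e.g.
    the .bin written under the SYSTEM profile by a service that is also patching
    other executables."""
    return sorted((i, p) for _, i, p, _ in map(parse_row, rows)
                  if not i.lower().endswith(EXEC_EXT))
```

Run against the full tables, second_generation_writers is the list to hand to the responder: every process it names is a binary that must be restored from known-good media, since the report shows it writing into other executables after the sample ran.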

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009951fa234089da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000758771244089da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe

"C:\Users\Admin\AppData\Local\Temp\313f13e3302b66922638dd97d0f2574d221b209ba2532a2643b2974d23068685.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

Network


Files

SHA512 8c6a3bb9648e91ec13c8e84a3d35869709e1e5fea5608766c241bac7f8924ee2cd9372735a5d58b378e9c77d1eed9bb059d5392560be0b5295b865145009bb57

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 e6f414a1dbb122d6960eea4bc28d44fe
SHA1 7d218613fd0c8ee91873b9cdf63c292fb9badd04
SHA256 4c4156787e3df60ea1489581240b96c3c2b33ade70d1d815b04282f33fd0f820
SHA512 5c8d3393aa0d13f961637465500bbc5ef9c717a2972913a361af7ab66e3c274454728aa25a665605d5dd12777fb5ec26844aad90eaac8779b3d341b09513c29d

C:\Program Files\dotnet\dotnet.exe

MD5 29a2923e25810fa199127e802260f83d
SHA1 b6104f1104b7efb7f59c26cb9458b3f59de68d84
SHA256 e8f435e9dd1d7ecb936567897d57154329808520ebee725ca9a5d5e8c1881689
SHA512 792ace0d5ba7bdac84c1ba3586682e3ae03f01430e1be6d051f8357e1e5dfe7fe39c7b8923cf97874ff72517bc17a3c9a7b23d364ad43f82473f322d22151a91

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 6f081e1afad58a6a3ec2134153982839
SHA1 08a0d0a8d9833180c165536bf8ac2c352d921bf3
SHA256 0aff09dcd061db42f21dec65c8cb77fb616420bca47f01d1b0baa4bf50613035
SHA512 361b5a53e9284d95a863fa7c48763a824c28e65a7a06ab15ba23f648f9ca8c7b834c04f0d80bf423f9489d6844fd5a3eac83c6c3a55cc27a386979a77e2e357b

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 0d8471f17a7a56c690b33946b5a7d5e2
SHA1 2791d76bfda22253fbdcfd54e0bd41ef4bcfd3c3
SHA256 d34f4d0ba1f13673dbd02a9ebb211e2f22b7475241c8dc3fb4bdec8fcf49c7d5
SHA512 bded9b72386735691edfd5c0f535040c6caa69d39843e8719d51ffcb56b2d35c27e77226670c8840228a09fe3857f2f89254bd8dd49be663d4cab96b1de0a409

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 18224aedca14d500a1a32f7c496dedc2
SHA1 b9da474c408ca16cefe91f327b85a31a1eb23fa2
SHA256 e995f835017d2f703be6ac835f2e80cb78c43ea279e175af14887a5d2897ad04
SHA512 53f7585cdcace6545b395d2d55d57d228665708bb9876befe4139c19b8610d850f451f3aed39d262f07d390ba3bbd738b7ad9d72c20f9be5df26c995ce5a0627

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 8cfa7c69eab86b7b8eaa97a6ac8580cc
SHA1 6395957d5010461ab015bf4b8df2d18ef2349ac6
SHA256 55477162caa0f796fcb514c034d7263ed513e4f07f2a823f7aae9a0319f20386
SHA512 946f855a6e09268484345b8cc3067f7e7a74e9f4963d6ecd182199b724b4ccff2889d28b8e79c95504489123f86d246eea3be80ca1811f0331dc0392013c0f38

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 3f9013709ef67d3dcaca5a11edc3219b
SHA1 9984db9e461d434505c8420421e6f43747a232b7
SHA256 3e812b3b9a3273b09d1d4ff36e9c3ef8ca1d587648dec2a19ee26ee0ee0475f1
SHA512 769ebc688ea9a07079ac8da48934d5b51095eb258792b60b061348015f8a881dc8037d3235c5f163745429b3400f67e2921e3efe80936a08abcc582cfbe9208b

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 e7d1a471b8ae5c46bfab61f9d20a5372
SHA1 48aa3dd8b2ec3fae1a14b3b318c4f5b9e6583058
SHA256 bd8e89b236279230653527a26dedf5ba66e1eec698ac7ac2a40448ee4324d3d1
SHA512 a0cd0fe28218350bad9453d84a8221af7e2fc3df0c305253bca6e27f729f403056381c369b7978643a5efb695aed2f8fa7dbcb6782ca61e6e4a3544be2521a6e

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 cf4ec2c1e72760783b13a1d78ad3c19e
SHA1 6b0203b10c8de70c4e6a154cd5b68e3629351717
SHA256 114f3ee23b37cead194a1a1a5d3e32dfb3de7bf6d97392f36dab32c86653e1ba
SHA512 c498b73d4af81f9d0387385da1aa5dcdacb2acf8b6a4e22698464c7d57ceecc0ac2013ef68113453e25a9589e8a671b32ba9357b9d8bf420c001db135350bde8

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 b124dd5efbbdc7f5fc9846e1994f5194
SHA1 090004ab26decf6b4db1a6f703ac72f877c23240
SHA256 45045f944fa0e0df2b820e0319a87e580ecdbdf26d4d34d0dce71835aa38fdcd
SHA512 30091f2a5e0f947ce2fe6db4752992bb0a72d3d2730a584c301a1ad8738326d669ad52e988893a885b32497d282d8ebd91fde8ddb0013632695bb1ca59d9a08b

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 fdd43c27943261616dc11c522e91228e
SHA1 b574a12656d875964a5585d71669449849c6b84a
SHA256 0eee1fa3644a5223b743ed7280392639e77df98101edda582f24f92825496e0d
SHA512 1586aef2b7aca03d9626ede48e59c83cdc1740e99270725a8f75d53ac7af05f0fb7782045b7b5dc31c0b7694f9c5c69e6671870b6a6eea36deb5b7dfb65792e8

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 4e96ccf181a95224825836b685e591ff
SHA1 7b7118cf4cae28ac5c03ca1d4ef3ef13d78ff3c2
SHA256 fe72b39a0d782ad4809fda377eafe66cf8fc5d7391457f47e4e77d4f26e0cbcc
SHA512 1e553c2a36f28ab67395b646ce6407a40d7f8e890f1ee2b656cd7c506122b9a502b80c872aeaf90eff0623af8a51ace5f1548f561afdad88c1d30f6b5e195695

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 69ce8ca47c0a49276fc984e3693a5bd4
SHA1 cafa31c21033ab6798c8cf76a78ee9486eaaf7e4
SHA256 adf88dea1edc751385604abfe4937dacae17eecc01b4daf793f384c13d989f27
SHA512 d8f7e359621f3ead7a0bb0091c2357afc64abaf3ed5128996101d390aba091e12bcbbc6fe3a6e24f84d208c3cc8dcd87b3fe0ad1b8556b0b4e30d34bc910866d

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 85b4581285d0339fd496fac01b2b43e2
SHA1 22c4fce0dba079fefdb7dc09d2acb069b010a5b2
SHA256 75827b3b11dfe56d690ee878e8f8245b0a3e4b34624568924778fac23e0157b1
SHA512 1b197cc20af4667168b6c7573bcb58d155c2e164f7f8844613221e3868114188a3f0600a5e8f3df0bf072a476fc084a6d4d5fe0cb862cdb99f2e3c94e64d424a

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 64e0a5d303591d5cfe50b0fc583c27ef
SHA1 f6b8e3ea3f04c507e5296c37bb1d222d2a7d425d
SHA256 b0f88e4245ac92feca50409ddf75f65d975e031890847a8bfd0dde83ad4cabf4
SHA512 65a165084de9b5bbda4a1d77fc46313f57a549fae8dea02a2e9396ce93986a660bf481be5ad482bc9a02eb160afff4ae5f0bf2b6f79772d2e1f24b711160e5bb

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 2210408fb2339ee069227e96bf7dcc7c
SHA1 a85d91bc1b70c098825f28d1ccbc88c100803839
SHA256 e00227e3d80e5739a153fc86cd9fec501b807ed317861110bd9f673b03c5f04e
SHA512 31d151bd8c7b122394cee91522775803eb9000b9d80980d2c66b57c934d96be61931a0dc37f99c2106a8d27d9f6bc3789cc0e09d46f9932c9fa93505a44f5729

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 e6bb3db08f59160334bf01091b173215
SHA1 2760e0e08c0554a6bb61e6d954c5c922eed3bd75
SHA256 eb0c8dbfa5f7e5609020025c6024404c4e49c9ddbf8898ec5e5c2af5d062d2fa
SHA512 f7dc7e76184972c3bcb83b7929a15437d98978b7948cea683af139300c39c1c7dc21f20a3cb21e100e6cac986dfd025e7fd87651142d237886ca8bedd522308f

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 2b9420155a70eda50f4ed73d5b9ae6a4
SHA1 611fe6bdfb9193a982e3910f3fc5f1f017c32233
SHA256 fc1a15c3da42f5207285a1f40531bd4bdddae1aacab37b0cd8c68d1b27c4064e
SHA512 cc269446d98a8349ad290c8bdc04ffc03c9a0239a60f28ebba62bdda22571e7b9c601f27b5559eea810261d75b1e189d57f9fd70a254ed9411c472c5b8b53b37

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 bc585e2871689a5cffca85d5e042c117
SHA1 0a1ca43657fd2898f8b27c2cbb3045b2725e63f4
SHA256 f5e631869daaa1fb4cb6fbb8fed3ff1d83153e85c6c178d32b3f373c608fdc5c
SHA512 14faf78b936f3e795c629549229009af2729b96d1c46cfddc07c801a3c66a8ca2faec52e898821081fe35a9486b44f711c59d5b562cb03b28b47d7250e6b5f5c

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 569e2797e2fb0d18a19213fc3240d6ed
SHA1 c85a0772813806416f02c85532f9b60e0782bde5
SHA256 e8799d6a08244a124ef13b63a93979c5aff592e53ccd8de73c266a02298b7ab4
SHA512 396ed7c458cae3a6ca01c53dcb4aff6492b7b929c777b0c730c85f20dd1054dc8f5120384885687c107329b79da56e22b3e1700b1de4735ae8830b9b7f15b49a

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 c432c553a6c42d27cbbc868dcb01b63f
SHA1 5ce5f2ba31c24255b6636ca4aa148cab97848897
SHA256 a8d6ccf45f887880de6f98531bb485ac468b6a21cfc4fd23f026f8c689a74329
SHA512 a622dad8ff6862dea484da5d313f1f02a40ee34b3b9a78dfc5d7fc4c9a6834dc074ce1a2439c4fa4487535f082fdf3fbc12f56ee3a255ef4e142d45a8aee372a

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 6698802d83747d890f2a5f94d3d43cb0
SHA1 527bb6a22f419a781b73d647df1215bba8def959
SHA256 c64d120be0be9d98a769cf612d2dd67e3b5c4a281fa00a0c304b818344073760
SHA512 abfeed6a08a3c8eb06a1cca7bb08556a4f59659e445c841dbdafe1669c819f9a3fd921453a2b1674c09ec31fe0e8638dbf50a41ff734293367d6731a5e54e646

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 fe3cb372592e8b593aecf4df6e164eff
SHA1 589eaacab52973619bec3dabcb9dfde4f1951c60
SHA256 f3008a09896156acce761204d0a106d36f1f6437781a395f0f787d1943623889
SHA512 65724ce249978bbc78bd7182bd2600778c3a5eb5e5940068ae22c7db8b1848c86f524d0f52c3c99f6ef1f84a9986078601d4a7fe5b4a4d78a048d66a05c732b2

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 9e4af3877e2f7241a26eca990afd80ff
SHA1 285757988f1a2cb560183554b4aeb260696a2cf7
SHA256 1569b5aee170e58432e2c552672ce42f6a896f406acdb3e108ede3cfdf41fd95
SHA512 47db42cdab5cf06b4216415718a86d6defa76ddf542e0ea1876b7a1694ae25bc0a911a50d1aaa0bb9625288c403d2a363bd54c255e7b45c62a80e824be73efc6

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 19195121e38381cb104430ca6dbad7fe
SHA1 11c5e872f7fa6207187c4a8a7d87902512f5161f
SHA256 c66a270633167fe8262e2e4a63fd1931ff6663219062cec4e4fbecfd88d23c95
SHA512 2c448e8e5bd529b8c8fbef514bede4c75d128ad77c88d6c50ac6048ae629bb7667edb433bd2f2492f4243aeb6ba91bac1cb3e0111f50ca4433a2583c6e923cdf

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 8a63d7e21b026950e497b862edb40300
SHA1 92ecef7d07d3b3fb1a2f38f135d2151d0d1e3a89
SHA256 7b2d8f7bff3d090765fd19c98842a395ed7b87199963c08044cf6ca21ec24ca1
SHA512 5ca7dc941e1bb20ab5ac485f4b9a1ff99c81449a35e501921eb76c6c4a4457a0e54fb5485d0d7bcd771c1fad0d4c69ea3392e78e1d7a61bfc76ce83d2fff455d

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 676e48dbcc4730c2deb1fb46a27d5839
SHA1 ab79da955aec3fecbca7cd2b0b1bdf571ca61878
SHA256 bb21437afd659f86c70f52b1896587ace08fce3fffc6c1c0556829134f1b1dae
SHA512 1cfa3307927eed962fd943064f5125ab0685a61d8d4443c7036d5b307d96744a0c0996d62c7e76cbc6f004e02b397689a232ed23b0cb1d5eac44a6e43f61f466

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 b1d1ee49c2e5f38fc828525a11f29acb
SHA1 74c8407ee252ade921ec9b571a04c1a6bedb74b1
SHA256 a486638b0d46708a22c7951f66a92cb72259c643c0535cff0ab01616b371fb8b
SHA512 b41b4fdd5db58d6e84444746545f6000e91ca90bb8c5cc8fae6495ff75329c91c82f20d0356b91a4238de580066bb2e66df8ab92307b1bcdbb642bdd7a12fe3b

C:\Program Files\7-Zip\7z.exe

MD5 c501789d857063cfbd8ce11459f3b2cd
SHA1 fa2336445ebf48dfa0d91fde0adf2bae58352893
SHA256 3b30b8743dfc3aa483dfa4aae1e3018457432bad46a930bb61649c20c4833f25
SHA512 bb783d947e57799d865beb4d54adb1b2cc62468c5d54ca444ddb49424ce65bd50151a3cac4fbf24a3ce929ee822b94db5b21038030801dee90b19c2768dc2587

memory/5812-561-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3456-562-0x0000000140000000-0x00000001401A9000-memory.dmp

memory/460-567-0x0000028DD7F80000-0x0000028DD7F90000-memory.dmp

memory/460-566-0x0000028DD7F70000-0x0000028DD7F80000-memory.dmp

memory/460-571-0x0000028DD7F70000-0x0000028DD7F80000-memory.dmp

memory/2772-572-0x0000000140000000-0x0000000140189000-memory.dmp

memory/460-573-0x0000028DD7F90000-0x0000028DD7F91000-memory.dmp

memory/460-585-0x0000028DD7FB0000-0x0000028DD7FC0000-memory.dmp

memory/460-586-0x0000028DD7FB0000-0x0000028DD7FC0000-memory.dmp

memory/5264-587-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/460-584-0x0000028DD7F70000-0x0000028DD7F80000-memory.dmp

memory/460-588-0x0000028DD7F70000-0x0000028DD7F80000-memory.dmp

memory/3648-583-0x0000000140000000-0x0000000140147000-memory.dmp

memory/460-591-0x0000028DD7F70000-0x0000028DD7F80000-memory.dmp

memory/6116-590-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3204-592-0x0000000140000000-0x000000014016D000-memory.dmp

memory/3548-599-0x0000000140000000-0x0000000140179000-memory.dmp