Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3jfgwaaa49
Target 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1
SHA256 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1

Threat Level: Shows suspicious behavior

The file 949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:32

Reported

2024-04-07 23:34

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\5f0242af9a3c2c1c.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06217F96-5016-4D11-AB1F-ED9B93D0CF78}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06217F96-5016-4D11-AB1F-ED9B93D0CF78}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-304 = "Public Recorded TV" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" C:\Windows\ehome\ehRec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200005 = "Websites for United States" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{C9658EE7-8ED9-45C9-A1C5-AB8F060375FD} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = [binary value omitted] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{C9658EE7-8ED9-45C9-A1C5-AB8F060375FD} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2292 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2052 wrote to memory of 1460 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2052 wrote to memory of 2692 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2768 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2624 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2052 wrote to memory of 2644 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2768 wrote to memory of 868 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 1212 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 1580 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 1004 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2208 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2768 wrote to memory of 2192 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe

"C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1658372521-4246568289-2509113762-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 250 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 258 -NGENProcess 1f0 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 254 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 264 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 260 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1dc -NGENProcess 26c -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 1dc -NGENProcess 268 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 254 -NGENProcess 26c -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1ac -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 1ac -NGENProcess 1d8 -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 290 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 26c -NGENProcess 298 -Pipe 1ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 2a0 -NGENProcess 27c -Pipe 29c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 11c -Pipe 120 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 1d8 -NGENProcess 2a8 -Pipe 298 -Comment "NGen Worker Process"

Network


Files


memory/2156-217-0x00000000008E0000-0x0000000000940000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 3d58330c8bef2bb963a386dc5fa04803
SHA1 ac70ca53bb07ea7dafcd758d714b2042ff0a994d
SHA256 810649211c98b0aa246f123bb098a278024e65d1ed4ef22f9edb3a231a49d221
SHA512 5ffe03788a85f048c2a33dc664064d6dbbad029be29995b2fa770fed9fbaddbe8d946e9f521759ad68334eed6b9f5a7ef0803c471af59425fd71670babeec745

memory/912-233-0x000007FEF3F80000-0x000007FEF491D000-memory.dmp

memory/828-235-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/828-237-0x0000000000A00000-0x0000000000A67000-memory.dmp

memory/2704-239-0x0000000100000000-0x00000001000B2000-memory.dmp

memory/2292-240-0x0000000000400000-0x00000000004A8000-memory.dmp

memory/1588-241-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1588-243-0x00000000009F0000-0x0000000000A50000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 afc5c7d6f1124fd0fa1e5a81d693920c
SHA1 7ea3f367abe9b9b6e39d50ebe92cb9f533c7790c
SHA256 2d4f19ffe6b81f1c8b233f88663a343142ace361255bb513293c4e33686dee55
SHA512 fda75fee88b6f861d7adbf5c44f85f57b2db272d9d72d0f61db2d9d9892747d987f831ffd9b84753c65a90d89a16e2534c9d0157877311b9de4f9acc84101ec7

memory/2704-249-0x0000000000590000-0x0000000000642000-memory.dmp

memory/2292-251-0x00000000005D0000-0x0000000000637000-memory.dmp

memory/1604-253-0x0000000140000000-0x000000014013C000-memory.dmp

memory/912-256-0x000007FEF3F80000-0x000007FEF491D000-memory.dmp

memory/2880-258-0x0000000000160000-0x00000000001C0000-memory.dmp

memory/2704-260-0x0000000000590000-0x00000000005F0000-memory.dmp

memory/2696-261-0x000000002E000000-0x000000002E0B5000-memory.dmp

memory/2696-262-0x0000000000550000-0x00000000005B7000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 6c8f5b16a1d4f6b46a9a8b7e27950312
SHA1 647f4ba788bb28377673428516e77a57bed1d77a
SHA256 3355949c6d81cec5634a05514f97e3e22de01068495f2f42e62c606a54d60f02
SHA512 63b589bcc10c44fe6de3ba3781e3f43b8322dcc8ce9dc11ab14a365410960387adec9750dff0648caaf94da7a661068e7a937d57409d427a33bb8ebf7216c0df

memory/572-265-0x0000000140000000-0x00000001400B2000-memory.dmp

memory/2344-268-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2344-274-0x0000000000160000-0x00000000001C0000-memory.dmp

memory/2344-276-0x0000000100000000-0x0000000100542000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 ac664682549c0e390ab11db695b7e3fa
SHA1 ea9f7e3cf3bdeec9b7e58cee0d5e4d3b955c3225
SHA256 b25b9b16ed15168780e73433820140f4227e801a540f84e199fc724c9bd5e943
SHA512 0fc819554473361623351c353b8e25c53e41e0d8ebcc097319d9033e004f36a5edccb4adffb0c95f7f25cce37573c360cf9e18d06360851bfe75dd4a8e3e1dda

memory/2500-279-0x0000000001000000-0x0000000001096000-memory.dmp

memory/1604-286-0x0000000001430000-0x0000000001431000-memory.dmp

memory/2500-288-0x0000000000240000-0x00000000002A7000-memory.dmp

\Windows\System32\Locator.exe

MD5 c5259300537c0c824b7ea84e19f3efc3
SHA1 64b71d97c75276c11a7ccd743aad6f38d3697c79
SHA256 8c0e724b00d0f9a46ca40b8579726a389dc604827af5da3b665d4ca1d99b9a73
SHA512 b9e4e66435209ae9299d567e9b02faa88ed4837b8a549a5000a0231fa5fc2cb0d9605b9ffa9ced5b96ac74df94c67558d01c8491fcd412de8570267accdfd6ee

memory/1060-293-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 2966656796b680cfa895e5ce7f8abc0a
SHA1 0a461074183ea451cdc1a8c37633e685b678ebbf
SHA256 ddae73b6dad7707a014b9f3b8808a34c21518791f51a20a4fb4116092c013b29
SHA512 bb6b9d55999e76c547eb453650e5de1c249556cb63ed5f953d7c8c095b6732bdff0719f78c3e657ff259a8e2656803177b8547cf18f6752b84f169f71de3c73c

C:\Windows\System32\vds.exe

MD5 9440b6ef108911f08fb052de4e95787e
SHA1 ca6631457dfdfb662d680f062da579f2b0524678
SHA256 e64abfd82d7c23de968ed696d536e9aab036a11f3bce01b91e8c9bead9a92493
SHA512 4a3b59dc919cadbb2d2cd758b38fd98891f34bf6da4a5e9c0d87bc1614610ff7ad4ec486cc66d902fdb823a7971e96ca65deb451980a5e11e5bf2ec100b0e1fb

C:\Windows\System32\VSSVC.exe

MD5 ffcacc71b112374e38adb6cfb4f1a44e
SHA1 cb2ce8ef78449de96b5766c52b86374adf2fdeb0
SHA256 cb06cf1ae9813ecda71d2c4b0b770e2576b26f57ac76fac716785a8123063f7d
SHA512 699a6552fd03c927dd2b55a6704b3c17a2ec24974639827c0d48dd74c584a9da1993b5494df74c4388e302bf370979525a0e8fd6597673d90177587ababcdc23

\Windows\System32\wbengine.exe

MD5 a8e9c9bd5e445fdfea5e88d5a5bba01f
SHA1 2a09707f6c55662231cad02191aeca2286ba537c
SHA256 5140dad35ab4df3a27a791379803c2391668a77ffb2ac5ff3306ce9b93f4a737
SHA512 4798bef6734040dfd7c450e508ec254367502f7e8c0dfb982fc40d973ae90521e38734251fcab6de3c5e514decea0146fde4889466b26477469784ac6d0ac96c

memory/2292-335-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/1540-337-0x0000000100000000-0x0000000100095000-memory.dmp

memory/1544-338-0x0000000100000000-0x0000000100096000-memory.dmp

memory/1544-340-0x0000000000150000-0x00000000001B0000-memory.dmp

memory/1944-342-0x0000000100000000-0x0000000100114000-memory.dmp

memory/1944-344-0x0000000000910000-0x0000000000970000-memory.dmp

memory/924-346-0x0000000100000000-0x0000000100219000-memory.dmp

memory/924-348-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/1984-350-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2880-352-0x0000000140000000-0x00000001400AE000-memory.dmp

memory/912-354-0x000007FEF3F80000-0x000007FEF491D000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 e015198669059498f2ca11f554f086fa
SHA1 94fd9dbbbf229f3c3b06c578c058c5490fcb8e5a
SHA256 c3f90a9a75cc91f19881adec2d964b0d6ea852a69af64e17a0d0642e714e9855
SHA512 69330cb7728708c33417f523077534fd459685d83189a1bf426b3f59fe5e7be65ab871bb25b74f7569f98409c3766278cba8564d3ae8e05df5d3e07dc6c827b2

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 bd7679a92422b38c4515563aaa29069b
SHA1 b0c306394676167a60cb5ea5746b8928bee9078a
SHA256 a82d4798d8e1d15c6a24ccda4e222245b476d42b681b070356ae4551cc044758
SHA512 9a8129525f6bf305aac1eae0ad3cb4af4a50ab4cb404820b32d74c79fd913cfcb5b016fd12f07fad005a324685986544d0948bcee71ac2c64cb63829f30db399

C:\Windows\System32\SearchIndexer.exe

MD5 feb251a5a1ec0b6f157faa7d502f13b3
SHA1 48fe4b7c4d5d9fe562a7a590fb6ace09d1b4683b
SHA256 1e77ed05f15c467b9357e1d1e7cd2f3c56158d2f242ad1e186a79dbe0ddf5097
SHA512 aa382cff61f65c1580e1893a7036f5138c69098680a0e5215b604255f64b25cc0c0e77e119bc8bdfe6da4de3ca4e89f95286b70c98f6355830a4d4dfcf8fa91c

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 0b3a7eb6c9f30115d74e509f2e72821e
SHA1 9a1e5718d56ccad808b035f7b54f4b67a3d1ee55
SHA256 5aee9b507e4d46dafcb19ef04466e04aead79b3811b78f90dd5358eb677f9499
SHA512 33846ae0ddd896d55080a13461766b7714685d25e6b9c9db4dd4ced080d61d62d7ea8fb349bb2054e957421413c137dff7edc7f96d50e3ee769c8366b554c171

C:\Windows\system32\fxssvc.exe

MD5 e8161db3e5f7cf7045c471ed87d4752d
SHA1 fffcb96be72106996e53d14d5a9cf08141d85543
SHA256 326dfe7ac99093056e632c7da0155b248fccb180032b94ad2ae7287a648f5b45
SHA512 a9e527abd07f4cbede9525fbadacb71ebf2fddb3fe5a127c7f9df4d952f27b7f759f4d31fcb666b5fe09b6d691d15e36562d5258dab5f729f98114da9ea8eb96

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:32

Reported

2024-04-07 23:35

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\482c189e2a644d7f.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\fxssvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\alg.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe

"C:\Users\Admin\AppData\Local\Temp\949916bbbc30569165fd655ebf8e5b188ee170e6e6a3c4b5512664dfe510a4d1.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 708

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

Network

Files


memory/564-98-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/1540-105-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/564-106-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/3904-261-0x0000000140000000-0x0000000140237000-memory.dmp

memory/912-268-0x0000000140000000-0x000000014022B000-memory.dmp

memory/564-271-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\odt\office2016setup.exe

MD5 3b1ba317249bf2d92c09979047272baf
SHA1 e551dd17fd29718a1e8f35701794054209990bbb
SHA256 b453bd7f0546af6a8d90ebb7d068bcd7b7702a325d1bc004218b8c3cf266d57d
SHA512 3970ccd63d02d7082840f18837b6aabf97d8a0d88c88e68ee8e8fb38d4b9c3d3a8cb97d85e82532c3e7dd0bf004240b0bdbe6ba9c1d1e0ca18a5c72a7c5db482

C:\Program Files\7-Zip\7z.exe

MD5 a2e6b1a02525c24f26f5dcaede35c075
SHA1 2d9c3c0efb0c7819ce9b5e7dd9c8efac7dcbcfcd
SHA256 7f1f3baf2c1b0b4cd012d6fb0b9264b364351be728e8987478c98b29ea6eda4b
SHA512 77a0eee68fb85ef1b5c8780363fee4ff1cfd45f8ff1190e2bf1461481dfe899cedb0429dd3517fb1b553f1d399fbd90f9eca2cbb4325dcef13b036ba814a42a8

C:\Program Files\7-Zip\7zFM.exe

MD5 690d36897773d465e0194795ce60daf0
SHA1 c0234faad062b2cc1a391eac3f77c4753e3cfdf5
SHA256 9be1ca865e6fa6713530fd9f8994c8fd2533548b8efff8576d13156897ae44ce
SHA512 21e2b475f7947f755aafeec7bf15f4d64a1f8562f3df4a5d71a3265b97ccd6a3c379a8c85eeb6d804a6ef1d6c6286cd3ce1e7128f304584a599c6295ff3abca7

C:\Program Files\Java\jdk-1.8\bin\orbd.exe

MD5 258bf88c8456a755c2c5d133be5c6345
SHA1 915c05d7f01790b9f07a4652869f2bc61165cca5
SHA256 f45e801f1101f6efaa0867bd5454a7e87542e4910e5a05f0c158352f003260f4
SHA512 743a42289f4506c8987dbf8875e2df759b700807e189266bf23557968c4cfa26238b4eb540b5701131d57a35c5c9be50758dd652d48da61c97f9ad9e18d637cd

C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

MD5 b31e6389787bcf7e3742a35ff23b093d
SHA1 f07236e61ad16e43f09a488083c0b3c1e008bc33
SHA256 078e79f59e70eeaa08f071440cec5d2aad7c165158b47c450dc478a32442faef
SHA512 4dec2471afeafc999526814b0766e8ba957c816f5286e323c4139a3fde22d08c8cae13fee8c707db1ce404ebed17f165b3a5e54fad4340e3c37930bd367cbac8

C:\Program Files\Java\jdk-1.8\bin\ktab.exe

MD5 dda143751313b473132f7945d2113075
SHA1 5efd4392345e2263224c4c93d338a955983a10ab
SHA256 e65f1aab029af49f920456b73d89627bdf0ce364af8a8de19b977d3fd96f57ec
SHA512 bf679166fc5b178e998bf70e00841d05301620abc18f0624cf044815043ea4f5f5263445921f40aa5e5d77e0f46e6dccf4f1479eef738ddf6e4df17d11c0f316

C:\Program Files\Java\jdk-1.8\bin\klist.exe

MD5 3ed068abe812979628c0eda8891e0d41
SHA1 434d1ccdf429f30fd343421520fc8d2a0bb9d01b
SHA256 23b30caf3b4adbf18869c7ddd9a1382ee2a437a569a67322e48c419597bf92d7
SHA512 76eaea8d973183c225707de1c383b84eca27cf43a991e2ac61a99f893a0018eae7ab42c4b9336c062990197fedfcc0f0b39cd68252d05966c8aba6f64a04d220

C:\Program Files\Java\jdk-1.8\bin\kinit.exe

MD5 24bf8ad0a47b5dd86a6b607d21e243e9
SHA1 0da5915351985a29e3113249c109cd480b4bff5d
SHA256 2fcc3ba6119d58e83dd4f19de0f92973afb753db55f717a724dd5c876402000e
SHA512 f2df39b95415b2bd46aee11853922b7c6c7350685916062c67e9286e27eb0f081a68bb6b3c665e67d922fc56454da93223372cb13a75cab6b368bfb89623b64d

C:\Program Files\Java\jdk-1.8\bin\keytool.exe

MD5 83de327ae6530b10ff840ee95653dd58
SHA1 33c277459c86f5a8d16233792275f0352962068c
SHA256 8678961352e190a6869d1e6a02aed6d06636cf2c559093dd7870a73f8f471068
SHA512 11e1f0e1140c2f37325b18e60e9a7b7d4501dea4718621b4613f262c2cd0ea53419386f6fb06017a5531af5f62fb550aaadb924ba08260e8cff2fcdc0d86f6ba

C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

MD5 463e38ec6ee2515e9b918fa4fdde72f9
SHA1 7fa2b9e9cd59725f2fafe57229661317067140bd
SHA256 ad944d8cf85a5e07b6b42f9ce5253b5880f887bf2f819a7bd47048edf5aa7e36
SHA512 5ce2304934758bb8b0b51ef0e63fceeb9b846d7eb3afabcd92b7bb6ec965dab1745c1f2f5afdea681a9d7255b95d4f36a9c4dae9fede00387ec15bfa2965aaaf

C:\Program Files\Java\jdk-1.8\bin\jstat.exe

MD5 4348bc50f3a7093ce2d3d842b0ab01ad
SHA1 8afda1f707deeeda8e2e96e6b2037d7292755ea5
SHA256 944521561a887e3a8a6201857d9140ba4c550d9a6904d53adaf1a57a0d459687
SHA512 447ab660e914950c3f01e5148382ca88940947df0cfacef46e7facc2446623b6a144e1392d76469b7e8a3a745da08fd2cbb5524a2dc6d06fb72a05cca6b0219a

C:\Program Files\Java\jdk-1.8\bin\jstack.exe

MD5 5c460e4dbaf3e2b5a4bcbabc6d74aedf
SHA1 8bb86257bbe4a94c68da7f09cfd9db35c11049d7
SHA256 0e13540f71393a3f56daf72bf7c75c57fdb05f3f41197972d2a55c8128dd4482
SHA512 1c10ed986489242e282097b39689ec75f86f07d7edc5b38caff9fb743014c4ad805c0f8bce78b7e70ca76b4450a25d4e7f8435e1cdecf5fcdfbd7d9d275dbb0d

C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

MD5 b148de7a8ae17e18092f8ede2f0c88dd
SHA1 67ce0df943a006c05a4e71c3d5847d7ed42a438b
SHA256 806d75fd8a132040fdbc7a6a61226246bb98f125b0a5bcc7fdf6fc4e41cda7a2
SHA512 a97f5e4e308e5abfed8921ddc512af231b35d5d8439594b848d1ac051a38f2a2da93b03681789c32b1c0fd103acecd6616b0beef45734a24ef65f1b40ac7598c

C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

MD5 f1ee47f2a45525d6a93b724b507377d7
SHA1 a54ec4149dd6e3bb8642a6b50db10f1b3fc82321
SHA256 34a29e508bfe8f5188675a6a375806f654afe2fb4e0c6e797a5eef9bb292f61a
SHA512 4661fb51f14728c5bef0bdf18c0c5ebbeb222b6deeda456e7cbc2b92be62787207d1b6aff60069c37ceeb543d137f6ce1845e964d80af5ef09278801c515503c

C:\Program Files\Java\jdk-1.8\bin\jps.exe

MD5 7c76da3b5c862376e1893510680ef5e1
SHA1 e4a1c90b387c450b5428ecedb489d9e5818cf266
SHA256 c03dfb8865bccaa0b8c5a0abcb75b0dad4173e5e666ff551a4780bfd0ef6b984
SHA512 8162b3e207f91276dd8939704ce40fcbcaa4729f2a7f0a18f4e803168f967c6a6b14b097a094b2e887de76893ab354a0712e58e3e644d00035f446539ae4016f

C:\Program Files\Java\jdk-1.8\bin\jmap.exe

MD5 146e1228cb4de2e384329e2e54f8de90
SHA1 5ec14156e47fcf104755ed9279b68d2270ed8307
SHA256 86ac9991d5d094c9c2c49de22adf82a628b1e203fa9dd69e8ae939d2a9050e6e
SHA512 e3052be14a61ec1a4f0d98b62f0754d8151a7aebb746c01307be36aad36b405ac97b61ae0bfdca1db6db2954342ae9c9a3826445c1c54ae224723876e7f347de

C:\Program Files\Java\jdk-1.8\bin\jjs.exe

MD5 935b0d18fc277d6a0ae77a9fdbabaad3
SHA1 3564637bfa2988d4a63f7238ef42d7db674e9481
SHA256 727908f77a4583a54278fa7f5a80087d17b96f3404b842c185dbc530edcf4423
SHA512 fe1122cd0451fcd55eba5a5fcf1cfea08c926222084825c3c899a11fb3d3d0300d7f12f898c93d13f31a058770b79c1297aad722e4989456409f70216f6a6e4b

C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

MD5 7e456faf80dfc29586d8d264ae4a67e5
SHA1 b203897e2ad4a9822ff492e7dcb63b989b89240c
SHA256 8e71b067a62dedf49153dd20fd3c9a90b08490b098354c8b3e8ab6a234b05778
SHA512 9e8030b3a8e9001a22341eba9e2f92a49133626276edb04fb0d5b762fdb86e017c8cbb8795d7b277bb718412fdf37d72e95f50e022f8d482dca53f4c429b8707

C:\Program Files\Java\jdk-1.8\bin\jhat.exe

MD5 b0cf13e5e76244f0e52695b1e732e279
SHA1 75ce7b6db9ffcd2d5439d1418cde9fc0edfce745
SHA256 2f29899998483a50c91ae141bc98456463bafe46f3bad77cbf494282b8a1ba66
SHA512 4a5301695bbd8d3b376f3f35af14af7051d0ffce496c1f3cc34081486849c6cf8ac5fa49573c348f165d85e1f66e034b53f7c976961d5f95d9c2cc0820f489e7

C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

MD5 4d40638fe47b171956f83754857e1ab1
SHA1 2017a910f5c0b9378f408dd0561c486ce66e0598
SHA256 61cfc083d6bed27ff9ff6726570f6d010eef6abc97f69cd175d42838c8f69759
SHA512 c62cea8a8bd621dd72857b9a3020476b9a33ac08d969357faed37f026d77f3e7a81d08b703d2df3301379bac7e4a6943cec42cbd6589dbfb71d0c45e6fbc7bdf

C:\Program Files\Java\jdk-1.8\bin\jdb.exe

MD5 04633d2f25f5961cd8b5bf1c8a3cee4e
SHA1 d2f1ae14003ebea2bedb7b612094ed23ae1b76ca
SHA256 4e71716b1e6e10882fb7b2eb9563dab7868f39519219dc467afda496a0f7a55a
SHA512 c0d021314cd643772ce6d0f7e8c775c4fa67b73ce891340ff56fae46a94d458aa6ff7304c15df248c6c717d519d70486408263920cf699c55175bbfa424607a9

C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

MD5 a3e2e5d72584793c86532429439bcf44
SHA1 bc052f8d7d55f84250b747f13d0e260b4efe021d
SHA256 e5c55757919d686cf204d71a1e5cb77ec2f533b822f2e0d0c9cee8ee20e37f90
SHA512 6440b4944b50be6744d68ac2b03136605392fb2efca0dd5f202fb5a9a3fd49f1abe18468195f2c98cdca19483c66784b5dd4f4cce176e804da4daf23a32ecc84

C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

MD5 f262fe614fcbfff4a94afacae0ade5a8
SHA1 e76c220744efaea21ceef697c2c242bae95656d3
SHA256 f5a858cbae7dce8bd300d01ca7a46b28f769348824d8e77eb57a9048e41a87bb
SHA512 28b83ad843cac8988121b0859b52abb7d112659aab34d5a9ad968a0c8103f9e8a89a8bd5c88dfee1a1d56682cb90de1abaf823749f15832fe14722d684ac5d1b

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 4fc73e06df12278b4c93dca854188214
SHA1 715ad7136de58ef3863aa2b32532f0d1cc1a64d1
SHA256 6225860d0eb543943bc9c79008e216a2dc2ffdaee64a39b29eddf29d39c883ee
SHA512 1d53fc1789a1a7033624ea21b7b93cff2281b7265ed3c3c80ac8bac763d42d19a83a7949a24764e9860f8d573f608e982d99971e7d3a8751b7413b46dcfe9781

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 fdc9163db851666afe5f57955d569de4
SHA1 6c8d7731b70f37fafa56def39008abbc0d8e0a59
SHA256 bed87f1b834855d0a9cd199b25e0e083eb7250a4d2a41c131d0f3f588e2fdee9
SHA512 f1821d04feb9077c828ef4f0c7690ab5f15f60a47475e4d5b7672e0c9529eba22f3dfc72bb1f58049c02d14fe2dab57594de37a295bdbdfcb92c4402f5670f45

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 36ce2af6595f1fedf02539110369b3d8
SHA1 b5470f50268e9ab877c3b08cdcbac56f8581a3eb
SHA256 6a4838ce11815c8b15f612955bbe4ba9a22dd33666dfa9c70c9d6b4656c057c4
SHA512 081c25a83a05d3d15a0a36891dc80f4ca0f6aba0fb3f4579d996229ac5f779dd44a57831796bb22e9561f48ebed6fa3c0a2e29d65c8e349a42da0344df438ffb

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 3d2a2c3f9cb3a8266869eeec8fb8e06e
SHA1 3fe98d4aea6257b32f7d2966b86590bdfa550725
SHA256 78aff5395022edcf5943b17ce6603ed8bcf5fe0d57e2a26dbac2f3f9b872c236
SHA512 027ebfeedf49bfd7407e92faf6fb9e7345601176bbaa91b0877801a8aa9c028a749b1d33476d56672ddf656cd27be0ff19421377ea688091d09723456b322e95

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 f056e71dd834a11de4390ab1c496abd0
SHA1 72f69229bb05edc948ab1ea763ccd1030aa42b40
SHA256 ce76d793ad135bd27f4d35bf7649915e9828c9778f054d366fc3164f94a7a469
SHA512 38576b5eaeccd45aa8e45097f20168bf569bd0c8308a059795f078f1bbbc9573ac930e3d6a35c0857060fdc73d951584e89e7b17ce46bf54d62ee0cd87ea8aec

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 e81d96947f3501ed18bfaa421a8ac83f
SHA1 db5fd3c4e9504c3ca59c0f39039acedf77a5d079
SHA256 fc5f71e6f3e730e0981010a8d1d041d60d3eb14a4c2f486dfaba54627131ee02
SHA512 3a53672f4d2cbdff2d88af63258af9394d0df7d336c22c311498e3033744e8549b528a5aba3cc5ad40ff9a061c3739d93b8795b1c6d7134adade7ff86df779d0

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 3f9e1f022d9aa7d3e26b468eab81edaf
SHA1 fe74bb7266d777259c0d77d55dc9a9a127c0ba21
SHA256 78116f7e02ffcb3708ab8f8a262d9469611515d025c02f3f08d6371687efa2ec
SHA512 a23806bf1ebc30fd1dd810411476e9144fc94d0ba07ffbb5208716b6a9b5b96ec594c5bf96ac9f63b0e492b463d73ebdf56adf1dca16d37b9da0774f69935dac

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 e091ca4d34265075391834bfa9d61369
SHA1 ff517b62f3dc1487a3bca7efef93016b4148ba89
SHA256 40fcd504bcfdfa9b91fac44e9a5912b5c6d7a2ccd78f557f2c4aa03f3d1173ef
SHA512 152875666f199ea4c28ef6f4c7891e0059b3aac2ff9759ed85a99d955838ce5354fff83cc8cc0d8d1eecf276052d101357638ce5e70265a8ef95d5ed23a239ed

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 7bec20d0154435ba6bfe99a572d1cf38
SHA1 3563cc02b1ee516b767347bb425b905e13132851
SHA256 fdc4f8fb10790181861053f6aa6cc628ed4db523550153d6cd70ba2c38ffc4ba
SHA512 540629c7950616a0750bded32eee8e0cc37f65a292c85541e371f09f39c1d72fe9356d6c8084fa8b7d7d82c07255fe5d2e24f362701a299e50af2ee9c35d6e01

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 3dba4e7b038b72c1340973c09800b0c7
SHA1 3523c80723c993ab31699ca0e936a3fe65a96d44
SHA256 95a019629c397c310ac823c42b145175cf491ce0ff5496d2a351f03d8e57135f
SHA512 0d5a1c4965f940d1190796859dc6e004c76056d4c399e512189ebad717b61f23477ccdaa7c267f05350d89b610162148c426fb6ee3ed816d78fb282f51d81560

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 4871a3af45ba8f97b75c77d49726f974
SHA1 5667928744925c3efd8e7d4a15a3bd889237c5d8
SHA256 134af4083f95ffbfd7e3c736df959dbb95905975fdbc07e70ce5ed729a6cac77
SHA512 88563aed3ea167bf63450b7e4dbf1bede788d05b01b207764ee50a3ded43961c8d19f60097080ce6153d1ca830ffb2563f334e49b7319a7d53a29cdedc6e09af

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 7eb955a66c92a706982bd69c41e4afa3
SHA1 402be9902295d4a613ffbc6ce0f399dcad0e48a0
SHA256 1377e5f01ebd203345bb84c6a115dce5163e5927e02ab310cb37ff511d68dbe2
SHA512 adf86785f3189c17cf6032d247d0f45937eeeca269bc83340057a289bf3f27ad2f2f12cdfb68931ea21d7c44933893d62a78743b1f75d62ad9946ff9d2fd6d2b

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 4dc197765d64b1df1176fb6505c8c288
SHA1 30e70283df39de838f2804075b28cbba01130687
SHA256 1b09eb3441546f0d0832ce4795f78cb4ed34c6cb66d0afa47a9b08cc9d0cdcaa
SHA512 1777f6ba1f385b26f173a3f937e0b08b258351204229e9519aa962edca8392b0215214994acb537e553ae78e844fa724db8bf10eca251eb187e5a2e935c56f1f

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 3cc91c1306efff5ceb938eb80b8e24d4
SHA1 c0b941d7df156d61b8c31d4fdfc193ea1c2157a8
SHA256 2404ab7cae4c554315b7369a9926a8aa694fd757ad6f869af6a49b44d6ba7896
SHA512 d6f0db5a3d80c8a33c1ec7cd9bd272ab58a7fe42ea4f59b99ccb2f2f0b5722ab5ae6daae05188501da887d47381e31309e3416218fd3d86240b94aee78aaef26

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 cfce6da751658910c1836ac5e42b2a02
SHA1 2785ac3011873fb7aafef2fc44ff99626eb7276a
SHA256 ee39bd9ccb6259a95f1b66deb97ed7c541554915178000562ee043e260ee4f84
SHA512 64eae4293056f0cb2e60015cea751b0c080fe834bd2193645816ac4b0a69c2594af05b11ba56daa8875203492e4611ff89e8c65c871ccf669633be7d02af8b1b

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 1d18275011393251a4aad8ce981e37e0
SHA1 d59c8de43dd77726602bb5884e0a390ff64b878f
SHA256 a48fdf2e691adefc43441074ce8b1b77a505ce4209ea6120c21712d8d18eba29
SHA512 cc99485e9ccb34f66953dab887c6366b33427eea8c657e3f6c55eb37be8508503b235b01fb92603331e1fcba5c1f2f6318895e48689a431b5532fa030826c23c

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 a6a1813b347caef94096a146c2c29807
SHA1 0204410c586668bbffc9ca7012062f4f9d91da77
SHA256 af22d657c2393cd44fac8e7f147749dd75ae4b821c78fbcd5acb62a9388b4632
SHA512 e39a0a267553ad359d7c23337cc1582dd7b9f3c9383261768ba810269baec296bad9051dbd81aa6d6aafeff087e0984ef138b0d336e6ed45a058ee15a1f4305d

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 5b016b04bdf498dd5cfa997cb815ec62
SHA1 9c93aa3fb2fa112826c1aedaeca9875d918d9b53
SHA256 4d0c7f793ada9061605c93b9526156f2477e99e4135bca862546e19b7702a3e5
SHA512 868b177d5bb65a7db69b15ec905e71d5007be4202c3d93cb4dc2d76c87713706dc35dc98dc15c4c00b5d3b0ca4f5e21bfb6723794e927c776e4fe6b9534bbd47

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 aee69d0090df92ae94be56c357260671
SHA1 1beb1a909408bf7367dabbd263e34e667c84f8bf
SHA256 fe3b7d8dbd4db900f023e68d1d88be2dec412731802d9c95a099a0a0ebd39987
SHA512 6529373f38e318e5d081a3c311b52f25882b1f5bfb1b675d0709abaafe9af5798ea2f5a7fa2c9cfeaa91945111f24d661e60a5fa9577e21db58e58d8af47f334

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 6c33e0b31f4e2cec44bf0eca72ca171a
SHA1 25590daf44b316d1936b87fcd566f0cbc769ee4d
SHA256 85684531667ec7f229a031ef41eb20617d05e077cad45baf8367a0a7ae292b0b
SHA512 07af02c873255f8de0daef1aa963385ecc64190ee0929c69261c5ef7855c4548e2dc1144827bafd5bad30cb9bcc4adc0d59ee9a32b2921a72997348bc1440b02

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 45298307b979cc48398aa84e9d964b95
SHA1 37a1559bf079d6009ef7b0cd85f9bdf6cac80bab
SHA256 e0410fa71361453b61d6dd6dd3d7ab4b0219153760c2e3c9012ab9006beeae73
SHA512 c8883f794beee24d22cc6ea6c3ff2a24921b32a964d5da0bc41098e6596a9d020cd337e873516dd6d0fce754e5126fe7cbecac72ad72ee589443cf828113f9ce

C:\Program Files\dotnet\dotnet.exe

MD5 b990090da441cdd43dd0959d4fa0ed13
SHA1 af84773d4b8e25889318aa758349142ee3fce035
SHA256 1060ae3abab8a7dcea4f10a0487ab17ccda16f659e158f646c43cdf9ba6c5515
SHA512 167054e0ef7750c17ffac78e9015197f4e0177646b8b19634cfcdb0770bcaf36ec70d7c3c5b0eaa7ad4d78a3f04541a3de44be1b911fe6ad6b7941c0700880ae

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 1d6d50b4125fd6c68cb52eafae249532
SHA1 cc5fb8fd86b0d4c659f8f0eb230902962626b2a4
SHA256 ca892979b32b4327be5110c5e42502a1eb94b543c6b8357428e70b144b73d754
SHA512 2b3169a975fcca1c7c70f41aaaf96b997823b58d6b044ffd2c378a4a7b806739e0c34e36af4c5c50924b2ebbecde03f67835e666f62c1d4eb7437013e9c975d4

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 8d8b386c6464e6597588d133547a9114
SHA1 4ffc43f5d2514f3ad2c6638459cec40fe67339a8
SHA256 7b53a514434332bc0a9d0c2702789b5e596cb32c2f5cea5165c5a0e14a9e9b6b
SHA512 bd2977fc6645346e4ff6b2446c939eac2a26a08534de3f384cf2af12281efcf5d9660419190f755370a4bebfc16feaa12f5172ea98638a53413cc16a8ee5f194

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 8db10c0742f34e54b974513f6cb36ab7
SHA1 7d62131ef51d92a621e95956dde78b1a014b931e
SHA256 9998d1fb821b5ac1d1cd4ed2904c0afd4852f8a820f7700242ee4ebf7b43368a
SHA512 4dd451fe3b9ecbbab6d6e988b0c1e0624746e80e526e271bc222d91df45c7695a2b60ef909683eba222662c9e5a1c1afbe262369523d29ec44738a3b06abe001

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 6d3d42ea213e336801925d6b2563bcfa
SHA1 97b7f43b3c943b1e4c77ca457168cfdae6657612
SHA256 1ec5943d353463cf041dc9cf761a0d06af052a56ad8e5dd1833120dee1a2c56c
SHA512 ce23ed074ac46a55e365c7ab84342e20ef1951e616722179e8eb7e925c26c54d8da31e878c8feeabe44cafe32296d4aaf46d2b3ba1f10efe31436f578417caf4

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 35329e7a8c309dabd168dc1fa7f5bbe5
SHA1 7ea66e0ff8c8c5036d2841df15db9afc3928404a
SHA256 5ddcadf0788a53d7bfd567ded773c6726dde558182464cd5fca110b1a46cc127
SHA512 89b9f59b91b3b4da4f8fa4fd551112007752e4528a8da007da31eff25111112109df11f751adb33357582e26967cdacbec238a74e4776a290384cac61b126533

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 584815d538d2244fd0958b58c72cf2f1
SHA1 54bb602420c7118c9c156ecdfac56f4b21d1e519
SHA256 354e83c736932d88302ee4adaf099fa873fe274cd492a9bfd50f9f5c5593315b
SHA512 f7ef972a984a8f1bdf59bdac372b6dbc1e652feb841d1a55dbc756754fce58059d1c02fcc2dfd9a0857170c0ed2f41ecba099047e1ab1c82cee5f15775b950d7

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 4b1430e3f5c09967ca5b0cef3c58b711
SHA1 43e17903c009ec1af62edff7e8aee616fb494b2d
SHA256 1f6ca7de409a36bdd0c39f3dce224d2ed41e269d647db3ca638f5c3767c3616a
SHA512 8dc41b46a371a1e4eec23ce812f46046647c6a7f0d5b35853cfe7e41406c12a95a59bf788b8c846a3d78435136d8e28ccbaf466bfbb30e392a14ae5c00055595

C:\Program Files\7-Zip\Uninstall.exe

MD5 df91020bee45c3519f398dea2676a2a5
SHA1 110657e275655b14676fed46b125a5486720d141
SHA256 025992f2120e4f8e95920c1fcd98bd7c4c4d8ddce45735854472c6988ae54826
SHA512 86104d2ccc60fd6cc3909d7b8385604a5c849581397b198c51e54dee0d4c889ba56f2767e1043010c74a8a9afbfdba391fbde346646e6c3a3eaee344433d0be8

C:\Program Files\7-Zip\7zG.exe

MD5 81c76508a6b3d60f96e5667dca7727c8
SHA1 a71c54da345b4ae999452df1cd7fd3ff40af8c52
SHA256 1d2d025384e3a91c7db98ed9ee0c1f93195164d3b2c4757006d821078c14801e
SHA512 737c0c64615e4ed57950acb99ef4f509c3d6e25861d144d353f51e8406e525142d59f33db06cf199a228e48dd389f79fd19d47a15d24345fcca7f0a43381348f