Malware Analysis Report

2024-11-30 02:48

Sample ID 240407-wmamgaag69
Target a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f
SHA256 a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f

Threat level: shows suspicious behavior

The file a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f was classified as showing suspicious behavior. In the behavioral run the sample "opened for modification" a series of existing service executables under C:\Windows (alg.exe, dllhost.exe, the mscorsvw.exe NGen binaries, aspnet_state.exe, ehRecvr.exe, ehsched.exe); those services were then launched and in turn opened further executables under Program Files for modification. Most of the processes listed under "Executes dropped EXE" are therefore pre-existing binaries the sample had already touched, not newly created files; see the "Drops file in ..." tables under behavioral1.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (no per-row detail recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win7-20240319-en

Max time kernel

139s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
(35 rows in the original; consecutive identical rows are collapsed with a count)
N/A | N/A | N/A | N/A
N/A | N/A | C:\Windows\System32\alg.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
N/A | N/A | C:\Windows\ehome\ehRecvr.exe | N/A
N/A | N/A | C:\Windows\ehome\ehsched.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (3 identical rows) | N/A
N/A | N/A | C:\Windows\system32\dllhost.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A
N/A | N/A | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (17 identical rows) | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 rows in the original, all columns N/A)

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\2cec6ca6cea407a.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_hi.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_zh-CN.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\psmachine.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_nl.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_ru.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_et.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_ml.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_tr.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_pt-PT.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_el.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\goopdateres_bn.dll | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4428706-9FC9-45BF-9BFF-A4C212F871CF}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F4428706-9FC9-45BF-9BFF-A4C212F871CF}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
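
The "Drops file in ..." tables record who wrote which file and "Executes dropped EXE" records what later ran, but the rows are space-delimited with spaces inside the paths, so the chain is hard to read off by eye. The Python below is an example added by the editor; it is not sandbox output or tooling. It splits each row at drive-letter boundaries (an assumption, true for every row on this page: the Description column never contains a drive-letter path, while Indicator and Process always begin with one), then walks the write graph outward from the sample to show which executed binaries the sample had written first and which files those binaries wrote in turn. The rows and executable paths embedded in it are copied from this report (a subset).

```python
"""Rebuild the write-then-execute chain from the flattened signature tables
above. Editor's example, not sandbox output. Rows and paths are copied from
this report (subset); the only assumption is the column-splitting rule:
Description never contains a drive-letter path, Indicator and Process do."""
import re

DRIVE = re.compile(r"[A-Za-z]:\\")  # start of a Windows drive-letter path

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe")
NGEN32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"

# Rows as printed in the report (Target column is always N/A here).
ROWS = [
    r"File opened for modification C:\Windows\System32\alg.exe " + SAMPLE + " N/A",
    r"File opened for modification C:\Windows\system32\dllhost.exe " + SAMPLE + " N/A",
    "File opened for modification " + NGEN32 + " " + SAMPLE + " N/A",
    r"File opened for modification C:\Windows\ehome\ehRecvr.exe " + SAMPLE + " N/A",
    r"File created C:\Program Files (x86)\Google\Temp\GUM31E9.tmp\psmachine.dll " + SAMPLE + " N/A",
    r"File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2cec6ca6cea407a.bin C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe " + NGEN32 + " N/A",
]

# From "Executes dropped EXE" (subset).
EXECUTED = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe",
    NGEN32,
    r"C:\Windows\ehome\ehRecvr.exe",
    r"C:\Windows\system32\dllhost.exe",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe",
]


def parse_row(row):
    """Split one row into (description, indicator, process); drops the N/A target.
    Raises ValueError for rows that carry no file paths (the all-N/A rows)."""
    starts = [m.start() for m in DRIVE.finditer(row)]
    if len(starts) < 2:
        raise ValueError("not a file row: %r" % row)
    description = row[:starts[0]].strip()
    indicator = row[starts[0]:starts[1]].strip()
    process = row[starts[1]:].strip()
    if process.endswith(" N/A"):
        process = process[:-4].rstrip()
    return description, indicator, process


def generations(rows, sample):
    """Breadth-first 'generation' of every written file: 0 = the sample,
    1 = written by the sample, 2 = written by a generation-1 file, and so on.
    Paths compare case-insensitively, as NTFS does (System32 vs system32)."""
    edges = [(ind.lower(), proc.lower()) for _, ind, proc in map(parse_row, rows)]
    gen = {sample.lower(): 0}
    frontier, level = {sample.lower()}, 0
    while frontier:
        level += 1
        frontier = {ind for ind, proc in edges if proc in frontier and ind not in gen}
        for ind in frontier:
            gen[ind] = level
    return gen


def staged_binaries(rows, sample, executed):
    """Executables the sandbox later ran that the sample itself had written:
    the 'Executes dropped EXE' hits that are really rewritten system binaries."""
    gen = generations(rows, sample)
    return sorted((p for p in executed if gen.get(p.lower()) == 1), key=str.lower)


if __name__ == "__main__":
    for path, level in sorted(generations(ROWS, SAMPLE).items(), key=lambda kv: kv[1]):
        print(level, path)
    print("staged then executed:", staged_binaries(ROWS, SAMPLE, EXECUTED))
```

With the full tables pasted into ROWS, generation 1 is the list of system binaries to pull for comparison against known-good copies, and generation 2 (firefox.exe, the Java and Adobe tools, the 2cec6ca6cea407a.bin drop under the SYSTEM profile) is what those rewritten services touched next.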

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 816acb9f0100000000000000040000001890320100000000e2e045280100000000000000040000000100000000000000e0967d7f02000000000000004a000000350039006100350032003800380031002d0061003900380039002d0034003700390064002d0061006600340036002d00660032003700350063003600330037003000360036003300000000000000000077da4c9402000000000000004a000000360066003300320037003700360030002d0038006300350063002d0034003100370063002d0039006200360031002d003800330036006100390038003200380037006500300063000000000000000000ada4eeeb0400000000000000080000000000000000000000ada4eeeb040000000000000008000000000000000000000058192cc10100000000000000040000007800000000000000847bccf10100000000000000040000006027000000000000 | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A
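
Every row above is written by one of the services the sample caused to start (OSPPSVC.EXE, the Office Software Protection Platform licensing service; ehRecvr.exe; GROOVE.EXE), and they land under .DEFAULT because that is where a service running as SYSTEM keeps its per-user settings. The long VLRenewalSchedule blob is the only value with content worth looking at, and it is not opaque. The Python below is an example added by the editor, not sandbox output: it decodes that hex string. The record layout it walks (u64 id, u32 zero, u32 payload length, payload padded to 8 bytes) is inferred from this one value rather than from any documented format, so the walker checks the assumption on every record and raises instead of guessing; a layout-free UTF-16LE string scan is included as the fallback that works on any REG_BINARY. The result is two GUIDs and a handful of small integers.

```python
r"""Decode the REG_BINARY value OSPPSVC.EXE wrote to
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule
(the hex string in the table above). Editor's example, not sandbox output.
The record layout in walk_records() is inferred from this single value, not
from a documented format; the walker verifies it and raises on any deviation.
utf16le_strings() needs no layout at all."""
import struct

# Copied from the report row above; split only for readability.
VLRENEWALSCHEDULE_HEX = (
    "816acb9f0100000000000000040000001890320100000000"
    "e2e045280100000000000000040000000100000000000000"
    "e0967d7f02000000000000004a000000"
    "35003900610035003200380038003100"
    "2d0061003900380039002d0034003700390064002d0061006600340036002d00"
    "660032003700350063003600330037003000360036003300"
    "0000000000000000"
    "77da4c9402000000000000004a000000"
    "36006600330032003700370036003000"
    "2d0038006300350063002d0034003100370063002d0039006200360031002d00"
    "380033003600610039003800320038003700650030006300"
    "0000000000000000"
    "ada4eeeb0400000000000000080000000000000000000000"
    "ada4eeeb0400000000000000080000000000000000000000"
    "58192cc10100000000000000040000007800000000000000"
    "847bccf10100000000000000040000006027000000000000"
)


def walk_records(blob):
    """Yield (record_id, payload). Layout seen in this value (assumption):
    u64 id | u32 reserved (always 0) | u32 payload length | payload, padded
    to an 8-byte boundary. Raises ValueError as soon as the blob deviates."""
    off = 0
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        rec_id, reserved, length = struct.unpack_from("<QII", blob, off)
        if reserved != 0:
            raise ValueError("layout assumption broken at offset %d" % off)
        payload = blob[off + 16:off + 16 + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % off)
        yield rec_id, payload
        off += 16 + ((length + 7) & ~7)


def looks_like_utf16(payload):
    """NUL-terminated printable ASCII stored as UTF-16LE, at least 3 chars
    (shorter payloads such as a lone 'x' are treated as integers)."""
    if len(payload) < 8 or len(payload) % 2 or payload[-2:] != b"\x00\x00":
        return False
    return all(0x20 <= payload[i] < 0x7F and payload[i + 1] == 0
               for i in range(0, len(payload) - 2, 2))


def decode_payload(payload):
    if looks_like_utf16(payload):
        return payload[:-2].decode("utf-16-le")
    return int.from_bytes(payload, "little")


def decode_value(hexblob):
    """[(record_id, decoded payload), ...] for a REG_BINARY printed as hex."""
    blob = bytes.fromhex("".join(hexblob.split()))
    return [(rid, decode_payload(p)) for rid, p in walk_records(blob)]


def utf16le_strings(blob, min_chars=6):
    """Layout-free fallback: (offset, text) for every run of >= min_chars
    printable ASCII chars encoded as UTF-16LE, scanning byte by byte so it
    does not depend on 2-byte alignment."""
    found, i = [], 0
    while i + 1 < len(blob):
        start = i
        while i + 1 < len(blob) and 0x20 <= blob[i] < 0x7F and blob[i + 1] == 0:
            i += 2
        if i == start:
            i += 1
            continue
        text = blob[start:i].decode("utf-16-le")
        if len(text) >= min_chars:
            found.append((start, text))
    return found


if __name__ == "__main__":
    for rid, value in decode_value(VLRENEWALSCHEDULE_HEX):
        print("%016x  %r" % (rid, value))
```

The two 0x4a-byte payloads are 36-character GUIDs plus a UTF-16 NUL; the rest are 4- and 8-byte integers (120 and 10080, the last two, read like minute counts, but that is a guess the value alone does not confirm). Nothing in it references the sample, which is the point of decoding it: it lets this row be set aside as service housekeeping rather than kept as an indicator.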

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(64 rows in the original; each target PID appears in four identical rows, collapsed here. Every row has PID 2688, an instance of C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, as the writer and another mscorsvw.exe instance as the target, which matches the NGen service starting the "NGen Worker Process" children whose command lines appear under Processes. Keep in mind that this mscorsvw.exe is itself one of the binaries the sample opened for modification, see "Drops file in Windows directory", so the parent doing the writing is not a pristine service.)
PID 2688 wrote to memory of 1656 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 3028 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2156 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2272 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1604 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2768 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2104 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 984 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1960 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1588 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1504 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2560 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2652 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2132 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 1872 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2688 wrote to memory of 2792 (4 rows) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe

"C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 25c -NGENProcess 24c -Pipe 248 -Comment "NGen Worker Process"

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 258 -NGENProcess 264 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 268 -NGENProcess 24c -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f0 -NGENProcess 270 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 1ac -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 250 -NGENProcess 268 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 250 -NGENProcess 184 -Pipe 1ac -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 240 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 278 -NGENProcess 254 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 280 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 268 -NGENProcess 264 -Pipe 254 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 264 -NGENProcess 284 -Pipe 288 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 28c -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 290 -NGENProcess 28c -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 2a8 -NGENProcess 1d8 -Pipe 2a4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 284 -NGENProcess 2b0 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2f8 -NGENProcess 2fc -Pipe 304 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 324 -NGENProcess 310 -Pipe 320 -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
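
The Network table above is the raw IOC source for this run. What follows is an added example (not part of the sandbox report or its tooling) that parses those rows, separates resolver traffic on 8.8.8.8:53 from the HTTP connections, lists names that were looked up but never contacted, and applies a rough lexical check for machine-generated labels. The embedded rows are a subset of the table above; the vowel-ratio and consonant-run thresholds are assumptions picked for illustration, not values from the report.

```python
"""Pull IOCs out of a sandbox 'Network' table.

Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of
the report's Network table (Country Destination Domain Proto); the
DGA-heuristic thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict

SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
"""

VOWELS = set("aeiou")
RESOLVER_PORT = 53


def parse_rows(text):
    """Return (country, ip, port, domain, proto) per data row; the header
    and anything without a numeric port are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append((country, ip, int(port), domain.lower(), proto.lower()))
    return rows


def extract_iocs(text):
    """Separate DNS lookups from real connections.

    domains     : every name that was queried
    contacted   : name -> sorted IPs an HTTP connection actually went to
    lookup_only : names queried but never contacted (no answer, or
                  sinkholed/unregistered, typical for a DGA sweep)
    ips         : unique destination IPs excluding the resolver
    """
    domains, contacted = set(), defaultdict(set)
    for _, ip, port, domain, proto in parse_rows(text):
        domains.add(domain)
        if proto == "udp" and port == RESOLVER_PORT:
            continue  # 8.8.8.8:53 is the sandbox resolver, not an IOC
        contacted[domain].add(ip)
    return {
        "domains": sorted(domains),
        "contacted": {d: sorted(v) for d, v in contacted.items()},
        "lookup_only": sorted(domains - set(contacted)),
        "ips": sorted({ip for v in contacted.values() for ip in v}),
    }


def looks_generated(domain):
    """Rough lexical DGA hint on the second-level label: under 30 % vowels
    or a run of four or more consonants. Cheap and noisy (it also flags
    some real words), so use it to prioritise, not to convict."""
    label = domain.split(".")[0]
    if not label:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    run = longest = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for name in iocs["domains"]:
        where = ", ".join(iocs["contacted"].get(name, ["(lookup only)"]))
        flag = "DGA-like" if looks_generated(name) else ""
        print(f"{name:16} {where:32} {flag}")
    print("ips:", " ".join(iocs["ips"]))
```

Run as a script it prints one line per domain. With the embedded rows, two names were looked up but never contacted (pywolwnvd.biz, zlenh.biz) and one host answers for several names (34.128.82.12 for both ssbzmoy.biz and knjghuig.biz), which is the kind of pivot worth keeping; the lexical flag is only a prioritisation aid and, with these thresholds, misses lpuegx.biz.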

Files

memory/2992-0-0x0000000000240000-0x00000000002A7000-memory.dmp

memory/2992-3-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2992-7-0x0000000000240000-0x00000000002A7000-memory.dmp

\Windows\System32\alg.exe

MD5 d1337ddc4cdd03ab2e00f1ec02fa7294
SHA1 8f6a57fd27f1efb9384d57960aa9c92ff123cf05
SHA256 7e0a6870b302ab2ed5bb0c42fb8c27025a2a94d7e168fafe7d21d1f5dbbc0a9b
SHA512 f2c933002c3942f592c3189d94790ad854db195f437de168f4c36b583db1b1cdddd01c74fc654f16f6cd18267197440ed64f461013b18d039c81effb12f4cb52

memory/2568-51-0x0000000100000000-0x0000000100145000-memory.dmp

memory/2568-70-0x00000000002B0000-0x0000000000310000-memory.dmp

memory/2568-88-0x00000000002B0000-0x0000000000310000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 788ce640777ed344af2330cc66b86059
SHA1 4b48c86a5fa78001acf8d2aa29bc47051683284b
SHA256 273f7547f8836d51e02be92d10858c73d2e12e460f4401ca72587f5230ccc3b7
SHA512 49e8f9d0d4f75d9a408a9b6bdda191d38c6da7e8c59d35f20d5b5e8c9cd4b2700f13a9b3066268464566aec253c41c19add47ef0b52b82736b92d1a7b43519cf

memory/1596-94-0x0000000140000000-0x000000014013E000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 e78a193dc327eb62996ddc63b9a2bea9
SHA1 1d3f3eea3889978ba683f9962297793f14a550f2
SHA256 7c4e321b6ae1a52da1352fcf1a722b66794a0e999ac5f57d2f7b7472eceb94bb
SHA512 825a740360f3080dd0554bd7d0d70e13d0bdc369904b835b1a53b1f0bbee62c9253883ee3ba0e7df20e8a58417cf12ea22eb3333a0abb9bf0dfaf3f96115dbbe

memory/2912-97-0x0000000010000000-0x0000000010140000-memory.dmp

memory/2912-98-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/2912-103-0x00000000002C0000-0x0000000000327000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 067e2bcda566a5af6fab026d69c5cb66
SHA1 7ddb8bbb2491d0ad2048b7b0ea38b1ef3a6680f3
SHA256 20bda8c53333d130efd6afbbea37f9e7036eed5158d6ddf0cb885783e5c49bd4
SHA512 fa368c11b40d9202b1b6e624fc54c2b1a9d7f65cda36aceb7ee94dae5c87108814130a81ce76d58a72fbddc00db87467216c5d12e8f25d923f1bf8bd2e6439d7

memory/1972-113-0x0000000010000000-0x0000000010148000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 68bf40d182fb7198e2cdd3276a99ad4d
SHA1 f299225468dbf34b3671c5fad59d195e116279a6
SHA256 eee9841f4e0fa6622803966238298e97a506f5086454d276b2a6b7639b0e57ee
SHA512 8db7794ec3ce92a1e3d4c717962783abd3f1b7ad3d0e969b1f97ae236414724226bb90ed72da532cdadfa56397a2d2e0feda7cd27a7934c5ee78fc628d192f9c

memory/2912-121-0x0000000010000000-0x0000000010140000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 e694a34068d1132adcbb3132b0c0ceea
SHA1 b88dedd2f6633a5d5318ad014c64a7c25ef4ec93
SHA256 4328c5e27d3e9dec77b235da08dde8548af2cbd63331e00f4506a52e7c0dc761
SHA512 167f91a84ff9803f27a96f351b3b9da280f346b442d9b574d57ce05a36256f44057c4a68b9ba0f73c14dc214ba6ccadaa8fb2f1d9b82863d6385df438af1467b

memory/2688-123-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2688-124-0x00000000006C0000-0x0000000000727000-memory.dmp

memory/2688-130-0x00000000006C0000-0x0000000000727000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 42ab56b2a2f3a93f293b1a41999cc506
SHA1 e3a4c8c158081a32750a5f2b5fdbe564e64af17c
SHA256 720b954dae0c18c7dc29800c412f597f2ea87236b9862d669b399bb8d61becab
SHA512 2442355339f176808e5e81047a5865b08b99bf3675634a0ad19dcb3811fbad3d937693d3c13e4b104042ebce405ac67e20dd7e110ef617613fdf73838df8928c

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 f847e14e556c7f6250f8be05ef4e3003
SHA1 b9762962d9f946ef61b0c5011375f1e2cadc6894
SHA256 2946280f4e46a035bd1ee0cc5c63dc8c3aa9e42b63f0bd6823104290f5a80a70
SHA512 01539fd3233890b564afc18099e100af2f7fc5859cdaaf5c60ef4e6f67603e326061603820b362e9f672a14a60c9ba80bd64609164d459fb0cdb134054b77b16

memory/2992-140-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/1952-143-0x0000000140000000-0x000000014014F000-memory.dmp

memory/1972-141-0x0000000010000000-0x0000000010148000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 c7df407585cd2cc2d62bb07fd6ff20cd
SHA1 e8aa3cca8f7f5d63b8429ea75b79b473e6e368a8
SHA256 126ed7908e75edfc4e83d5d2f27a2b357ca5a1e251378232857ef8ad046e75ec
SHA512 046808303f5c7a1ddd54b01cec6ef45d62ad14bff767ba764a19386c40267802dbaca951e2d3af113033f3e2a0058321ed4d74e1efcd155ae6cdc82a80ac9cf0

memory/2268-150-0x0000000140000000-0x000000014013C000-memory.dmp

memory/2268-151-0x0000000000860000-0x00000000008C0000-memory.dmp

memory/2568-158-0x0000000100000000-0x0000000100145000-memory.dmp

memory/2268-157-0x0000000000860000-0x00000000008C0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 79978e9fdb90817200c6b8c95d210e01
SHA1 9c06b0026fb2ca352986615710661f043d0643fd
SHA256 306dffaf6f77f120ba28a0018a95c361afb9e72f51cafcc597762efcedcd6d9e
SHA512 4d42d897dcdf28cd922e789bf886a0c3da341b86e1c0f3db6ee3828ef5dbc35592ce8544f60eabd325a138c2fc022c81ee74496035910aa23c6682a7f1722be0

memory/1924-164-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1924-165-0x0000000140000000-0x0000000140153000-memory.dmp

memory/2268-166-0x0000000001380000-0x0000000001390000-memory.dmp

memory/1596-241-0x0000000140000000-0x000000014013E000-memory.dmp

memory/2268-239-0x0000000001390000-0x00000000013A0000-memory.dmp

memory/2992-243-0x0000000000400000-0x00000000005DB000-memory.dmp

memory/2268-247-0x0000000001430000-0x0000000001431000-memory.dmp

memory/1656-252-0x0000000000400000-0x0000000000549000-memory.dmp

memory/1656-257-0x00000000002C0000-0x0000000000327000-memory.dmp

memory/2688-259-0x0000000000400000-0x0000000000549000-memory.dmp

memory/1656-260-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/3028-262-0x0000000000260000-0x00000000002C7000-memory.dmp

memory/3028-268-0x0000000000260000-0x00000000002C7000-memory.dmp

memory/1656-272-0x0000000000400000-0x0000000000549000-memory.dmp

memory/1656-273-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2268-278-0x0000000140000000-0x000000014013C000-memory.dmp

memory/3028-280-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2156-285-0x0000000000380000-0x00000000003E7000-memory.dmp

\Windows\System32\dllhost.exe

MD5 96d6f3cab05c86d986814a93809db50b
SHA1 2453a5de263e5a5ac430155f1d9438a0185778d3
SHA256 a564ece18a5ebe6384656d7baf75ae7096d0b6cf3a485d3c81ef1dae3f64c774
SHA512 37982b0f89298c8581dbb71a06e92b3a38e5d94e01395353b8c2a9b4652782768319036214449d16d592f68a8b20846d107065415a6a6a3507bbafb5db489744

memory/2156-290-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/1988-292-0x0000000100000000-0x0000000100136000-memory.dmp

memory/1988-298-0x00000000001D0000-0x0000000000230000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 86c92f10de4a04388d726c1cf9772b2f
SHA1 98281dc0ee6491bc23af28d2fa7ec18eb172129d
SHA256 2a36e7c031681f21928f685396c382b4001ba8fa3d445ec106b99b5e37cb9aae
SHA512 eea47e5bbd9e0db905808b5a1a2565aa97001684d9b5f9cf2d9337c5b9b01f4c6dd11308300be551ef3c7671971bfdd9531511f72883d7db497b2790c5d8017f

memory/2480-303-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2480-310-0x0000000000910000-0x0000000000970000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 6f48c16113bdee29a25e8a5b0512e593
SHA1 8db6f0c0ad876e3653e2fde81757b6c48db38f05
SHA256 898c3068c1aea8199885a92290170b1cd5af71151ed6ef79a110563cdd559108
SHA512 0f7b4eb1891282a6c1e49682d957ab6e15f683caa8b7caa86df069053e0588f637a259a4b8009ec48a8e50c692d6967cb219c527ae8bd3ed4ccb612059d07de2

memory/2340-317-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/3028-321-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2340-323-0x00000000004A0000-0x0000000000507000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 745b738ed7dec2680a8087ff7f43deb2
SHA1 6e74e62edb77ce16c037b7f8380f1d1ae65265a6
SHA256 5688a3bb5b03cd6d72f2115c6a919141d85a75b253cf2be2e8445afa1d036f4c
SHA512 db6759ac3d48654640ce284aed251076d25dc6cc271a103304d081fa3950cee7fd91511175be3ec4ab8f2744d7d5aa3c142f8519c3a6db2a60546035108a1368

memory/2664-328-0x0000000140000000-0x000000014016B000-memory.dmp

memory/2156-334-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2664-336-0x00000000008E0000-0x0000000000940000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 7585b5a99e46ad40f25af12f1a0daabe
SHA1 40d842bcc8fbd18427086c3781110a4c4a106605
SHA256 b424b621cc47f4bcf92e6e5771dbb7b72930a1635777f00b6b430d10f2e71b67
SHA512 2ddac29f91926ad219d9d1ff34aa3a170521826f77c3d0eaf9548af5af5a762a87dd124d7af63d55b85f8b064890237ef198e69c662be927770f6146d66d8e66

memory/2156-340-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2664-344-0x0000000140000000-0x000000014016B000-memory.dmp

memory/2664-345-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/2788-346-0x000000002E000000-0x000000002E156000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 e9724af980f0d6821337f9014532a700
SHA1 2d1d856372c530b14a0affc71897250946a37bf5
SHA256 8d8f8356dfd1f17cae8c4aabec916e8033e0b78e6951cc784c916de0eda205b4
SHA512 df88023c225b2a0abb96ca559648d894f6528f699e5046896a1e7f41f2933528f1bb46de00581783ec6d056b2521bebfa8309adfc4b99f30256c29b1c80644f1

memory/2060-350-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1988-356-0x0000000100000000-0x0000000100136000-memory.dmp

memory/2060-358-0x0000000000450000-0x00000000004B0000-memory.dmp

memory/2060-359-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2480-366-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2272-372-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2340-376-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2272-378-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2060-454-0x000000006F9C8000-0x000000006F9DD000-memory.dmp

memory/2156-453-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2156-455-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2788-463-0x000000002E000000-0x000000002E156000-memory.dmp

memory/1604-465-0x0000000000B00000-0x0000000000B67000-memory.dmp

memory/2272-468-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2272-469-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2060-470-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1604-471-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/1604-520-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/1604-519-0x0000000000400000-0x0000000000549000-memory.dmp

memory/2768-522-0x0000000000230000-0x0000000000297000-memory.dmp

memory/2768-528-0x00000000746B0000-0x0000000074D9E000-memory.dmp

memory/2060-552-0x000000006F9C8000-0x000000006F9DD000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\bin\java.exe

MD5 7b5279957dc14b0bf3b3f3ee2a82836f
SHA1 608a16b27d3f2a9f8b2c87dc59d9830fcaae0883
SHA256 e6293403c33271f32d807879c4c2aea229bff9a62d3760922bd4a40e00521d62
SHA512 13202da173bd293f1f5c13cdb4b1f734ec82f236bde74bd27b4020f2ce7084eb84a77763af86522bf2ccaea54450d723792ca819f3ec88de0f1a22c28b39c8fb

C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe

MD5 6255afbe6e88d40d2b2c9ab9f3ad8e0f
SHA1 0785ab3e1c76487a1884d5a5c7e3955938dc1aab
SHA256 eacac1cbd27fab2a3dd845d6adf60cd00eac69e6567b662e00a5f4643167ca5b
SHA512 3cec73afb5839d05a55ba16f71af4fd73df32ade11e51dd548b80ce442653143c6d530ca1b358f0dd77ee7a6147417297e2cec985e4510c293474fbfa95aed74

C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe

MD5 13a9b972c8c604f2ded23f6a818bedb2
SHA1 07d40ab916f31dc5ae545b424cf46f38d22e962f
SHA256 cc281c501598f96b43ca21fd28bb6d78362ec91d837a95070ded877e5b3c857c
SHA512 82e8a4d7be2f7e1cf669dd4c6726fb8d410d14f2704dab1af3d0ce546e5dc889ca8541d4a7d922c4060a24f48c0b45d0b578b0e3fcccbe5d8658ce1d79c0e238

C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe

MD5 d24da4de3ed6f8999331ffd6cf1bad73
SHA1 800a85b37bee63372699c426b4e71f570108265d
SHA256 25bb2d969e246830a0c9a2c64937a58f6e4733b7c13760e90ccf1a03db89be53
SHA512 326d6efba6b3133375f1c683c6ad39bb0f56910b7662d0184e3ddf3e8f1cf7acf0429b91fe7d145cac888a479f9efc01d873eacd1d5267e64009e2068b1ef13c

C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe

MD5 5381a357255fdac1b34d571b165f2bc5
SHA1 ff99181648364780a9e35e31c298c24ec5c27d2b
SHA256 493614697a42adaf0f402f52dd61b2bdc1d293a5470961fa22fea7879491dae9
SHA512 8a7e9f3a1987c9166ebe5f8b02ddd2e3cd05d3964510ec3bdd7f6c51c3740ce018c4f9f1bbae919625abef462a846143e8a8cad9403ea36266ef02813dca4311

C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe

MD5 eaf726bb71ca8589eda727e23f4a0d2d
SHA1 e4fb771ab53fbf49ef55ceb5bd6e44ff27d87d47
SHA256 ebed7f291056ae52839b7e6817532998d13bbe0ac9e2bf0f0a97b70180016171
SHA512 7ed680f53b049554fc96ee9440f8b830f5d1858d993fa222ce58d07123f63c15e483015736497de619fd02158a7190b998804f6bc4dd4278c3eefe344885559a

C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe

MD5 255f5f09f4c98445fac10a52f3414ed3
SHA1 25b1364ef3de1a7ac8f7f242aad92992e282cdbd
SHA256 4416d065c9d660fc1a792adb39447453d73f03bda5f6f537de6fbb22c3c2da74
SHA512 577972cf2a4c246311db9b3373b2ec4c10f70f7f1db322e85516afde6ad110a3efff4e9e2405752b66aee26e405e94b3b83f3452b32e6461ab7f0eb8cff217b2

C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe

MD5 77a080d91614c63dcab0b1d871bff4ea
SHA1 2f5c2703a7745109ebc36511dfb25ec54bebbe81
SHA256 c0d746767aca4235b6e139cb2d3c561112cb879d7aa33b2098f939b06c555bf0
SHA512 1561f6200b70d862c225c8e163a8ea4f415b645ee3ef24fb6edc6b46e463baf419044677c2b80e95a1a7568c4ddc71388544875a17d361a7ff189e19649e460a

C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe

MD5 04da04488bc5eef1b20c33e9165a9c8a
SHA1 3716760898dd7c0ecd404a14bdd0cc4bea7a31e6
SHA256 cdb604ec2a46924fff9477fa602ad499f238f3ae2991b6e77a6d84f2a49e3c22
SHA512 89624649382bcde427341ea79e65c39f2811e683fef9b6210271ed4d5971c41db335413b8734713ee7a03893f733912e5ec22aefc38f5b6c68cdb8abca940931

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 33b059c415f8724eb7f01d319cb48e61
SHA1 64cd44eeec0ac307298716b29d991465c6189d42
SHA256 5b2934822e51e05340c6c9688652c93b70861130ac908254616526fa5e75fecf
SHA512 1589b10f5f18450160fe12dfbc4713bb600c9f3acb9618e519f6cf9501cb8de0a1033baf7d4a3219cf9e96b337bcd006050564adfc6efef766f5e755a16a07c6

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 89f959108089ec2a5dbb0dfbdc63ec83
SHA1 3b1eef2ab75f774bd57b8f75c3ebac1ecbad5667
SHA256 b7bfbf8dd3b666d964140db98fb40b49807405d95ed759992e1f9dcb096f69ef
SHA512 5aa7a6308da1ed699d94c707930f510d8493214a72ee97d58ddb10845f88cceaabe5cb82908459d73c0feda752078d7a01567ebf026102aeb934486bddb75ccf

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 78ca57c185918fe83b1c39ce7c9e1c5f
SHA1 7fc82a0fd9978982b12da6ed3b5c5845d514d9c1
SHA256 8403d8febdcdfc732a62c242b0eeeaf91ba995d42c9a298a791385c4bda7bb86
SHA512 4674a2302ab7bc43612e3787b093e8e17ba8201a4d418409b014dc017da71a77ad42353e9206059b9ce942c425fe67fee769a25bfec583ad4e8f714bfba1e7ee

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 f0ede86377287c4d5e6bdda3d33352bf
SHA1 8ffd4550c2a2515c0f9360794434bb4819e375f0
SHA256 7e3e9ef80504273ba9ae8448300c6664f1aa0682ec68b1813f4882f3991037ba
SHA512 cae40f7c08a3155a1aa41b28f863e812481752335526df2cca07292e534f0206dc7dbc6578c9a3b9bb4f862c2edb99c429a7a5eb82714b7f64e95e5de9d2878f

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 dbc573aef259519c905c57a33ac0f4e0
SHA1 a3cfd202c9068d04ebb3485a018feeba95110803
SHA256 0763c636cb1d273976eaba64d19755a0e1c00576d105ea05636e3be321da1f8c
SHA512 4bb2c08af5f0d75c49dfc4163cfd24df80b597a3a429d83cd71425403bd0d9a5f9f683d1460a373571c5c5931dedd9e9fca35dcc3701fb51a938c7bedfc7cc78

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

MD5 6a81baaa21acd903fef1b1ea1514c27f
SHA1 18b2a7fa70d255945dda649c2d73a60aaabd504f
SHA256 e16cc2edfe3fa84a6dc38122072b9a5972e828a932ec2b275e25ccc162e03ce3
SHA512 7638cef3ef0ca515d979637e68702dbd9ddcb7455ee8e4b227443cc0c6f5d172f77de67ad7793dca9b2c42903f82c16217475949084d6950b3eb3554cd790e56

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

MD5 77df036b401639499db95bb9b0ab517f
SHA1 c1efb5b97ec1dce541d5ccc263d33df9d41a10bf
SHA256 43a7274ba6ef87209aeeb82a001a023e4e172dbfb8c1f1c0fef2bbda8d4712ec
SHA512 b743748dd0f42473a7a2a4c3ab9c831b912f1adc101a91ff1515c7769e9f2025087b51ff481a9042886fed01c5730ca625ab501025c568d2f9d9e28fbbe92e7c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

MD5 c18d9adadb5c3945a63f57456b150b47
SHA1 ff29f4b5510fcc8b8e86e5fa38b74cdd2de3241a
SHA256 e3bd0025ee9d918e0922ff619e7513fd9df54ccfad69c073164f6ab0a57b6dcf
SHA512 75261da4c23376d2db65dc8a70598b8e7be677d788a2cc1bfca6411d71952ee2c677104d1674487096f11852684bdb8a24937590a5e978a8fd8f68e009d973bb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

MD5 b91f7aa50621c3fb9ffa9bcedba7a660
SHA1 997caeb200043f86a48061438415159e0da269fd
SHA256 4c99a401a23e127115b0a7e9bb1d52f64a0b082f6cc8007786fd2fa9a0b37fc5
SHA512 6070f00c04ccd553aa201f32822a196d2ca41cb479d95ef0b72ae7132355935d50ac73bc82623fcac0bb2a14bc136872ddb1ddde9086e654ffacc16cb62242d4
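
The Files listing above mixes memory-dump regions (memory/PID-N-START-END-memory.dmp) with per-file hash records. The following is an added example, not part of the sandbox report: a parser for that listing that yields the dump regions per PID with their sizes and the hash record per path, plus a check that hashes the same paths on a mounted image and reports whether the exact binary seen in the sandbox is present. The excerpt embedded in it is a subset of the listing above with the blank lines dropped; the image layout (root/C/...), the C: drive assumed for drive-less paths such as \Windows\System32\alg.exe, and the stand-in file contents in the demo are constructed for the example.

```python
"""Turn the sandbox 'Files' listing into a hash set and check a disk image.

Added example, not part of the sandbox report. FILES_EXCERPT is a subset of
the Files listing above (blank lines dropped). The image layout root/C/...
and the C: drive assumed for drive-less paths are assumptions for the demo.
"""
import hashlib
import os
import re
import tempfile

FILES_EXCERPT = r"""
memory/2992-0-0x0000000000240000-0x00000000002A7000-memory.dmp
memory/2992-3-0x0000000000400000-0x00000000005DB000-memory.dmp
\Windows\System32\alg.exe
MD5 d1337ddc4cdd03ab2e00f1ec02fa7294
SHA1 8f6a57fd27f1efb9384d57960aa9c92ff123cf05
SHA256 7e0a6870b302ab2ed5bb0c42fb8c27025a2a94d7e168fafe7d21d1f5dbbc0a9b
memory/2568-51-0x0000000100000000-0x0000000100145000-memory.dmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
MD5 e78a193dc327eb62996ddc63b9a2bea9
SHA256 7c4e321b6ae1a52da1352fcf1a722b66794a0e999ac5f57d2f7b7472eceb94bb
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """regions: pid -> [(base, size), ...] taken from the dump file names;
    files: report path -> {algo: hexdigest}. A bare path line opens a new
    file record and the hash lines that follow attach to it."""
    regions, files, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, base, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions.setdefault(pid, []).append((base, end - base))
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h.group(1)] = h.group(2).lower()
            continue
        current = line
        files.setdefault(current, {})
    return regions, files


def to_image_path(report_path, root):
    """Map a report path onto an image mounted as root/DRIVE/...; drive-less
    paths (assumption) are taken to be on C:."""
    if report_path.startswith("\\"):
        report_path = "C:" + report_path
    drive, _, rest = report_path.partition(":\\")
    return os.path.join(root, drive.upper(), *rest.split("\\"))


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_image(files, root):
    """'match' = the exact binary seen in the sandbox is on disk; 'differs' =
    the path exists with other content; 'missing' = not present at all."""
    verdicts = {}
    for report_path, hashes in files.items():
        want = hashes.get("SHA256")
        if not want:
            continue
        on_disk = to_image_path(report_path, root)
        if not os.path.isfile(on_disk):
            verdicts[report_path] = "missing"
        else:
            verdicts[report_path] = "match" if sha256_of(on_disk) == want else "differs"
    return verdicts


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Stand-alone run against a constructed image: alg.exe present with
    stand-in content, mscorsvw.exe absent, plus one constructed probe file
    whose hash is known so the 'match' branch is exercised too."""
    regions, files = parse_files(FILES_EXCERPT)
    probe = r"C:\constructed\probe.bin"
    files[probe] = {"SHA256": hashlib.sha256(b"probe").hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        _write(to_image_path(r"\Windows\System32\alg.exe", root), b"MZ stand-in, not the real binary")
        _write(to_image_path(probe, root), b"probe")
        return regions, files, check_image(files, root)


if __name__ == "__main__":
    regions, files, verdicts = demo()
    for pid, regs in regions.items():
        print(pid, [f"0x{b:x}+0x{s:x}" for b, s in regs])
    for path, verdict in verdicts.items():
        print(f"{verdict:8} {path}")
```

The demo builds a temporary image in which alg.exe exists with other content (reported as differs), mscorsvw.exe is absent (missing) and a constructed probe file matches its expected hash (match); point check_image at a real mount to run it against evidence. Region sizes come straight from the dump names, e.g. 0x400000 to 0x5DB000 in PID 2992 is 0x1DB000 bytes.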

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win10v2004-20240319-en

Max time kernel

149s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\98c6fc464ab059c5.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
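
Each row of the table above names the file written and the process that wrote it, so the rows can be replayed as a graph to see the chain the sample sets up. The following is an added example, not the report's own tooling: it embeds a subset of those rows verbatim (with the sample's full path substituted for the {S} placeholder), splits each row on the whitespace that precedes a drive-letter path so that paths containing spaces survive, and treats an executable that is written by an already-infected process and later appears as a writer itself as the next hop. Case-folding paths and stripping the \??\ prefix are assumptions about how the sandbox records them.

```python
"""Rebuild the file-modification chain from the 'Drops file in System32
directory' table.

Added example, not part of the sandbox report. ROWS is a subset of that
table, copied verbatim with {S} standing for the sample's own path.
"""
import re
from collections import defaultdict, deque

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe")

ROWS = r"""
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe {S} N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\98c6fc464ab059c5.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe {S} N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe {S} N/A
File opened for modification C:\Windows\system32\fxssvc.exe {S} N/A
File opened for modification C:\Windows\System32\msdtc.exe {S} N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
""".replace("{S}", SAMPLE_EXE)

# Whitespace immediately followed by a Windows path start (X:\ or \??\X:\).
# Splitting on it keeps paths that themselves contain spaces intact.
PATH_BOUNDARY = re.compile(r"\s(?=(?:\\\?\?\\)?[A-Za-z]:\\)")
NT_PREFIX = "\\??\\"


def norm(path):
    """Case-fold (NTFS paths are case-insensitive, assumption) and drop the
    NT object-manager prefix the sandbox sometimes records."""
    path = path.strip()
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def parse_rows(text):
    """(description, target, process) per row of the form
    'description target process N/A'."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(" N/A"):
            continue
        parts = PATH_BOUNDARY.split(line[:-len(" N/A")])
        if len(parts) != 3:
            continue  # header line or a row that does not carry two paths
        desc, target, proc = parts
        rows.append((desc, norm(target), norm(proc)))
    return rows


def build_graph(rows):
    """process -> set of files it wrote to."""
    graph = defaultdict(set)
    for _, target, proc in rows:
        graph[proc].add(target)
    return graph


def propagation_chain(graph, root):
    """BFS from the sample. A file the current process wrote to which later
    shows up as a writing process itself is treated as the next hop; the
    result maps each such process to its hop count."""
    root = norm(root)
    depth, queue = {root: 0}, deque([root])
    while queue:
        proc = queue.popleft()
        for target in graph.get(proc, ()):
            if target in graph and target not in depth:
                depth[target] = depth[proc] + 1
                queue.append(target)
    return depth


def writers_of(graph, target):
    """Every process that wrote to target."""
    target = norm(target)
    return sorted(p for p, targets in graph.items() if target in targets)


if __name__ == "__main__":
    graph = build_graph(parse_rows(ROWS))
    for proc, hop in sorted(propagation_chain(graph, SAMPLE_EXE).items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {proc}")
    print("fxssvc.exe written by:", writers_of(graph, r"C:\Windows\system32\fxssvc.exe"))
```

With the embedded rows the chain is the sample at hop 0 and alg.exe, msdtc.exe and DiagnosticsHub.StandardCollector.Service.exe at hop 1. fxssvc.exe is written by three different processes but never acts as a writer in this table, and the only write recorded for msdtc.exe is its own MSDTC.LOG, so a hop-1 entry still needs a look at what it wrote before it is treated as infected.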

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_el.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_ru.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_hi.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_no.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_is.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_pt-BR.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_sl.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_tr.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_hu.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_pl.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_zh-CN.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_kn.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Google\Temp\GUMBD35.tmp\goopdateres_ro.dll C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe

"C:\Users\Admin\AppData\Local\Temp\a00075c5c47e08ea09d550ee014e4ff872b12405cbb3e1f178bd1b7e0272704f.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3648 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 97fbde5ef52548ab23163e364bbfe0e1
SHA1 3a7a2b2e058c1f586c9019d1f659f8822991411b
SHA256 06b346b2ffe8b81e9dd1efa22a81ab3c9d87bbdb4fcc11dda3edc3e46f41acdc
SHA512 f0b2e72bae571c3c2a0abc5a10eb5b1fdc8422d571fca1893e29470345f4e7cbd25329d9d5c98b01f998040474ac1b128ac75b717ec504d46551f28b1ce12ff4

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 5ba3e3f9d39e377be1f47caf4e31bccc
SHA1 d278d68f8f7d4f82200be5fa97e93dcc404352f8
SHA256 44cb3c12e7cc4b5bbf5dd733aa62e93b9e072fc98a606ef88abf931a2892fa68
SHA512 1bc78998b955dde8a77a4b66c6106d88c216463d598b71cefc1493009865473b272198ac9d091221d236583e46ee5a681b677f4e44b6b55a67f31f190e1bcfe4

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 7408c8371983e1ed7c0e703a027b2aec
SHA1 2be51045f3c3801699b78b9205cc052ad55f1fe2
SHA256 7f6f77582ba9f8ade92b34288044b6349fc1124f04355ffbd044d88df9c8c2c7
SHA512 f92b4554341a8f9c7c48f9ce401b388a6797b97a2c75b83669a3bf67642afb2f94dd2a8ade1fc7a28d9a81346c281f03f89289428b36a383ab753e05898ebef5

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 74ff8e48fd9330cd3d9a5782648ad754
SHA1 170e75af1ac7739625b974ac3a761203571195b0
SHA256 2505e213fd326ad5e8b5467e164bfea12111221fa6e7b1fc6dcc8c16c04b974e
SHA512 6aeddb8ab756be09932374deef32c4cedd3c0ef301d6718af8c7f6b7a4082ec9ddf55e59c2c496d115356826c6ac11385139cd09375e0d47866f45a1252f0e4f

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 b2085070619470d6da5a4157d8920dec
SHA1 ffff28a0d81debd19d85fff8a4e347c6c24b4325
SHA256 dde3a27702f3d20e8cd1b6b1d62da1b78818faae6b888a4d4409f8a23eb62ee5
SHA512 34d984cd40df027b69aa96368313a7dea1a306c4ba0c1708804a7ba43faba65e75771fb5b28f7ca5ea2cd2a133408807b06165229f5975a764f392e5ba4d2910

C:\Program Files\dotnet\dotnet.exe

MD5 c3d598c2f6bbb05dfa3eb115af375819
SHA1 2712d753a0a51e4aa0ca48aeff1932a6d57a3d2a
SHA256 ea2433e750cb5b0ab5e14ada46fbcb6642c4d1882bcd94bae782047c1b73cd1e
SHA512 704a2a0ae753e31cf454a5b4bd0af863029de4f0a1961e79bfe220af93ed608d63c953efd9d1ea74a5ae109eeeca5e48ea9526e21c60c34a332192e44f3b3c40

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 cb896108b233791c3e6d589ebd16381c
SHA1 ca97c769a089b8a923ee34e5e1ece7148ffd92ac
SHA256 f766602b71142065d5447eb54fbd13891da68079b407cb2034386b36b70164f1
SHA512 e87175bc3bb0fe750d8e3ce5355c432a942e3d9da5ce245b4a34450e36e2e9165c6bc4aefd1e0d31791215b2414fc3f54793daea1d1d91178ba23f88585329a2

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 f1ae21fc1fc339891f92bf9be9ec5a3f
SHA1 7e492cc5db592a5cdc6d12c59511496141a896f2
SHA256 a5adf667964bc8cca1f35883197d82ee6c2e8cfd2c0669ae72875681d5616994
SHA512 12188743c7a404f858d51fca0ed63679e27ee82fa9a1533df9fad55ddb3556531466bb1691820cf6ce9c65243647b469f52b5a77792ddea5fdb03a1f466d982c

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 cc3f345d2984dab16ba8bea0e85ef73a
SHA1 32bc676f1bc96f7af8ebf940e9a95281b53187d4
SHA256 0e01d4864c0fac961aaddd4adf46c12517aa693506d4d53e95d0291209cd3b6e
SHA512 ab116e07a1bd390f9836f49a94faefdc5dc7fa0febb37d71ff2b5387af04f4153d5d03b358057089e3221f2b9d246eb3b5660e0a8b8a7cb85c6a3564cb2ec80f

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 df23dfabb5de279582ba6ac73173bc42
SHA1 eea174aba9c5fae4d9bb18f0d7bc557607139839
SHA256 b22c3d2031b147bceb019dd45c5e2acc8421c6b5e1d09933b565c15d606fb30b
SHA512 3aae6cf1db4b425d2b419fadb5081556bca78427ed77772d3e0296ae14d6b9fc342ee13b6befc46e79447660727df6fd0ec79a71ae74415ed30b6b58d0c40617

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 672e67268473a4151375c019b7124ad5
SHA1 bcf76221588127fa0f30056995391000f430722f
SHA256 65b66bd95ef9a27b357d93505e8b337a0143eb1f61ab87ef964f3659731bd17a
SHA512 7699c2bcfe6bd8f0028caa30fc833e2e7733038a059b6f1f0c7d6649717b0ea6ca1d211a3cb4e61d0bb62cfb738c502ef21ef838f3fd7c81acad79846faac8e8

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 691a20070070ee12cf38502b629bc3a7
SHA1 3262744f9788befed8e946361ff4c90f41a38b7e
SHA256 dd3fb7756f62677923c59d0a4bdfc915748e06a6a58913ddc5290b4e8e6ac7ee
SHA512 290895cf18bb42f07f5ea4163bcd71d5c92484b19016995ed4b54560c47fe994edfc469bf2678103b56ecabc5b99053bc6f4beca26ae2614a4b7f0a0e2dadca2

C:\Program Files\7-Zip\Uninstall.exe

MD5 493121e3114559b4cfb7da0f2535c169
SHA1 3da12d8d94ebbe779c2046f4782e68768bc69829
SHA256 f62644d3deff7b2e8561e0f12db2e621509fcb8054da7a3511a6512f62ab163d
SHA512 7216b9939a35b2d92845395f8b4a3b62684072393456efd059758480c8321e136257c9b2086fe2dcd1fdd681ca126903ab55325cd0b5da7bd4a7f8ca13542194

C:\Program Files\7-Zip\7zFM.exe

MD5 50ac564e49462dad95d72f5408dda544
SHA1 d9de6e5cc02d69b6696879426ff9e506a228da3c
SHA256 79d3f86f62197d89dc616a9831b512bfe0b302aff4f02bf69ba56c88cead754c
SHA512 814fe0c053cc281074743ccb705e5633a0c2930aec4270144656d7c287121bb6b92e6850646daf30549456172c1eed8416be7efe416a0cce1172c8301bb6b2e4
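The listing above is only useful if it can be swept against a host. The following Python is an added example, not part of the sandbox report and not the sample's code: it parses the report's own "Files" layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines), hashes the corresponding files on disk and says whether each one is byte-identical to the artifact the sandbox recorded. The `locate` callback, the two-entry `REPORT_EXCERPT` (copied from the listing above) and the file contents used in the test are assumptions for the demonstration; on the analysed Windows host `locate` is simply `Path`.

```python
"""Sweep a host for the dropped/overwritten executables in this report's "Files" list.

Added example (not from the sandbox report). "match" means the file on disk is the
same modified binary the sample wrote in the sandbox; "differs" says nothing about
cleanliness on its own (other build, other install), so follow it up with an
Authenticode check, since the report also flags "Unsigned PE".
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Callable

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Two entries copied from the listing above; the full listing is fed the same way.
REPORT_EXCERPT = """\
C:\\Program Files\\7-Zip\\Uninstall.exe

MD5 493121e3114559b4cfb7da0f2535c169
SHA1 3da12d8d94ebbe779c2046f4782e68768bc69829
SHA256 f62644d3deff7b2e8561e0f12db2e621509fcb8054da7a3511a6512f62ab163d
SHA512 7216b9939a35b2d92845395f8b4a3b62684072393456efd059758480c8321e136257c9b2086fe2dcd1fdd681ca126903ab55325cd0b5da7bd4a7f8ca13542194

C:\\Program Files\\7-Zip\\7zFM.exe

MD5 50ac564e49462dad95d72f5408dda544
SHA1 d9de6e5cc02d69b6696879426ff9e506a228da3c
SHA256 79d3f86f62197d89dc616a9831b512bfe0b302aff4f02bf69ba56c88cead754c
SHA512 814fe0c053cc281074743ccb705e5633a0c2930aec4270144656d7c287121bb6b92e6850646daf30549456172c1eed8416be7efe416a0cce1172c8301bb6b2e4
"""


def parse_file_listing(text: str) -> dict[str, dict[str, str]]:
    """Map each path in the listing to its {algorithm: hexdigest} block.

    A hash line whose length does not fit its algorithm, or one that appears
    before any path, raises ValueError so a truncated paste of the report fails
    loudly instead of yielding a partial IOC set. Paths without hashes are dropped.
    """
    listing: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:                      # any non-hash line starts a new entry
            current = line
            listing[current] = {}
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} digest for {current} has length {len(digest)}")
        listing[current][algo] = digest
    return {path: hashes for path, hashes in listing.items() if hashes}


def hash_file(path: Path) -> dict[str, str]:
    """Compute all four digests in a single pass over the file."""
    hashers = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
               "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def check_host(listing: dict[str, dict[str, str]],
               locate: Callable[[str], Path]) -> dict[str, str]:
    """Classify each listed path as 'match', 'differs', 'missing' or 'unverifiable'.

    `locate` maps a report path (C:\\Program Files\\...) to a local Path: `Path`
    on the live host, a drive-prefix rewrite for a mounted image (assumption).
    The strongest digest the entry carries is used for the comparison.
    """
    results: dict[str, str] = {}
    for report_path, expected in listing.items():
        algo = next((a for a in ("SHA512", "SHA256", "SHA1", "MD5") if a in expected), None)
        if algo is None:
            results[report_path] = "unverifiable"
            continue
        local = locate(report_path)
        if not local.is_file():
            results[report_path] = "missing"
            continue
        results[report_path] = "match" if hash_file(local)[algo] == expected[algo] else "differs"
    return results


if __name__ == "__main__":
    for path, verdict in check_host(parse_file_listing(REPORT_EXCERPT), Path).items():
        print(f"{verdict:12} {path}")
```

The list is worth sweeping because every path in it is a legitimate, normally signed executable under Program Files; a "match" is a direct confirmation that the host carries the sandbox's modified copy. Because a fresh reinstall or a different product version will legitimately report "differs", treat that verdict as "check the signature and compare against a known-good install", not as a clean result.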