Malware Analysis Report

2024-11-15 06:06

Sample ID 240407-x63m2acc5w
Target 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7
SHA256 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7

Threat level: suspicious behavior

The file 25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7 shows suspicious behavior (score 7/10); the signatures that produced the score are listed below.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:28

Reported

2024-04-07 19:31

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\de9f465f8ed1090.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_76312\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{6FB5F2B8-50C9-4E27-9F75-756369A42747}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
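The three "Drops file in ..." tables above do not actually record new files being created: every row is an existing service or application executable (fxssvc.exe, alg.exe, msiexec.exe, vds.exe, wbengine.exe, firefox.exe, elevation_service.exe and so on) opened for modification. The Process column is the useful part. The first writer is the submitted sample, but alg.exe and DiagnosticsHub.StandardCollector.Service.exe, both of which the sample itself opened for modification, then appear as writers opening further binaries, and alg.exe also writes the dropped de9f465f8ed1090.bin under the SYSTEM profile. Binaries that are written to and then go on to write others is the pattern a PE file infector leaves behind; the report does not show what was written, so treat that as a hypothesis to verify by hashing and signature-checking the listed executables on the detonation image. msdtc.exe, by contrast, only writes MSDTC.LOG and DtcInstall.log, which is what the DTC service does on its own start. Note also that the summary lists "Executes dropped EXE" and "Loads dropped DLL", but no indicator rows for those signatures appear on this page. The script below is an added example, not part of the report: it parses a constructed subset of the rows on this page, builds the writer-to-target graph, walks it from the sample to list the propagation generations, and emits the executables to verify. It assumes the row format exactly as rendered here (fixed "File opened for modification" prefix, trailing N/A column).

```python
"""Triage helper for the 'File opened for modification' rows above.

Added example, not part of the sandbox report. It parses a constructed subset
of the rows on this page, builds a writer -> target graph and walks it from the
submitted sample to find binaries that were written to and then acted as
writers themselves.
"""
from collections import defaultdict, deque

PREFIX = "File opened for modification "
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe")
ALG = r"C:\Windows\System32\alg.exe"
DIAGHUB = r"C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe"

# Constructed subset of rows copied from the tables above, trailing N/A column included.
ROWS = [
    PREFIX + r"C:\Windows\system32\fxssvc.exe " + SAMPLE + " N/A",
    PREFIX + r"C:\Windows\System32\alg.exe " + SAMPLE + " N/A",
    PREFIX + DIAGHUB + " " + SAMPLE + " N/A",
    PREFIX + r"C:\Windows\system32\msiexec.exe " + SAMPLE + " N/A",
    PREFIX + r"C:\Windows\System32\msdtc.exe " + SAMPLE + " N/A",
    PREFIX + r"C:\Windows\system32\fxssvc.exe " + ALG + " N/A",
    PREFIX + r"C:\Windows\system32\SgrmBroker.exe " + ALG + " N/A",
    PREFIX + r"C:\Program Files\Mozilla Firefox\firefox.exe " + ALG + " N/A",
    PREFIX + r"C:\Windows\system32\config\systemprofile\AppData\Roaming\de9f465f8ed1090.bin " + ALG + " N/A",
    PREFIX + r"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe " + DIAGHUB + " N/A",
    PREFIX + r"C:\Windows\system32\AppVClient.exe " + DIAGHUB + " N/A",
    PREFIX + r"C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A",
]


def parse_row(row):
    """Split one flattened row into (target path, writing process path).

    Both paths may contain spaces ('Program Files (x86)'), so the split point is
    the last ' C:\\' in the row: the process path is the final drive-rooted token.
    """
    if not row.startswith(PREFIX):
        raise ValueError("not a file-modification row: %r" % row)
    body = row[len(PREFIX):]
    if body.endswith(" N/A"):
        body = body[:-len(" N/A")]
    cut = body.rfind(" C:\\")
    if cut < 0:
        raise ValueError("no process path in row: %r" % row)
    return body[:cut], body[cut + 1:]


def build_graph(rows):
    """Map each writing process (lower-cased path) to the set of paths it opened for modification."""
    graph = defaultdict(set)
    for row in rows:
        target, process = parse_row(row)
        graph[process.lower()].add(target.lower())
    return graph


def propagation_chain(graph, root):
    """Breadth-first walk from the sample.

    Generation 0 is the sample; generation n+1 is any path that a generation-n
    process opened for modification and that later shows up as a writer itself.
    Paths that were only written to (never writers) are not part of the chain.
    """
    root = root.lower()
    seen = {root: 0}
    queue = deque([root])
    while queue:
        proc = queue.popleft()
        for target in graph.get(proc, ()):
            if target in graph and target not in seen:
                seen[target] = seen[proc] + 1
                queue.append(target)
    return seen


def executables_to_verify(graph, chain):
    """Every .exe touched by a process in the chain: hash and signature-check these on the image."""
    out = set()
    for proc in chain:
        out.update(t for t in graph.get(proc, ()) if t.endswith(".exe"))
    return sorted(out)


if __name__ == "__main__":
    g = build_graph(ROWS)
    chain = propagation_chain(g, SAMPLE)
    for path, gen in sorted(chain.items(), key=lambda kv: kv[1]):
        print("generation %d: %s" % (gen, path))
    print("%d executables to verify" % len(executables_to_verify(g, chain)))
```

The verification step on the detonation image, or on a suspect host, is to hash each listed path and compare it with a known-clean copy, and to check the Authenticode signature (Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck): a system service binary whose signature no longer validates after the run is the confirmation the report alone cannot give.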

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
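The rows above are registry reads of SCSI device instance paths, and the instance path itself (device class, Ven_, Prod_, then the instance ID) is the fingerprint a sandbox-aware sample reads: "Ven_Msft&Prod_Virtual_DVD-ROM" is the synthetic DVD drive Hyper-V exposes to a guest, and the disk and the other DVD-ROM carry the vendor string DADY, an unusual value worth comparing against the vendor strings you consider normal for physical hardware. Note also who asks: the queries come from SensorDataService.exe and spectrum.exe, two of the service binaries the sample opened for modification in the System32 table, not from the sample's own process, and the same holds for the processor ~MHz query by TieringEngineService.exe in the next section. The script below is an added example, not part of the report: it parses a constructed subset of the rows above, groups the queries per device and querying process, notes whether FriendlyName was read, and flags hypervisor vendor strings. The vendor-to-hypervisor table is an assumption listed in the code, not something the report states.

```python
"""Pull device identity out of the 'Checks SCSI registry key(s)' rows above.

Added example, not part of the sandbox report. The Enum\\SCSI instance path
encodes the device class, vendor and product strings a sample can read with
plain registry access; this script extracts them from a constructed subset of
the rows on this page, records which process issued each query, and flags
vendor strings that identify a hypervisor.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried) "
    r"(?P<key>\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Enum\\SCSI\\\S+) "
    r"(?P<process>C:\\\S+) N/A$"
)
INSTANCE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)"
    r"\\(?P<instance>[^\\]+)"
)

# Assumption: vendor strings that only appear on virtual hardware. 'Msft' is the
# Hyper-V synthetic device vendor; the others are the usual VMware/VirtualBox/QEMU ones.
VM_VENDORS = {"Msft": "Hyper-V", "VMware": "VMware", "VBOX": "VirtualBox", "QEMU": "QEMU"}

# Constructed subset of rows copied from the table above.
ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A",
]


def parse_scsi_row(row):
    """Return operation, device identity tuple, FriendlyName flag and querying process for one row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("not a SCSI registry row: %r" % row)
    inst = INSTANCE_RE.search(m.group("key"))
    if not inst:
        raise ValueError("no device instance path in row: %r" % row)
    return {
        "op": m.group("op"),
        "device": (inst.group("cls"), inst.group("vendor"),
                   inst.group("product"), inst.group("instance")),
        "friendly_name": m.group("key").endswith("\\FriendlyName"),
        "process": m.group("process").rsplit("\\", 1)[-1],   # basename only
    }


def summarize(rows):
    """Per device: which processes touched it, how many queries, and whether FriendlyName was read."""
    summary = defaultdict(lambda: {"processes": set(), "queries": 0, "friendly_name": False})
    for row in rows:
        r = parse_scsi_row(row)
        entry = summary[r["device"]]
        entry["processes"].add(r["process"])
        entry["queries"] += 1
        entry["friendly_name"] |= r["friendly_name"]
    return dict(summary)


def hypervisor_hints(summary):
    """Vendor strings among the enumerated devices that give the hypervisor away."""
    return {(dev[1], VM_VENDORS[dev[1]]) for dev in summary if dev[1] in VM_VENDORS}


if __name__ == "__main__":
    s = summarize(ROWS)
    for (cls, vendor, product, instance), entry in sorted(s.items()):
        print("%-6s %-7s %-16s %s  queries=%d friendly_name=%s  by %s" % (
            cls, vendor, product, instance, entry["queries"],
            entry["friendly_name"], ", ".join(sorted(entry["processes"]))))
    print("hypervisor hints:", sorted(hypervisor_hints(s)))
```

The same extraction works on a live host by enumerating HKLM\SYSTEM\CurrentControlSet\Enum\SCSI, which is how the sample gets the strings in the first place; if you harden a sandbox image, the vendor and product strings under those keys are among the first things to make look like commodity hardware.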

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

All rows below come from the Windows Search components (SearchFilterHost.exe, SearchProtocolHost.exe, SearchIndexer.exe) writing MuiCache strings and shell-extension cache entries under .DEFAULT, the hive used by services running as SYSTEM; that is routine indexer activity and carries little signal on its own. The reason to keep the rows in view is that SearchIndexer.exe is also listed in the System32 table above as a binary the sample opened for modification.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010f077d92189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077bf49da2189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f367bd82189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026e912da2189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a49c3fd82189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a844eda2189da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe

"C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900

Network

Files

C:\Windows\System32\alg.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Windows\System32\msdtc.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

MD5 fe958bace8c1a9cd3e0ae5dfec6c843d
SHA1 b3b73f623bc30e0cb664f458efa068a5b5f07a56
SHA256 30e7db89e1fdce24a3ea168b7d8ab90007314a41256697592bc5f0594d3c55f2
SHA512 3ef9d05fb5f1ba49031af64253bf89902a65d9f6e988f4b38695e35c6f49c44e721cb79e008b86839a669b540e160e9ae08b283c6a1a7afc97600d5a39ad1703

memory/4596-226-0x0000000000BB0000-0x0000000000C10000-memory.dmp

memory/1076-231-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1076-239-0x0000000000B00000-0x0000000000B60000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 97cec7a80121038dd4e4d3cccc216e74
SHA1 3e1e656d33df2dc62aaed50bf47e501999717587
SHA256 106035c32900513773abd7788808a0b116c8f0952e631a35f00a7b94af163ffd
SHA512 641791968f62f8c0b769106c611efab81cd91b77ab213e76c5c5d2b26aa8e1949083a8303c2e6d0aa75c82bf4aac7ff3b7f6d9df3a615de1b74a63b4f267c695

memory/3420-242-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4304-243-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4304-252-0x0000000000760000-0x00000000007C0000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 179fe50b10f35ce654d0d1d99826fb44
SHA1 ffd355b4489105063f7624f1f3181cb4e59f928a
SHA256 6d4dfc38e17ec4a2176b7083c5bb93dabcea25c40f001d7fe36817f8ac10b50d
SHA512 9c9d56e9eb8a3610eb4e9fec6c200c41662b174de12773d9e441d5f6822679c2d24d6a99c1d047cd31939184c4eb249887fba8473e1e9ad9043986227a8046e9

memory/1460-255-0x0000000140000000-0x0000000140102000-memory.dmp

memory/4832-257-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4832-266-0x0000000000C90000-0x0000000000CF0000-memory.dmp

memory/4320-268-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/2416-269-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 93abed992f2d06d95b714455ad415a0e
SHA1 bf3615ff0fce828b1e71720ffb71043db2c7f596
SHA256 02b6341a9165574b37ac5e484318ab4e4e8f0f37618231f3e6911343b1a49e2d
SHA512 464dd4ea7c74178c3d2a9f3b2130bf6b616b9b2b0be3554f20908bf2bd72d2c51dc51d6aede225f3b4a536dea53d08d9a31c94715b1ead13d9108c3d11edae70

C:\Windows\System32\SearchIndexer.exe

MD5 1900b1a3fc6549effd4f37cc246ff0dd
SHA1 f38b4fd5ca923e507b68539fdcadfb3228c40335
SHA256 4f25f5da087db2019f86b81ca4701fb9d5799503bf1881f6c272e1a8da4b3e8b
SHA512 1f133d275b50a704b2f3e2854943955cad16d2f7cf89af9bb0df663c8aebb1ad2858bb94460e55590fb7b6c01f76824b56d8817ec11b8f87e8c57e0301567cd1

memory/2304-283-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2416-277-0x00000000004C0000-0x0000000000520000-memory.dmp

memory/2304-290-0x0000000000810000-0x0000000000870000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 ae4bea6d5a8aaa2876a61a5eae9514f7
SHA1 b46701cb0c38fdcc9875383ec5334a2963fc8ee9
SHA256 fbdfa56d3aae773db6a2ed9881a20b11481a94f01b5a2da215dfdf4d4f0b44f0
SHA512 bc4b65cb1cafa68859893e7d27082ecffa013c224ba03f5071fd658bcf718f4334e58d5cffe121d45be5ecc2f3c15de06513d4ace72775fda9319771be767453

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 a5fafce80522fb468faeb4fc15c88b8b
SHA1 71f662ed50d20b5da37ce57a64057109906a7bee
SHA256 7473c40222c2154462ef7037a3f88ff2225de04696dc506c1d6a069c32edf743
SHA512 f7611c6aa224ee614d6d84ddcdad53c4eda98c2e2a39353d0e0a70e06e20853689a5a448dc222e96845661f6641e5779d51f6347bf59f3bf986729b606bbd7a1

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 78f60c9df8eca16ad0ca83c5d64e53dc
SHA1 8d688750bf241008bcde40ce96fa6b13d10a3ff9
SHA256 a18355b6920db8404478a319e396b8c55f8b7697d9acbbab5fd728df7dc9a727
SHA512 2ac6a0d4258255a5a9626caf6b9fc435803f6245e035f5aa87040a900702079e3ffefb6ed0eb1bb0258ec585b2f44ad6919b926188c692b8212ff46b5695a905

C:\Program Files\7-Zip\Uninstall.exe

MD5 05a84c83327ac5bb2e4fcc90601d4b8b
SHA1 1b0cd4043920017ec13acd39ff6dd9e9026551a1
SHA256 297fca863321ae2193290d750779081a4f1c57bfd1ca330447a1a431717a4493
SHA512 1da52b285d743ecc97518bd648ebbba3d3459404b376936c0b2927d0068a6b0fb1b492bb9e2ee82db043ef3fdc4422eabaf117fca29c2a6e346f3582782da531

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 2b3a82bfbc2adb2796d8940bee0f15eb
SHA1 d394443ccd621ee0b1c1eb93a8be099432bdac5d
SHA256 1e915dd90c31f93059ba089a780fad98c50bfd5a6d7bda722d8f8be9d728a234
SHA512 b1df3928f1bd518154e824c6dfa90bd3390b4ba774d90bb0011cc61e5027be76196eb0e2c2a52080bc0d064b1e56c26b49b606e550824ca97034bf470fa7d1ee

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 ec70ad358cd4661cd82cbccb93272900
SHA1 d076761fe3d7c7da6c65b2551548175fb4a7a45a
SHA256 629cd1b982dbd3d60f0c9dbaf38b05c2740d5eda8f33f84a25ad788c6bc03144
SHA512 4eee3699806b0b35ec93c4d3b6cb269b4c4f7a9eef6ebe750bf181632c061cb972f9a0bdfd212700dd10175d29d9306aafd9077c1124272a62b5e17af966dbba

C:\Program Files\Java\jdk-1.8\bin\javaws.exe

MD5 6f664698f81e607a87476ba8b3766340
SHA1 22ed4d23eefc2c5b549c856a3c490b93d5929da5
SHA256 ef32920a3bb9cf3270b974015e7ed2140fbc3700109ebd9145a882966958e098
SHA512 170f4a6e93cfba349f927d7175782238d888d25670120221d5b457bfc8d276477afde768d27bea699ea4824f36cd07929c8c0d4fd7b345c2a07c88de0d7a8c60

C:\Program Files\Java\jdk-1.8\bin\javaw.exe

MD5 b01b9fb2afdc844553ec65edb3b4b57e
SHA1 c42b09b5560b4f8ca5b137fe124f3ec84562b17a
SHA256 b96df67e97512081e854b516933a27967496a3efe7ae9ddb22a511022d6307fd
SHA512 54843a743ed26f5fa0ba2bcc4eda079a5a3b9ce8d0621f31034846ac1f7fdf3837267b55f24b91a95de3e42e1bd8f4a08ee5613c2ea47948350ac0f2923c2416

C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

MD5 10a51956497bc3ff4c9befa180553a1e
SHA1 058fdfcc140614c88da760da020f938397ae93ac
SHA256 3df899f23cd48942a2f83bc1d7e8a919e1e99a34a5ac70a7df09d591c2c7da6d
SHA512 0ae69a9dd2b42388bd8aeeee68e60df010f9abe43a6e88bb572765ae1df851d2d26a004702097f9ace2d579e87ab9050189d55018391a59cc3e44500923bc642

C:\Program Files\Java\jdk-1.8\bin\javap.exe

MD5 17b0fd0963686ae15c4780a3adc5931e
SHA1 9aeb1d0e4963d243ac37ec6105a626d0997be563
SHA256 c8f40bb4b0e3f9ee36fcc1781111a175fc159f9fa58d763bd109b7fbb4527f03
SHA512 cc177dd50bb7cc0e4f6b07da56316277f07f12239495baf32f87cfc76ed6108b707b08f5325d1579c46aac8994d999bb9f0a58d1fbeced8fe84287c6c6106efe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

MD5 a3c44e41f3ae093c4f8a7ced13aa23d6
SHA1 9b6b31c6f092cf5ae5ea3ca617c95911edb8135e
SHA256 66fab23e8c1106f58b8bec5f7fc805d6c70c24a08090b8574ffc79ed3cbacfc7
SHA512 115b7882bfe6f03cdc6e220b8fd6628a5f0b85e12ed392f53deb0553646ff901defde60450468e5ce17c61727c41a1041470db6d50f8f323070d1a9f2eb012b8

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

MD5 6b24ff82ccd03ef482d0414e9b58b4c5
SHA1 6301dc754faae8cb0edcd1c84198c2306a2daf01
SHA256 fe758510c6e0055e97f5be97b253a9ffee45edcfa32ba60a99be95bf29ee246f
SHA512 3b576455ba837b97500f2c52510b6f887d3cfbe6467c9ea4a55b90817963f243646ff4f6f3f259a340f843dfc2dc6e3fa640457b04653d8d3d5d950c36aa72ea

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

MD5 0d2100043b1bc33fb3dfa1964091a1fe
SHA1 7c71afb7b07de6704f2095c9ccdc6f6a18ae89b6
SHA256 3f533100a502a9508ec44b27a0854b6936b87d81a0af611a8f963a3116239bc1
SHA512 df52a77d8edf739b652bdd32c1c740b984cb35b057d6f4eabbb33f128945abd279bac608f713e4f1d81977faa7d4e4d607a5b16d3672067c0269cf76eab16645

C:\Program Files\Java\jdk-1.8\bin\javac.exe

MD5 b493d00385f4f98392c743d777f57880
SHA1 44ac561d5446384b3fd41becbc08596fc6b9102b
SHA256 8e11d635dfd2aa86400670258694a93a65cfcc79f453fe3f46b4db1a8f0cfa14
SHA512 39a390c4391117571a3e7d2d38554e9bbf8911877a32e73738823c7f2a90ba817b3659e8c0d867accfeb07e2af4a3350e12ab0906e3a46249daa8933f10b2475

C:\Program Files\Java\jdk-1.8\bin\java.exe

MD5 487e93b5a4deca4c938db0ba5dd850fe
SHA1 a4c660dfb75e9d85cbdc448cc8e7012cc3c68652
SHA256 81ceed3812dd7dfb7eef0c333a8430594c218a7b7d7db4625f3910dfd3a883aa
SHA512 c9f9046bc4a81e15d6b37e07aa3d7dbdee11e2b012af51ab5872b90ca12c09a2f610878fb1fbc7ad2a172bf5ed8f43fac5b98f8dee3514c32d441f0a92074c4b

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

MD5 9c2764c9599f5f35b3f1d4126b7bdd81
SHA1 33771b0f78aaf91c7c075b71c8d6c434ceb39e99
SHA256 de6575c5b7da75f1f69b988be71fba03eb49ed49298be29fa467ad417221df0a
SHA512 7dbad10a0a1eaf1ebfb90c3eb8af7316ec18d76971e917d302711673a818272008fb11596dfdc66fe1dde10f16ce388994fc5fa253d8c7a6e7be83313acea8af

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

MD5 6bea5314198b31ca26c549077be97304
SHA1 6c09330e1942596b7257272d8275d2aa8614252c
SHA256 ff4351bb3644b54e4e19cd4029cf9d26b2853b097255fca39ab62429f12feaee
SHA512 8bc77b7e96a736c89080800d574ecfbebc7b20b7aedfb701c5c8d6526aeb6d5e2d3303b70beb20f180642825beeec93e0d5c46785004ef241067750238f76d16

C:\Program Files\Java\jdk-1.8\bin\jar.exe

MD5 7cc5cd1669afce955431e25ff189d7f2
SHA1 1759e234010deb933defd44b43bc5813f8638a08
SHA256 950a470b384925b816d600871a659dc7242a8cf29eb1e294f1d1f32fac11970a
SHA512 f06f426898c4b15751297f0367762be2a735f3def29f715725bdd8ffcda0e28f1700e5bdb3c2d557af912a6b313c196ff903febfb4c60b1848a5df4243c4356f

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

MD5 62079e967bcb0ddbf357bb14e1beb2c7
SHA1 ecc97f239254345b61177d5894e323522a1e12f1
SHA256 fb57a7adc4c86ff47b164b9fd7ab2f48660d8dcce65377bc74ea2a2c884128ef
SHA512 6a90ddfdfb8b9f53815db3440fd503379ca83f02e569f589b0e40c28c4b75d9de462283351b41741d11d8bc237fa455cdb628a6ea091681abe35fd0d3288009f

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 9ae56213d9eb6acf9f509d9f032e8436
SHA1 53a0e060dd82bf30db76367c482209b5c12b2177
SHA256 a82e1df122282bd14fc594bedc2b7cbb9d5b0f1e91a8fa44448a81296d228409
SHA512 9066cef91bdc036bd2a3799112ce43a09ae8ecf94e312cd183091c666614ff1814e76d9d3ed094fe0f34a08086a5b8b097299f174f5e3730b4bf4f5f44aa5b5d

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 69f93d45d5c40b8bea07ca33ab327a4f
SHA1 8a953cd3696a72495f1276b570c57c281f7a012d
SHA256 b1a1de5154f6e6a7b96e30633dd108efc5375b4d6022b5f48ed5153f54f2d1be
SHA512 165d8ef0eadfd20a0adfd7a3add76054f7cd9aec09e1d0c5be71f82677ac56761b3f708998e2a5e95d3e0332f7ef5e6e26099c0fa8406a8143dea27ddc90cdaf

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 288c82d90066a7b36395597d833515fd
SHA1 ee4023304296d5ba007d601e70d06149b51c5bbc
SHA256 036015154bd74716f3fddb2d06d67c8eea3056722a6037f00348a539f4d1614e
SHA512 e5499fbd7a2e3bad9323cc515067a5776c32345327607fe3b57f6a0b8dce1398d96c815fcb9a8eb27497fab84443739189e0999f8f814b2c1d4925ccf780e072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 a1cb090c5437067c540bdca9eb1bf674
SHA1 8915556058f02f0900bf531cb28577d40b8fa341
SHA256 be21335e0ef2eb7e2dbfc5696a965b2fab05573d4818e6198297b0ace1d7052e
SHA512 fde8e0ce27495e3679891ab6201dfcacb94f37ec43c8e978893dff16fe3f4cb8cc63a70b238cfa44740ba25525868d9952edcb0c8233e4876c874555b142c9fb

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 22c4c250a6dca46946b997a6945a6924
SHA1 a1dad94fe3108f0373825718eaf56b7a7ba6b94d
SHA256 c2bf489d163cd8e931509a069da028f3d2cda1cb2e04dbdc13fd19e975dd27d0
SHA512 581caf59dd414e07388d4df6098c83040783c9cef4aabc3afe8f6983c5f337d40d777575b69f7fa077a5938559675152a273c5d3311e379d322bbb64de08fe4e

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

MD5 cc8c5b119c741a8fd9df4f528edc85aa
SHA1 e0f773856e8f8430498be1aac957943e0b7bbf8e
SHA256 11313d3614775143b3be9ae44d7d69504c526f9277a3a9eab96f0de059276c38
SHA512 91e70cb4e0c584954a7865bf39ecb1172bab1076ddf6100b3494dbed0e5cad6f7ef3e2a9cefec8d534a9c37c0ca007cc2f696d261f3125b3b800fd45d4d6e219

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 cad9909e72aaf86631b0afc65bd2b82b
SHA1 3e8653b2a15ec07dc28163e6ef4700999695d284
SHA256 8f841ff35362abad0698d1885b41815886c4d33bd52a80960f879a2b6a1b8f9c
SHA512 e5ae72ba093d4b4c30c43076482b61a2ed9e3d30abcf785b0b85878a42b1e84ebedcd3bbcfa5d79919ad9b67d97cf2fc96800c2e15c0b7edd36997919a0b6888

C:\Program Files\dotnet\dotnet.exe

MD5 45f203bed549a3fb1ef89ce63ccc9dae
SHA1 d855fcbeffbd5a83631afd523995379771166e01
SHA256 f5fcdec5e9804827dc84451ddd5c58308aaccd9fdb35d19c1c50a0db879b9331
SHA512 3678599e255279fafb17a7abaf9b10a5447dbf6dae1b32685443821385597eed7832e649a3f2a801413d2f804b0cb42f40306505e2c30722f500f9afd53990db

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 185175b9f2fd26cedaf040f0672a241e
SHA1 f5a8bca671cd5303d076410079b65eec68b74d7f
SHA256 b125f4698124b03cf7b281cfe8b13f87557979e2878d91c41ba7eef444264405
SHA512 219fc169ab35efbffb1f138cbe660d26cd803e308808a94be6337623ee8f0934d0c592c54efc551f5ae8cdbca1eb9d6a28beba77ba1ee7118574015014bfcf35

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 a971b47a54a339be248abb05640dfe3b
SHA1 95e6d06053283965af6fab416e233ee39dba53d2
SHA256 d40cf9c632acc51e28087140ac72f4373197f3112b1017bee8b21314fd1e60a2
SHA512 6b82c67e42990897a9fdce67e664f218eb424aeedcc622872d0b765311418f2caca0f1ff528a214a6d21ebb895aaabde119ee49b66d2f69bfa9fe9dff40f3303

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 02b9e831119542d1bfbb05808ac5b670
SHA1 8497c34ea5fe102b12a51deb0ab2fe4bc14e059c
SHA256 c8a1381cff49b272958354dad2ef02c44470246412b46ed3ac56017529e5644c
SHA512 9285eef17c4843c7292b108e39ba994373a0241edd61191c8896dca56ad5001deec767958456ff0de9b2a8ade07e601190a21d905d5d71e892aa335edf037754

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 ff37a99f17e70b4da6fbb76017e66775
SHA1 f8c869ff9ff59ae34d593d8f3fe5b615af862279
SHA256 04d99d87d6f193be6f5174c5b144eed655fe309f8ec7c4e1ec9dfebd39ba1c9b
SHA512 9e9ea666dd177e9460578c88e92e0abe6f34fba6e8b99522c8147e2b49cc85bb7c92a7aa0c82d08e5e343f5012bd13e49de9be1e713dafe72bad4e9ee8284fd4

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 bcb8016c112491d18c02cf32c2deac64
SHA1 45d42e0f7aa51ec2009526b845cd1534d5ee0317
SHA256 5cfc3bca927c72c373854996bdbf60b64b720f79b0c07918177d4eafef1884a1
SHA512 5457df8bf7f8c77f22807a06001652fc41c39a0389e529bd7c1854cea58c8f49ecd8e2e58bddcb2f3b1d842e36225afaa75d04764bca8808bd2a68959376e41c

C:\Program Files\7-Zip\7zG.exe

MD5 135fa6e2f7b685d4f206b9d131728f8c
SHA1 74dea7189a9939dbad1636b9cc272d526538c094
SHA256 cf6c47dc4dc546d74d8dec17af032221f8eccd3159d5f95f87f0a5a525a55fff
SHA512 57035cd54f635e29564dceba6a07c1270279b34441d86b3bc7dd63371a7e47546fc5deb958f63f44921b99cc40b4cedb2812ad830a6000a3969beff842a9882b

C:\Program Files\7-Zip\7zFM.exe

MD5 f8ad7e8ae842066d3020d739b2ca9024
SHA1 7ea64786fe437022219e265d7f3d74d81fad5e0c
SHA256 7c888feb82e9ae94d29a32d15f3bf514621145dca0ca191fd99a725253d99e2e
SHA512 16ad2599664dd9a52e8e6fbf9400d4b93c4d6e5641ee26d6d89f4ea6a4610319e2aa0dab886a989a5de8f9adb8688a9cdce864723160548c4fa505d48cbbcc59

C:\Program Files\7-Zip\7z.exe

MD5 5377916236c6f9fb881f8bdbf829b6a1
SHA1 c17ca4145705293d9e8e33230cba552c7f590e1d
SHA256 cc0c466a5e644de0a4dd5634d88226daafdd5691256f5769583715f652d43b90
SHA512 4a84db1231925754b330eb05f771986e2f836e131ec0e5d83fb59ad7c8683ec3de95658ecc28b76233a9b0d21da1dcd30b7e641162be740b150d797a79f1397d

C:\odt\office2016setup.exe

MD5 d0e9a2b234498c5110571e4c93bb1fc5
SHA1 eea3378aae2148bf0d03ab3b1dbcf4822fcfc1f8
SHA256 dc43335ff82b3ca3651f9c3914da0105f9f2bfaa46d2bac8322bcd04c85df80a
SHA512 c91ca15c54a64cbe69fdfad537e98b139fee5927dc4f4cb0574860fcae8167667561acf09cfa1409f35cc200483d0fd7e51c1e4e61714a29cf71dcf100f31028

C:\Windows\system32\SgrmBroker.exe

MD5 1fc0b15d568ca0e800343209310b0e06
SHA1 c762f242bdfeb22ebcca893339187a2c4d59e9a6
SHA256 03b2e59c1b77a1aaa16b816a9bfa8fa68527f9468f346276e434930abdf65ce6
SHA512 3fd04377aef8493e8c12da4d61b88777d135d83ab0b442c2d8899c849d6ed1067147034b04aaa9926189856d5dd57e58cfa7c4909fe7e72e10e967c0bfe969e7

memory/5028-470-0x0000000010000000-0x000000001009F000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 db1ae297e6a0206e495aa71cafbbc9e4
SHA1 fb4e62e6bba1eb592aae30419cac593925a1b022
SHA256 5d4c6222201371a534fb283a70e44699439dae2fc39a5cfdaf096fd3626c306d
SHA512 d33136c91dfebdb35db784103b214eee2d78e4c7f484108769085c50115a83ca70c1bbff0264f8a53659c84bdcf3372dc90e2c0f45d6e0fb7dca42b221fbdb67

memory/1076-527-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1728-533-0x0000018BC0000000-0x0000018BC0010000-memory.dmp

memory/1728-534-0x0000018BC0010000-0x0000018BC0020000-memory.dmp

memory/1728-541-0x0000018BC0000000-0x0000018BC0010000-memory.dmp

memory/4304-540-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1728-552-0x0000018BC0000000-0x0000018BC0010000-memory.dmp

memory/4832-556-0x0000000140000000-0x0000000140216000-memory.dmp
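Each entry in the Files listing above pairs a path with the MD5, SHA1, SHA256 and SHA512 of that file as the sandbox recorded it after detonation on win10v2004-20231215-en. For a responder the hashes, not the paths, are the usable indicators: the paths are ordinary system and application executables (ssh-agent.exe, AgentService.exe, vds.exe, the JDK tools), so a path alone proves nothing, while a byte-identical copy of one of these files on a host means that host carries the same post-detonation binary. The script below is an added example written for this page, not sandbox output and not code belonging to the sample. It parses a two-entry excerpt copied from the listing into a SHA-256 lookup table and sweeps a directory tree for matches. The four-line path / MD5 / SHA1 / SHA256 / SHA512 layout is assumed from this page rather than a documented schema, and the scan root and suffix filter are the example's own choices. One caveat: a miss does not clear a file, because legitimate copies of these binaries differ between Windows builds and the report only covers the copies produced in this one sandbox image. Pair the sweep with an Authenticode check of every executable the report names (Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck) and treat an unsigned or invalidly signed system binary as the stronger signal; the report's own Unsigned PE tag points the same way.

```python
"""Sweep a directory tree for files whose SHA-256 matches a dropped-file hash
listed in the Files sections of this report.

Added example for this page, not sandbox output. IOC_TEXT is an excerpt copied
from the Files listing; the path / MD5 / SHA1 / SHA256 / SHA512 block layout is
assumed from the page, not a documented schema.
"""
import hashlib
import os
import re

# Excerpt copied from the Files listing above (two entries, verbatim).
IOC_TEXT = r"""
C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 32b7ff7e53eee68f9d1b74446a388e88
SHA1 765a03600977da0276bb898ed9b49222eb28b439
SHA256 3ed4df5814cd84a008d2d80eb34f7fdeb53ee0d829b857b796bd2148e65b4fd2
SHA512 031f4a76745091c45a7a56e68c21b75eb512e591504c8f321c13ecf2877295f2cafac83bb37ee2fe9bf78e4972a4973b6e3e9ea7c315d7a569c35bdad55d1f91

C:\Windows\System32\AgentService.exe

MD5 8831dd5b31c7bd94f0af1821afb2fb20
SHA1 b3255672d4a30d2d2c74ba34af4ae56e5253cd3f
SHA256 e5ffcc4bbc7ca89d1416aad619738f3e6fb771ac9655a627dae252a3cab18588
SHA512 73b8107842ff66aa7106a40558770c6f3c035462627fc87a2bd989ef45f2d210a4cea0720aee1887370fa5cbf66afca7a1c47ac1a72719766f967978e7c841f8
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_iocs(text):
    """Return {sha256_hex: reported_path} from the report's hash blocks.

    Any non-empty line that is not a hash line starts a new entry and is taken
    as its path. SHA-256 is the lookup key; MD5 and SHA1 are recognised so the
    parser does not mistake them for paths, but they are not used for matching
    because neither is collision-resistant.
    """
    iocs = {}
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            path = line
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if algo == "SHA256" and path is not None:
            iocs[digest] = path
    return iocs


def sha256_file(fs_path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(fs_path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs, suffixes=(".exe", ".dll", ".bin")):
    """Walk root and return [(local_path, reported_path)] for every hash match.

    The suffix filter is a speed/coverage trade-off chosen for this example,
    not a property of the sample: pass suffixes=("",) for a full sweep.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(suffixes):
                continue
            local = os.path.join(dirpath, name)
            try:
                digest = sha256_file(local)
            except OSError:
                continue  # locked or unreadable; log it in real use
            if digest in iocs:
                hits.append((local, iocs[digest]))
    return hits


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for local, reported in sweep(scan_root, parse_iocs(IOC_TEXT)):
        print(f"MATCH {local}  (reported as {reported})")
```

Run it as `python sweep.py "C:\Windows\System32"` on a suspect host, or point it at a mounted image; extend IOC_TEXT by pasting further entries from the listing above, since the parser only needs the path line followed by its hash lines.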

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:28

Reported

2024-04-07 19:31

Platform

win7-20240221-en

Max time kernel

167s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\dad6511c4501ed38.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri3_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
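The three file-drop tables above share one flattened layout, Description / Indicator / Process / Target, in which both the indicator and the process columns are Windows paths that may contain spaces, so a whitespace split misreads every row under Program Files (x86). The script below is an added example written for this page, not sandbox output and not code belonging to the sample: it parses an excerpt of those rows, copied verbatim from the tables, and reports which process opened which executables for modification and which modified binaries later appear as writers themselves. Read together with the Executes dropped EXE list, the rows show the sample itself touching only alg.exe and aspnet_state.exe; the writes to the Program Files executables, the .NET mscorsvw.exe copies and the ehome service binaries come from those two once they run. The parsing rules (a fixed vocabulary of description prefixes, a trailing N/A target column, and the process being the last C:\ path on the line) are assumptions drawn from this report's layout, not a documented schema. Two caveats the tables cannot settle: the report records that each file was opened for modification, not what was written to it, so the list is an upper bound on what changed; and the rows are unordered, so the parent/child relationship is inferred from which image was modified before it shows up as a process, not from timestamps.

```python
"""Parse the flattened signature rows of this report into
(description, indicator, process) records and summarise who modified what.

Added example for this page, not sandbox output. REPORT_ROWS is an excerpt
copied from the "Drops file in ..." tables; the parsing rules are assumptions
about this report's layout, not a documented schema.
"""
from collections import defaultdict

# Excerpt copied verbatim from the tables above (sample, alg.exe and
# aspnet_state.exe rows plus one mscorsvw.exe lock-file row).
REPORT_ROWS = r"""
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\dad6511c4501ed38.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
"""

# Description prefixes seen in this report's tables (assumed fixed vocabulary).
DESCRIPTIONS = ("File opened for modification", "File created",
                "Key created", "Set value (data)", "Set value (int)")


def parse_row(line):
    """Split one flattened row into (description, indicator, process).

    The Target column is N/A throughout these tables and is dropped. The
    process is taken as the last " C:\\" segment because indicators can
    themselves contain spaces ("Program Files (x86)") or registry values.
    """
    line = line.strip()
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        return None
    rest = line[len(desc) + 1:]
    if rest.endswith(" N/A"):
        rest = rest[:-4]
    cut = rest.rfind(" C:\\")
    if cut < 0:
        return None
    return desc, rest[:cut], rest[cut + 1:]


def parse_rows(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def exe_writes_by_process(records):
    """Map process path -> sorted .exe indicators it opened for modification."""
    out = defaultdict(set)
    for desc, indicator, process in records:
        if desc == "File opened for modification" and indicator.lower().endswith(".exe"):
            out[process].add(indicator)
    return {p: sorted(v) for p, v in out.items()}


def infection_chain(records):
    """Processes whose own image was opened for modification somewhere in the
    rows: binaries that were modified and then ran, i.e. the hand-off the
    report makes visible without giving an explicit process tree."""
    modified = {i.lower() for d, i, _ in records if d == "File opened for modification"}
    writers = {p for _, _, p in records}
    return sorted(p for p in writers if p.lower() in modified)


def basename(path):
    return path.rsplit("\\", 1)[-1]


if __name__ == "__main__":
    recs = parse_rows(REPORT_ROWS)
    by_proc = exe_writes_by_process(recs)
    for proc, targets in sorted(by_proc.items(), key=lambda kv: -len(kv[1])):
        print(f"{basename(proc):20s} opened {len(targets):3d} executables for modification")
    print("modified, then seen writing:", [basename(p) for p in infection_chain(recs)])
```

Paste the full tables into REPORT_ROWS to get the complete picture; the same parser handles the Modifies data under HKEY_USERS rows, where the indicator is a registry path with an embedded value, because it only relies on the final C:\ path.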

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 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 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2480 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2096 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1176 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 904 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 996 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 2760 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1876 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 3068 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe

"C:\Users\Admin\AppData\Local\Temp\25ea98f997f904ec57d2a910f0193a531b50f37eb056e5eb007b5473c72478b7.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1d4 -NGENProcess 250 -Pipe 244 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 248 -NGENProcess 258 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 23c -NGENProcess 234 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 248 -NGENProcess 268 -Pipe 1d4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 24c -NGENProcess 26c -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 270 -NGENProcess 268 -Pipe 1f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 278 -NGENProcess 23c -Pipe 274 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 254 -Pipe 234 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 27c -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 280 -NGENProcess 254 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 284 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 284 -NGENProcess 280 -Pipe 278 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 260 -NGENProcess 24c -Pipe 23c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 290 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 24c -Pipe 28c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 294 -NGENProcess 288 -Pipe 26c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 294 -NGENProcess 298 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 280 -NGENProcess 288 -Pipe 290 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 2a4 -NGENProcess 2a0 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 294 -NGENProcess 2a8 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2ac -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 1b8 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 240 -NGENProcess 248 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

Network

Country Destination Domain Proto

Files

\Windows\System32\alg.exe

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 030b8432027b2370b383fcc26663ac27
SHA1 ad6f7ea72df7bbe2a2ea952d1718c40d7810e79d
SHA256 6958d368e82b911fc9a472a06d7cdc64835e8825930afc8293ebd2052425fdcb
SHA512 66c12760ef4ebcdd5045cafaea8a7aa15213ba41fda068103bfbb8bfaa2a13b214cebf79a7235ee15b9c59dff09852c1083b6cabff5044c651f1d1febbb15b71

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 443503439d4ee819ce740671cb519097
SHA1 17d055a1b6ee99a209eb8fe72f7d18738a7be9fc
SHA256 bc519bda87abad6d6bfaa1e76db7fcf6bdcc78ffd50699da63d6f4924bfa144d
SHA512 5e9f1f8db5c2c597d9a016baa0dd97aafe933354ff4097a5f295973c4bcb13cfe360df6a2f01e0fd9962d3d84f226bf9acba2c19c374b6379eb0fed6cd9f095c

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 72f6609361071ab999cd2a34b2f0f06a
SHA1 7eef2c43900e4ea5b6b0c8836d27ad2af6542471
SHA256 4c2b92249d6207a4b36c54f2f5698099b78043151f214c947f2e7fb2deb66f0e
SHA512 e2daf1f5c217f5d8d27e5d38e99fb4f09e973ac6eb953c6e9ac531bb51cd19f8641649ada132384c3f78d892dbdb74363382ea270ca54cccec0be5bf1cee3a78

C:\Windows\System32\dllhost.exe

MD5 f2edea24a45532561c69dd0452b108db
SHA1 0818fd42f4d2d115fbe5680118e561fcf9b9e93c
SHA256 ff66969c1f9b3389dfead477f44e4e6b66bbcaa5e69be3f81b9ee05649de670b
SHA512 da61126052f50719a2d111c70a56a830e7b96a6e14bf350d180facfdeb285cabb3658d8dbaf90feab5ca0aa204114bb28badbdda37a1e5a5ed72c5027b5fd039

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 425f196e4b670a1197c1a35150597bbe
SHA1 382516d21e2620687b8e2bcfa2e005fc5ddbb9d1
SHA256 0303e122a81e57c5c08b7b8d7c31ae244f3d4bd5da343f79c84031ed1211185c
SHA512 e3cbee3c94fc6af1acdb91b1f5ea0be42c919cbc9555f3d0c8f29e5f6bb1a6000769ad8b89c52cdcfcc04222d303ab8f6635bde999ca64088b483a3eb04cb06e

\Windows\ehome\ehrecvr.exe

MD5 301b56dbb8760e15763fb05526358a37
SHA1 3d9dc0a256187ebf7426c4693cfc06b28f805fd5
SHA256 b48d145f8ea7c0171e7ef8d493ebf772f672b1210041ed41fa65141efad84bb7
SHA512 651f005275aab93115649d12d89d0d89acf22574d8993bba59c06d2a27c892c6b3f28e7053f9e93240f50ddbd53f263d1b3dbbdf5c9e4246442a6d9dffdfcbf0

C:\Windows\ehome\ehsched.exe

MD5 5adc76928e50735dd9a43f1f912653d3
SHA1 f24707bc7c4ba2f04fc6f498cdf15e2eebec4f5f
SHA256 c2ddd3e62c6cc53bb548b2078015fafc778b2e553f93e16272a3b6132036b63d
SHA512 5d81c3464d73e7c87b011777c294baed920c393c53c2b15b5c0efd8e6b899f4d28a626592c5804494cb67b1eb5aba685b0000ef157726defa3f19d5c11a159c9