Malware Analysis Report

2024-11-13 13:58

Sample ID 240407-ypz19add66
Target fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c
SHA256 fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c

Threat Level: Shows suspicious behavior

The file fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:58

Reported

2024-04-07 20:01

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\7dc007518642d83.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120515\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf8c2f452689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000460a6f462689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096131a3d2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d99fe53c2689da01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fc9cd3c2689da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f8c103d2689da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 (privilege reported by LUID only; LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
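The token table above mixes one interesting row (SeTakeOwnershipPrivilege enabled by the sample running from AppData\Local\Temp) with routine rows from vssvc.exe, wbengine.exe and SearchIndexer.exe, which enable the same privileges as part of normal operation. The privilege name alone is therefore a poor detection key; the image path is what separates the sample from the services. The script below is an added example, not part of the sandbox report: it runs that rule over constructed records shaped like the fields Windows Security event 4703 ("A user right was adjusted") carries (process name plus enabled privileges). The field names, the SENSITIVE set and the USER_WRITABLE path pattern are assumptions to tune to your own telemetry. Note what the rule deliberately does not catch: the report shows alg.exe and Chrome's elevation_service.exe enabling SeDebugPrivilege from their legitimate paths after the sample dropped new copies of them; those are found by checking the binaries against the hashes in the Files section, not by privilege telemetry.

```python
"""Flag sensitive-privilege enablement by images in user-writable paths.

Added example, not part of the sandbox report. Records are a simplified,
constructed rendering of the fields Windows Security event 4703 carries:
the process name and the privileges it enabled. Map the keys to your
SIEM's field names before use.
"""
import re
from collections import defaultdict

# Privileges from the report's AdjustPrivilegeToken table worth alerting on
# when an unexpected image enables them (assumed set; tune to your baseline).
SENSITIVE = {"SeTakeOwnershipPrivilege", "SeDebugPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege"}

# User-writable staging locations; the sample ran from AppData\Local\Temp.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\"
    r"|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE)

# Constructed records mirroring rows of the report's token table.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe",
     "enabled": ["SeTakeOwnershipPrivilege"]},
    {"process": r"C:\Windows\system32\vssvc.exe",
     "enabled": ["SeBackupPrivilege", "SeRestorePrivilege", "SeAuditPrivilege"]},
    {"process": r"C:\Windows\system32\SearchIndexer.exe",
     "enabled": ["SeTakeOwnershipPrivilege"]},
    {"process": r"C:\Windows\System32\alg.exe",
     "enabled": ["SeDebugPrivilege"]},
]


def images_by_privilege(events):
    """Which images enabled each privilege. Shows that the privilege alone
    (SeTakeOwnershipPrivilege here) does not separate the sample from
    SearchIndexer.exe, so the image path has to carry the decision."""
    table = defaultdict(set)
    for ev in events:
        for priv in ev["enabled"]:
            table[priv].add(ev["process"])
    return {priv: sorted(imgs) for priv, imgs in table.items()}


def suspicious_privilege_use(events):
    """Return (image, [privileges]) for each record where an image under a
    user-writable directory enabled a privilege from SENSITIVE."""
    hits = []
    for ev in events:
        hit = set(ev["enabled"]) & SENSITIVE
        if hit and USER_WRITABLE.search(ev["process"]):
            hits.append((ev["process"], sorted(hit)))
    return hits


if __name__ == "__main__":
    for priv, images in images_by_privilege(SAMPLE_EVENTS).items():
        print(priv, "->", images)
    for image, privs in suspicious_privilege_use(SAMPLE_EVENTS):
        print("ALERT", image, privs)
```

Run against the constructed records, only the sample's Temp-path image is flagged; vssvc.exe and SearchIndexer.exe enable the same privileges from System32 and pass.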

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe

"C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 172.217.23.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.13.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.13.160.165.in-addr.arpa udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 104.155.138.21:80 gnqgo.biz tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 104.155.138.21:80 jwkoeoqns.biz tcp
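Most rows in the Network table are not indicators in themselves: the 8.8.8.8:53 rows are the sandbox's resolver queries, the in-addr.arpa rows are reverse lookups of addresses already present in the table, and some names were only queried, never connected to. What matters for blocking and hunting is the set of TCP endpoints and the names that resolved to them, plus the observation that several short .biz names resolve to the same address (34.128.82.12 serves ssbzmoy.biz, knjghuig.biz, vcddkls.biz, wllvnzb.biz, acwjcqqv.biz and warkcdu.biz), a pattern consistent with algorithmically generated names, though the report names no family. The parser below is an added example, not part of the report; it reads rows in the table's own "Country Destination Domain Proto" layout. The embedded rows are a slice copied from the table so it runs offline, and treating chromewebstore.googleapis.com as background traffic from the browser processes the detonation spawned is an assumption passed in as an ignore list rather than hard-coded.

```python
"""Extract network indicators from the sandbox report's Network table.

Added example, not part of the report. Separates real indicators (TCP
endpoints and the names that resolved to them) from resolver queries,
PTR lookups and DNS-only names, and groups contacted domains by host.
"""
from collections import defaultdict

# A slice of the report's table, copied here so the example runs offline.
REPORT_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 172.217.23.106:443 chromewebstore.googleapis.com tcp
"""


def parse_rows(text):
    """Parse 'Country ip:port domain proto' rows; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(rows, ignore_domains=()):
    """Return (tcp_by_domain, dns_only).

    tcp_by_domain: domain -> {(ip, port, country)} for actual connections.
    dns_only: names that were queried (udp/53) but never connected to;
    keep them as weaker indicators, they may be names that failed to
    resolve during the detonation window.
    """
    tcp_by_domain = defaultdict(set)
    dns_only = set()
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            continue  # reverse lookup of an address already in the table
        if r["domain"] in ignore_domains:
            continue
        if r["proto"] == "tcp":
            tcp_by_domain[r["domain"]].add((r["ip"], r["port"], r["country"]))
        elif r["proto"] == "udp" and r["port"] == 53:
            dns_only.add(r["domain"])
    dns_only -= set(tcp_by_domain)
    return dict(tcp_by_domain), dns_only


def shared_hosts(tcp_by_domain):
    """Map each contacted IP to the domains that resolved to it; several
    throwaway names on one host is the pattern visible in the report."""
    by_ip = defaultdict(set)
    for domain, endpoints in tcp_by_domain.items():
        for ip, _, _ in endpoints:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items()}


if __name__ == "__main__":
    tcp, dns_only = extract_iocs(parse_rows(REPORT_ROWS),
                                 ignore_domains={"chromewebstore.googleapis.com"})
    for ip, domains in shared_hosts(tcp).items():
        print(ip, domains)
    print("queried only:", sorted(dns_only))
```

Feed the full table to parse_rows for the complete indicator set; the duplicate przvgke.biz rows collapse into one endpoint because endpoints are kept in sets.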

Files

memory/4124-0-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/4124-1-0x0000000002260000-0x00000000022C7000-memory.dmp

memory/4124-6-0x0000000002260000-0x00000000022C7000-memory.dmp

C:\Windows\System32\alg.exe

MD5 f27f97bceab89bd9ba0380952b13bb10
SHA1 a53ca52f381b339035fe1b1c22d719008868d430
SHA256 0d1c29c179112d67c647dfe65ffd100c5e95218d6368812e38842633a6b07f25
SHA512 49a30441c574c1df8a49417eace375ad71e5bee8a51120b349b0404adb295a53fabce99b21973f7368c76c3fc93a6227d2df40a481ac363a680c7f9794b4deaa

memory/4372-10-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/4372-11-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/4372-18-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/4124-23-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 0fb0e6c0e6663cc2781f2bd26c0753d2
SHA1 4febe2f816cd2259cd21254e879f132d18f9799b
SHA256 c2567909b691d83888eb0248c1b276843165962a95635db599c260dd6c8f704a
SHA512 1a7112511c11b9e6a734a093d30ec8752ee0eec2f047a586163b78c3b450d9d6dc7bdb8ddf18b55bbd5d75d18db21b62ded25fb4a267a6bccbd1d16c3113118a

memory/2660-27-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2660-26-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/2660-33-0x0000000000D70000-0x0000000000DD0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 5e5d1030593cb94f2b569bc4397539f4
SHA1 2605864358b27f8b6e35bd0260e5030f13c55f4e
SHA256 589e8181577e9fb7c7f1062b1a48cf0a692ffd360e1dae7b2d2722ad75b31490
SHA512 750e742b5f6536ad00251c3b2f3a9defc0433310eb0742e798d383b04c433660090bc66f0f278ba62af6b977ff5bf3ce71674b9d2eb218d74378f209a7dd1afd

memory/4456-37-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/4456-38-0x0000000140000000-0x0000000140245000-memory.dmp

memory/4456-45-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 a3847cf1b9fca63fb0cd0b56c7902b53
SHA1 5af980b8e49da2f81614d9fa72aa637509bf9403
SHA256 bfabcf189972d988b4a7983fa74adb7ea6d91a1717a5cbfa7af896a16967f183
SHA512 6d2644a86860213ed3a829d526c913e48873f8510c3820a148f8f7b4e4e5fc9f5d2bbcf37150673fc55cb92abddbed8a9e493c1a5009033afe3d049a9a84f212

memory/1612-49-0x0000000002280000-0x00000000022E0000-memory.dmp

memory/1612-50-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/1612-57-0x0000000002280000-0x00000000022E0000-memory.dmp

memory/1612-60-0x0000000002280000-0x00000000022E0000-memory.dmp

memory/1612-63-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 e240b1002f7990d3a2fe4b0d75dfff29
SHA1 8f5948eaec4a37dad8287941af935183627d12b4
SHA256 750edd3ddf9054c37cc94324f8f4a599b1e23974048b84233ad2c917700639d8
SHA512 98524020b20f0b64ac7a31fdc626a2239c592ec8e874c4189958bde15a8272118fdc030a43edefe91f0db11e8785a9530e58cdfd7b1109daeb91b833002d49e3

memory/3860-66-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3860-65-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3860-72-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3860-73-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/4372-94-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/2660-210-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4456-230-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3860-237-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 a11bf1bae3bcf2671f79bb1c72c4d330
SHA1 f483f2a8efe0c35f927c7fa4b20c9d398b6688ce
SHA256 574130eedce21d826a840783d74b2401ada23835d221189aef0ffcb2b7c3aea2
SHA512 33b9c2e6bd92c15ed6cd800325cd357c32483fd11dc9d3dbe832842f86935b9cb6e421222c4388d54339f2d7878639e923d6378671e556ab1533cce05493388b

memory/1040-244-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1040-245-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/1040-251-0x00000000006A0000-0x0000000000700000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 c785d4b832e6f65cbd34a780a86b8b0f
SHA1 5bb3c5e38f2d578fba8a0a70b9abca8ee3c6474b
SHA256 853d0b493cbeba94ff5a8d91207e137f0d36d8b7ab615af6c5f67aa675f3873f
SHA512 ba28d739c0f79067b44312fc4c09adbd9f9ca196f7f909a58fdf3f759dbd05c1349070b9a36537ab088ac1f2b73d9920c21bd4abfaf369678ebb896a7726172c

memory/2180-255-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2180-263-0x0000000000D70000-0x0000000000DD0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 9de09e847f73ded0893191999780c465
SHA1 a8c9558615a9a668ae7c7ed73e653db5bcbc0734
SHA256 fe5c141303dd9f5029be4dcc0706d31bd835c2828dab62db95ae25aa503d9a7d
SHA512 e4cf1efaa0bad44c1eb936ea45b98fc4201a6c9fdc066deee2ba591300d81f66f8b634ebd5442783397d670e6f35aea8aad7cfee242762bab3430d6fa8f751ea

memory/3040-268-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/2180-272-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2180-274-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/3040-281-0x0000000000D00000-0x0000000000D60000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 9ea824f13fdafedbe7f17b82c97accd8
SHA1 9b8c0c8e5e60b600c76a098251443de07e5eed82
SHA256 31f508a8c59785140ec9e96f8d557112f1cab43078edf3a306c36b80ab28860a
SHA512 9c84fa061d3805e3c0e23050b4c817367c2d6d11a960e520c209afa3d0c479cdd5fa0ae6a3d4068b0d6a7bc3799eb7b661ce136f3e678760f675e37fe15229de

memory/1108-285-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/1108-293-0x0000000000BB0000-0x0000000000C10000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 95015faac6dc294dc029a2b78def71e9
SHA1 d8973a824e3321bce23f5f52f6aa6049b9abd476
SHA256 6bba33884aa96a23157fc3b15d00babaad9011031b08af5e462966c5ac55814e
SHA512 54494cda210f2b1be88a0be9f0740107585153772481a1e0bf9eed91784c826c377613212ac61cd48faa7177d4361debe72666a804f1109f9bb1f7c0c92dbf56

memory/5116-300-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 0ac98c4d247aa6053eae757ed32816f7
SHA1 e2193b826bb0d30b112363221e412299b3918d59
SHA256 5193b45604a6498f1173a11a42c350e012cc0f5b19fa9f30dfbaf607198c7ad8
SHA512 d671b454efe5c8e73a7b426fde02b5c6dcbed3847da83265cd8f034caeea558db43dde5b481eece4fbe99e62630c84e4ec704d0ac8941df01fbfdff5679d04af

memory/1420-303-0x0000000140000000-0x0000000140095000-memory.dmp

memory/1040-310-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1420-312-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 8ec1dcb11503224913084383909f4813
SHA1 d65f746eaf20fbbd1cf8b83581f64e0765f437db
SHA256 d905f1a441ed8102a2ba6d194ec46e9c557d2d3dd528b601ecdacd7dfb6e7c10
SHA512 a604bc19ddb999556245ae0dab4f644ef75d6dcfc2c42e2c0e4ef6cfd2a491e53bbdf80f20096ec9c48f3b8b00f4d174d80113d1cbef649d556bcfe4fbfb7509

memory/2292-317-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2292-324-0x0000000000560000-0x00000000005C0000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 58dbf9b8eac55594a9bdef776b60d667
SHA1 905798509cef8a9781f37f05df450f856590a4c0
SHA256 96e56b78d32fbcec2c6517a70198014da174e71d744e593a3564616a64a1eac0
SHA512 b0f900ecca99a1b6f6e007c61c1a4607e0070582990313755396fcba9ff8e55fb15a517867f0e317e9632c9e5a5dfc00b8211e97c0964b596d7a8c8868a64f08

memory/3224-329-0x0000000140000000-0x0000000140096000-memory.dmp

memory/3040-338-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/3224-340-0x0000000000620000-0x0000000000680000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 d42cb5d5b3fc5ef0d9da5ad945caa7a3
SHA1 f0c41759778bcdaf2693a992d06d0e5e52789f7c
SHA256 a913b303515622082904133515119819ae99775a039a0acac58882dea517b4e3
SHA512 40d2a13ebcfb66e143579a20e3e3b4289db04a47dc3b750d320bbf6382410a37500ef7b21bd07ac32621005921b3cd6fff2b8224d858c015ab56fa229f10d932

memory/4624-342-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1108-351-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/4624-352-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 939a148852fea7ae1226e88ca1bf24f9
SHA1 6046ea83ecd0f96fdb27e8de0619ecbd6a778656
SHA256 f73304c1dc7912dcc2b9d173748c4616cc104f567e8b5406389f23b9befc8327
SHA512 b34a7b27fb95e4194f5edde837f35b727ba3082c9bc024b9e43162d16978541be2028ad9e4cab12c654e58622e11f946cd6ee6e0ba82b4d64ea57b982e6e0a48

memory/4724-356-0x0000000140000000-0x0000000140102000-memory.dmp

memory/5116-364-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4724-366-0x0000000000A00000-0x0000000000A60000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 ed0b22ed4a19e2bed217fcd695deb921
SHA1 932bed0165c1edb01824ceffa55d2c8b22f3181a
SHA256 aa1c05b3d6c255079e94b8cfa3766db31834577bce9a2f1f6dff331b1c1592f4

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:58

Reported

2024-04-07 20:00

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe

"C:\Users\Admin\AppData\Local\Temp\fc30de5f041264e2cf1740a3e139ad6c3d3def0b473588a7d8a81d5752da268c.exe"

Network

N/A

Files

memory/2768-0-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/2768-1-0x0000000000530000-0x0000000000597000-memory.dmp

memory/2768-6-0x0000000000530000-0x0000000000597000-memory.dmp

memory/2768-10-0x0000000000400000-0x00000000004B8000-memory.dmp