Malware Analysis Report

2024-10-23 20:59

Sample ID 240831-svwm5a1cja
Target d0880ec1ab1627d23202ee86d33b7356.zip
SHA256 d0db12599ead366e5c16b0bcc5332aeec67fe85fb2cd5eec9349992b546e0abf
Tags expiro backdoor discovery evasion trojan

Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d0db12599ead366e5c16b0bcc5332aeec67fe85fb2cd5eec9349992b546e0abf

Threat Level: Known bad

The file d0880ec1ab1627d23202ee86d33b7356.zip was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Windows security modification

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: LoadsDriver

System policy modification

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 15:27

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 15:27

Reported

2024-08-31 15:30

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4182098368-2521458979-3782681353-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4182098368-2521458979-3782681353-1000 C:\Windows\System32\alg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\cnoepfkj.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\ciehkjoe.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File created \??\c:\windows\system32\hmpedqle.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\lsass.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\fepqiagi.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\openssh\hgaienbo.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\wbem\lcbacbpp.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\pnggjicn.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\SysWOW64\djjjglap.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\lbpafgab.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\diagsvcs\icfkqcoe.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\mijphgfp.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\SysWOW64\cemdkpbo.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\tieringengineservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\fiplhikn.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\syswow64\perfhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\elepifgc.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\perceptionsimulation\jmkhqfgm.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\system32\ahilkilc.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created \??\c:\windows\SysWOW64\qnoipebh.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\pppjqpbi.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Internet Explorer\kjkookie.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\khfkggln.tmp C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Internet Explorer\hfoijjjp.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\7-Zip\nccafaqk.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\dddilmae.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\7-Zip\gkooamha.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jipjcfed.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Google\Chrome\Application\elidehmc.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A

Modifies data under HKEY_USERS

Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6dc7377bafbda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000631c1277bafbda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035cb4177bafbda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3c69e77bafbda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089f2ff7dbafbda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe

"C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp

Files

memory/2808-0-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/2808-1-0x0000000000400000-0x000000000054F000-memory.dmp

memory/2808-3-0x0000000000400000-0x000000000054F000-memory.dmp

C:\Users\Admin\AppData\Local\rdmopcjb\kaclenfi.tmp

MD5 bc4c920812a5c6adda5e824c5186119b
SHA1 9fd94462f5319ec6bfd83ef0ba373f9f56d49f73
SHA256 065bc6d48047c3e2a37efd894e66d2a127b024b9cda05c13a77ba4270d281a72
SHA512 3369210915b62cfd9f9076d95c7e2eb26b51524b1dd8e5c3b5a3b0453cef91fd5a6c18772538b9948b01ad17d0d2b6d3468fa7d8ceefc8c504e865ae1685af42

C:\Windows\System32\alg.exe

MD5 fd9f5d8b1fbf9be94a640c346bafcd38
SHA1 28f90561cd1cf966af7826bea4604870179bb719
SHA256 ca25d0890a9dfbc683a6f07650701e91765cea4e118e5c9e70fd1a20481981aa
SHA512 0a24351d33c6faf48b07c8f957158f43e2af3b0a1d20946a2f01401e8347b6501ecb1d5450a361923e9176cf5e5b1f878223bbd1701e198a27ffc47055bd5378

memory/696-23-0x000000014000D000-0x000000014001C000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 20e878859fc9f023b26ad656e69301c4
SHA1 f0c25d98a2a052809b59b0bb46d285eb6f8f01d5
SHA256 814ad5c2f5635962c5c6c6765b489d116e116df357cf70429e3bde5fa10b4c4d
SHA512 b5d5cd7d6980da62368aa0788e85599db041e7407e3ea5570956c235c28d3e071cd76851c23ea349ac7732e081e0f00b4d66926bff6b338fba0e2a3651a829b7

memory/2248-40-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 b9bc05f0fae4a3ba4c63a60e93a28ac2
SHA1 791f9c640903fc411627936e103e072f4a76d3dc
SHA256 22c212c69876196d117f543df3263f3b9b39fe379493741b262d1667745a927e
SHA512 9665292c63e0ae36465d0f61c2b1ffdcdeabd6803be0e9beefe16569a10eef43103a354b8b62a2129f4cd391570af32fb12cd48e805673c7a0d7a70c6bdbd858

memory/1144-48-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/2808-47-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/2808-49-0x0000000000400000-0x000000000054F000-memory.dmp

memory/1144-50-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 a9b87b127961bffb729578b7e3a41375
SHA1 e43418e1bee7971fa535c67b0caf1b8caf8ed79d
SHA256 fbad2ded5111b67b5c92d2cbbfda1ea0a18eadbe6091df9b50dfd1d019d887be
SHA512 2a61aa23bd176b90fa3f6955d457f50c095f050fb5d511c55c0dd94add6b21454d06856bc5905ecd31d7617820f6bf17b335b5191c22504030392d413218e418

memory/696-57-0x000000014000D000-0x000000014001C000-memory.dmp

memory/696-58-0x0000000140000000-0x0000000140136000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

MD5 51c63fbc53ec639ce19309376fcd8f40
SHA1 2299ef2f99ab7754872e0c26e517a51cac4ff5b7
SHA256 c1094cd63b7f24d515379204b06c27788729f35dc06a537ed344300e419eef61
SHA512 42aee4599b183f41de8d6d3f78f85cd5f93dc36801da330cfee24cbbffb65937b7c7a668758a5c4033b18eda8b93f22121deacd685a83f6e8ce0d6dc40f0bff1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 7d0b74452b5b82e0fe2e28e2c1fd2029
SHA1 4cca205c74ccba317461a0445a96685e8089a775
SHA256 5a9709e68aabce988c8d95e2ece4bb55eb29497c2052fd6e605ca0d231d78816
SHA512 f24895a21c5059fb3e1f0d868cf661584c21f5f82fc57af6f6095f326f0f3479edf4ca700ed65f59039df94f4db069032f202e3c4349dd15c51b2c1e82637bd1

C:\Program Files (x86)\Mozilla Maintenance Service\iihbqpbl.tmp

MD5 394bd4f3344fedac858e3b3e930f615e
SHA1 4073b6b6f08e515c4efdb2c3be235c52e51563c5
SHA256 c1beeea028eeba2670dfd6f8484c0973120e734f1e65000931bc62e5933eb764
SHA512 66fc9703e034212b640fc8fcecbb9e8b91af7a1ab5d3007e3da5d77a4d3012419befbe616e10ec4530d4ea94dac31b2407bcfcae848dfce966f588205b0deb4b

C:\Windows\System32\msdtc.exe

MD5 b8b5e6a643c8069d37fe3fa68db485e7
SHA1 5844e976bf42bc90cbcc2e2954adaac92b2f710b
SHA256 5e95f41f0a0738e03a8fdcb8aba713f8190703e584ef177650b94d4b4313c6a7
SHA512 c7aaa8f63f079d40d623ceeef75d0bb60295c26dc482c2054ce2d9ffbb0071987b012156f4b1ac93baa0bcfa69a35c5edad15a922a4049b51a5ad3712f2cc29f

memory/2248-86-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msiexec.exe

MD5 c6b0750173859425708c0a356fb74377
SHA1 1087c8eade1af80be55df01d8dc7141e3aad090d
SHA256 aa0d4880d42e29f8ec2a597136b9d6f27080543c49fac73bc228d37a38fa747d
SHA512 b0a46347d2c828d7bcf27c6bb77d7c1625d2fbf26a5ce154dc7e8445a50fee717671b19f9289daea9d0a926805abfe9a169039f0ba49785c9d863b795afd7913

\??\c:\program files\common files\microsoft shared\source engine\ose.exe

MD5 113741dd913ba16272df427ca7680d3a
SHA1 994d13cad760f05c50241c1d6a926afcb0888cd1
SHA256 2f0d454a5be3edea590fb5bca7e5846fc72508177d29c21c598288b3dbbbfab6
SHA512 ae56289c5dfce89d78be98c93cab377c95a83ce47b4a4a22deca3ed987737c42841321823c0fca41268e739b522b10acee71b9ed659c1c74481a4d604fc953e8

C:\Windows\System32\SearchIndexer.exe

MD5 fdb90b061d9db265d0f3570cada5b2a9
SHA1 5627d7934101fce9b3b0e497c4bf5c79a699e649
SHA256 37bb254012a27f32ea8892afe4194b90232021e17c3db52faf348bd534e6544a
SHA512 65eae1526b2f07f1686d6b2194ae94d497e08545fd1e18a18d0922a421108141fecbc5eab798df74571479d316b13ab89a26fa9175f1e1fb10b2713b2c62764d

memory/2092-215-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2092-199-0x0000000002500000-0x0000000002510000-memory.dmp

memory/2092-231-0x0000000006DF0000-0x0000000006DF8000-memory.dmp

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

MD5 bdbb786bfbaac43d6ad1d5127c53b723
SHA1 83b5878593d4050914edec3e6c32311fee196635
SHA256 2c06128e9f551b4b61257e19d605af9f32b76aef17178e6d353235ee41c90d5a
SHA512 304e979d6fbccab74614542ebe3e85b33f6af40866758b4cf570a43746ce3c81784b0d789b8a5bcfbbfd67ae12f93de27ca352eda08eba6bf4aacac4768be808

memory/2488-266-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-267-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-268-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-270-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-271-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-269-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-272-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-274-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-275-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-273-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-277-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-279-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-281-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-280-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-278-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-276-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-282-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-283-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-284-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-286-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-287-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-285-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-294-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-293-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-292-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-291-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-290-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-289-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

memory/2488-288-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 04aeac909638aee43acddb5833fc4207
SHA1 7c0096ef3ea0cf44b09eb0f68195b42affa10742
SHA256 cfa2841d5733044b25bb8b680ee41e412ee645ee5f4b7d87fead672fed0e3551
SHA512 2113a05de97738be2a0721ff53360e31c8a2258d9078639ce0a20a763a2fad6ee26365824eaa57e435108c8891428a8904636ec4851271a2e40556f57354c006

C:\Program Files\7-Zip\7zFM.exe

MD5 205cb92b74171f11a46bf5d625af1aa0
SHA1 7654ceccc5d9220eea1ddf663d18b2a48c65f863
SHA256 c9a28e50d2b57896e185063f215bba980304ea23cda9b83d84f82878e756241f
SHA512 54f7b81b2909352182b28c469b4817fce830ce34df0b2e9b446de00317f7f4d509fe28e0e2794ff9e397b658e4ddc689c361a916c5d02d13618bf7dd345f599c

C:\Program Files\7-Zip\7zG.exe

MD5 dea09547ba96de90d61b37adf0b4fc67
SHA1 ba9be74b45649f9a812eb9402169918170607577
SHA256 da10496491cc0ff8faa1f0e35c616672533a1cabde7d68dbfda809a080773da6
SHA512 8cf851bd1407f176432cca16e39b3c6d94e22e984ea41c8039f93318c5e5472511ceb27a434670078bdce68f460074bf384b786af6eeb75f8eff6ed2800b0954

C:\Program Files\7-Zip\Uninstall.exe

MD5 7776832995b3e30f757beb5d66433f38
SHA1 128acb25bf1d2919179930edf9b75b6d940ea9f3
SHA256 41b1081c1efa486136d91e0d10b17f52eddf12e425aa9b17a0490dacc5041044
SHA512 8e87993512124110ca6f5fc256f8a645c5ea16bdad57c621e0e56d2ca1415ae17ea57eb552cf5b2366d530d1b44c920845a5b7ad310d5e9f00861099440972be

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 ac0897d022d3c27248370685370ae1ec
SHA1 24bf22db804346de25d32f4eaf0a34ce2f583e4c
SHA256 143f6a0d9e2e73ea44fd8eb1e55dde308c7c90bdb9cff88bc16bb65be2ee683d
SHA512 42dda251364cc78866c2f1746d907be2256774d5b3430d6f6d582d51a7f222a46cc57b4ce6ba4113c756cf51cb71fa097a350476f40b5f558a1e00a204a67987

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 8748b307e297382f5fa5eb44ebb2a971
SHA1 a521155634a5f8b05c32b96edee41b52031e342a
SHA256 81a80f827eebc82aaf174af86e773cd0bef6e5726776ac360fde5a4cc1ec02b2
SHA512 67efccbf9c73fe517614983a32b1da39a38314c15b151909f1fa94f910203a2ccc769cbc631b493f9d90390698509b10deeaeb63209d18fcd1d523b5c4c3cee2

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 c5c148ea805961f1b3f92e4f662142af
SHA1 594f3c81e9047c47676cb4387114a66080b920eb
SHA256 26b525d0f45c10a23bf4c3487a2c4a1d8ebe16115a9d16a0ba0ec7705e835838
SHA512 1df40ce6754694bda85dbe84f8ab9d5e26d571de3107ec1e81313e1bc0d7fa79e655711ef6a7b8fea9928d01441d6caf0188d7e562b4a9582e5fd15f51a7f385

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 2c85e12bf48cd47f0f7603a46a649a66
SHA1 d594947d16d029cdd8e8fd0a98dcff1eb00b9938
SHA256 8190c49e50d5fdddb6e253edda5b408f60cf1bc54c7e754504fbf1455dfa8a23
SHA512 b1ac1d870c61346906a2f59dc14d55d54a11091421c061b1f7c3f19c8db49d9fb21dbf0848f90fa518edbd98951ec412f923b70084d9787589fad6bccbddae01

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 5d6800283fc0a339b9dcaf17168a7ed5
SHA1 aee8ffcabc943b6135008b0c7febcb4bc95e49e4
SHA256 e7d6495c99ca67d737463f8c251d5b7abe7f829cdb0dc0d7d33b029a935ad12d
SHA512 47a3f03a31a6cc3239bc24f1c8543270129e69a425093676e515eba57417d5a963d1373935b4f3b8b8e29686d425d737cf18761a2488dc1d7b57b4629bbf3a59