Malware Analysis Report

2024-10-23 20:59

Sample ID: 240901-p8bnbs1gle
Target: 90180f284c1a5dc94ac94cae1dbdbfcc.zip
SHA256: 9ba0dda8caa62e0b27cb373f38095ddf4291086f24f8a2a9bb3ad0a89b05b6b5
Tags: expiro backdoor discovery evasion trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: 9ba0dda8caa62e0b27cb373f38095ddf4291086f24f8a2a9bb3ad0a89b05b6b5
Threat Level: Known bad

The file 90180f284c1a5dc94ac94cae1dbdbfcc.zip was found to be: Known bad.

Malicious Activity Summary

Tags: expiro backdoor discovery evasion trojan

- Expiro, m0yv
- Expiro payload
- Disables taskbar notifications via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Checks installed software on the system
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Unsigned PE
- Enumerates physical storage devices
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: LoadsDriver
- Suspicious use of WriteProcessMemory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-01 12:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-01 12:59
Reported: 2024-09-01 13:02
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"

Signatures

Expiro, m0yv

Tags: backdoor expiro

Expiro payload

Tags: backdoor

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Disables taskbar notifications via registry modification

Tags: evasion

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1194130065-3471212556-1656947724-1000 | C:\Windows\System32\alg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1194130065-3471212556-1656947724-1000\EnableNotifications = "0" | C:\Windows\System32\alg.exe | N/A

Checks installed software on the system

Tags: discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\T: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\System32\alg.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\System32\alg.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\diagsvcs\dobeocaj.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\jqcgiddf.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\spectrum.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\tieringengineservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | \??\c:\windows\system32\sgrmbroker.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\locator.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\openssh\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\jijfjjok.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\SysWOW64\libkpdid.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\alg.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\fdicbmoc.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\dbfmionb.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\Appvclient.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\mhojilhj.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\snmptrap.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | C:\Windows\System32\alg.exe | N/A
File created | \??\c:\windows\system32\chmmkhll.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\Appvclient.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\vssvc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\sgrmbroker.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\msdtc.exe | C:\Windows\System32\alg.exe | N/A
File created | \??\c:\windows\system32\jdpmbgeh.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\lsass.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\SysWOW64\mdabjdic.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\sensordataservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\spectrum.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\wbengine.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\wbem\wmiApsrv.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\ecfmjpnk.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\ehfdhhcc.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\aplclpem.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\searchindexer.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\openssh\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\sensordataservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\Agentservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\searchindexer.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\WindowsPowerShell\v1.0\djgcdqci.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\svchost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\windows\system32\tieringengineservice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\system32\lsass.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\windows\system32\pjakkiae.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | \??\c:\program files\windows media player\bbjcofkf.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\elidehmc.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\jqhcckeo.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\7-Zip\jgpijieg.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Internet Explorer\hfoijjjp.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\dakeokhg.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\lbhckibj.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\program files\common files\microsoft shared\source engine\ose.exe | C:\Windows\System32\alg.exe | N/A
File created | C:\Program Files\7-Zip\gkooamha.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\dotnet\ddnfppgh.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\mngianin.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\7-Zip\lncjookl.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bf014ec6efcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fc5c4ea6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000768445eb6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081d453eb6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054a88aeb6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b70147ec6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2f1f5eb6efcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe

"C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/1676-0-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/1676-1-0x0000000000400000-0x000000000054F000-memory.dmp

memory/1676-3-0x0000000000400000-0x000000000054F000-memory.dmp

C:\Users\Admin\AppData\Local\bcreblpq\ijjdejon.tmp

MD5 dad6df2d16e2ba34a3da348efe47d6ca
SHA1 75ca0afeeed4f992cd19f261529c5c2946a54f6f
SHA256 751ac4da6dbab19d3cdf5a44fd3537f74660e72a598db4325523e0522caa5552
SHA512 adf60d25d22a7a098225a9465ed255b3f9020e532947ec84e894db0047ed27a6ef60fabb862869a47f105530d7df6d39e750a266c9eb9e20a0faf8f72a45850e

C:\Windows\System32\alg.exe

MD5 67b2d1ce0dd8fb7726089def1fe0b787
SHA1 a3e56ecce10a5e782feab809d4b63a2e548ded76
SHA256 f9ad1ee6fe6a9d26a14a5aa629ec64b38cb0ac8f86072e92b6feb80e17ee03b6
SHA512 a18d0e346a1cd36d12d1fa9b807ec8af11aad2cb207855488d4cdc2cae35c3a79ba77c29415aa569995b7e7859679781fb29308784721c5b04b8174b1db6fe62

memory/408-23-0x000000014000D000-0x000000014001C000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 efd00b355ebc10165621b0152cc93574
SHA1 96288333d6b20de6645a11126a72d2ef004997e9
SHA256 73fe735cfa0a07f672c0673efcb104bc7485c29ed376e021183b1fa54072b5e3
SHA512 bf85d7865f35c257cf2b771ecc11b01d31498ba064f235582a66381b821c756e7e06bd5a73f2f1b60abf341e7501b8606c4f8e653470de26f4bf1718fa380ee3

memory/1516-40-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 a883f58f270a23a16587b100dd3c4933
SHA1 2b8f7a9b63db5ae8ab867c7107a86503dc2da4c0
SHA256 e843c2d48ff1a1e12e6c921c20038291308bf55b695aff4ea98b38d938d185d6
SHA512 64ac41ebba677f28a682cbcd360a9388f4cee5ddf2f456313e08525cd3c73c025156c4f0ae49cc4214302b72444cfc53cee2cfd996f5837dac0359acbaec1c1e

memory/728-48-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1676-47-0x00000000004BC000-0x000000000054F000-memory.dmp

memory/1676-49-0x0000000000400000-0x000000000054F000-memory.dmp

memory/728-50-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 c576552ff119e19dd3f368b98b64f3e9
SHA1 e9db3cff21fefe532d8673d7f14dbf7c16c5a062
SHA256 5f95cb0adce15d226b9a0a976e26990b4b972fad7c4c84178d511b98da2824c0
SHA512 77981a2e60be7831b306cb0324ac3f191c81a20334c4c828ac1eb2efef71c4eb87e61fd0fa67cd42b2442a4a462c1a9e8f72cadba868ce6a424d2e73e772f783

memory/408-57-0x000000014000D000-0x000000014001C000-memory.dmp

memory/408-63-0x0000000140000000-0x0000000140136000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

MD5 6b5a21eab6bd115a3a026bb73120f70b
SHA1 2ef3017d8456dec25305866b46c06eebcc039e2f
SHA256 1a1f69e7881b8b282072bbbc9dd30dba24e939b370869f7f98a1a1e0c1fddb2b
SHA512 25ee4c6f1737530d03c8986e13a0f3f254b6f34785fbe6f2ba892fc020c0df5ff7868ffd6b7eee6c40afc796559234a27feb958bd0dabc5b4d991eb203873102

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 0c9b82eeccebaf3088e9f328d8669dcb
SHA1 f2dca1d8370763539d8b6e19eeea7eb222a594d0
SHA256 dd1f1e961ef316b3c6944da5a5893f4062af202eef5454c409f91a6e576ea521
SHA512 508d0d87579903961411dfea13fd455f5b08e28754f4c0d9ae97a952fca1044355c0cd76c9b9bbaf5b8126868a342e78ab0e633deefc28ea1dc41a5db1a04b6b

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 3e32555b645b5dd97bb431684951f274
SHA1 df637dc036e5a84e9c9dee1cb9be1ab5e2119e6f
SHA256 8867b1f6bb82de00f4003ece23d9962d4c1b670c7d97da48b753fd53b22f98a6
SHA512 e8726b76bda1b5e1a61d503c44873b6cd8e88372ecf508a4d65c9731ac79d8f06cdc74b26710aff9ab0ef2d678bff2bb8491ebc3c74d8ac6d5007be4d18e8440

memory/1516-74-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\gejmelpd.tmp

MD5 2c0d704db7f81fa758edfd31f82d4b67
SHA1 b8e438b8383c7af870d4bcc917d71dce595974ae
SHA256 59f73bf69297f1d8f808973dfb9e1dc0d8e9cb04300d4afe436da97a35469945
SHA512 208c5635ca552b8ca27f3255e78088359cee630f0336b4f87a2e2def772fce270f5b334e3bbaade2d60fd18a9321fdbbea5ca6d30a87532e948331262745c571

C:\Windows\System32\msdtc.exe

MD5 0aa77de80806a542f472edb0dce4a17e
SHA1 8df3e09df7e85171d0aabe45be6bef414d36f164
SHA256 566ed33949719ec372325c828c845f94b8ca714ade47227b748b6b0410b044a8
SHA512 a7c302404ee241e786ea813674702070560a97cf4441ca8ef31b6ba12d370e65e236181157039612a9005ed1ef03ea0fb57ceffec8d0810ad6ecd4106b112026

C:\Windows\system32\msiexec.exe

MD5 d84b344bf7925553e950bcb099930b80
SHA1 c5eddaeb00bf9e28232de95ec053c25069814a81
SHA256 28c60478899713a41852fe47805251b81a69be7bee5fd77f4cba9a0f32863353
SHA512 7ec4df5e723a504805bfe8c433ba6f5de42fc189e083ed3175a2c6183a61f5f8c0998e46d5d68805ed6e6378490b0c1c6ba26a3d86de3ae547d82c003e3fcf90

C:\Windows\System32\SearchIndexer.exe

MD5 fb17dd5c25836a81643736eb6e66a97e
SHA1 ac2cd2476df8e50042b3f1d5cb2021dba5572428
SHA256 a26b6359345f591135c64f1bbd1f973cd9f25824e74f2f3975e59481a70775a2
SHA512 dda735fd2b1dd04912fe58bb49b32b6e01a07b8b6cfc49ad8b3ede30d96063a27b04634356276bbd48acc6f4ab23a77ef90663056b9e6ce2a352c2b786e563b8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

MD5 73d43241d49b7575fafc4afb3683aa3e
SHA1 7ccfebf8252f24980b80a59f3f7ac12de0db770a
SHA256 1f278dfb721f07f3010d772002d7855271031250db977a9a81535b24c7e45c59
SHA512 4a74d1df98383ba4588a09f00c51d1488fa49411b3a135218e4e2958673b9a9ad6ed2b5dddd279c1625833860773a7b53c701907aac5060d08ec9e3ac3cbdf94

memory/4104-247-0x0000000002600000-0x0000000002610000-memory.dmp

memory/4104-231-0x0000000002380000-0x0000000002390000-memory.dmp

memory/4104-263-0x0000000006D10000-0x0000000006D18000-memory.dmp

memory/4104-265-0x00000000069D0000-0x00000000069D8000-memory.dmp

memory/4104-266-0x00000000069C0000-0x00000000069C1000-memory.dmp

memory/4104-268-0x00000000069B0000-0x00000000069B8000-memory.dmp

memory/4104-271-0x00000000069A0000-0x00000000069A8000-memory.dmp

memory/4104-274-0x0000000006900000-0x0000000006901000-memory.dmp

memory/4104-285-0x00000000069E0000-0x00000000069E8000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 d37b4746a153abe6008218dec220f462
SHA1 a473b1701862c1c79207d7bb39291f3e37ce0db6
SHA256 592b2864c29fab1a80d6789ce9e647c59b23809a4323499a43e63682dc3c25e7
SHA512 5d64373cb70fe1acace04ffd8ab279ac74e28f0c415ba0355534082abbd9cb7609f537fab249a2af4e11ead0968e461c6fcfd2082a0220cebeba1f4ab873b714

C:\Program Files\7-Zip\7zFM.exe

MD5 ae644316de57b0c8bf380100fdf6201b
SHA1 8e0ed2070e0a948993a6a80a58d5ad2913430d06
SHA256 e8d59b85e7a5efaafc9a5dfeb62f0e876567650acc11d8925635379268b6d651
SHA512 d254be661526154c2c2e028371e53759d8ab674945124015408b6878e207c35293f222a8edc50384b7baf8ee1c026810d6fb42cb6aae761175138fcf5a8bb182

C:\Program Files\7-Zip\7zG.exe

MD5 cf4b2a7fec07e59a61682fda102494a9
SHA1 8888ac4294f0e4299df1453aa02928261dd597dd
SHA256 3b25dbb38185eb6501a47022e579e9a63befbbf9217aa7a27b78e068bf50d868
SHA512 69f14a52e396cec44cd499041a80f14cf305a5a2405242d09846881e179dd1e86c9a8201eccd45d177a408641162c9599fdcfc102998247f832cb9b4ca36ec8e

memory/1584-315-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-316-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-317-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-320-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-319-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-318-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-321-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-323-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-326-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-325-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-328-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-330-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-329-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-327-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-324-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-322-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-331-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-332-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-333-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-336-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-334-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

memory/1584-335-0x000001F0A4240000-0x000001F0A4250000-memory.dmp

C:\Program Files\7-Zip\Uninstall.exe

MD5 4e3d1b52c0977001b717300355b600cf
SHA1 e3615160362af023a082b00f68ae9981437cea10
SHA256 f7cd9fe1474a7e96cdf8029043d1641d76478b6caecb27253546e01d1e8e396f
SHA512 855c4cc6eb21293b02e1f44a8e46855497054e5d4af3b8279d9eaec89f3d2c9e8ee93267634d97ff7ea85f6be00a04019906f4b58a104c630338997ae5ceadf4

C:\Windows\system32\windowspowershell\v1.0\powershell.exe

MD5 e8a63952b999c9578136f9a7ce6b0654
SHA1 00e6fe8a0d43a683d43d5d3c8c3708edee12ba7b
SHA256 55b097da49d177957b70829acc9e3570aa0ecbbd668a53a8059953e159db18a5
SHA512 2c4226eae2d1e62b759b4b2478384dc90a1985ac7b7f73eb6d9d750a2aeb5ae7247783e72b7f3156241af7510a001b817af61deb1795aa72346b658cb87deb4c

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 cd98bf3cf0569b3979037e8460f89245
SHA1 9ef80255655214f32685c42aefa33c39737237cd
SHA256 ae8d09070e85210d7d0382d6ed2b3c375d1c0eb80c0b75c4752db5aafea94ab9
SHA512 0760868de032a8c64497988e47b59061895e74e9dbb21ad57fba6f33d3602f344f3b1602df0937a6fda9572b7e86fcf68e3e5d95f3e2656bb51392d7f8ec49ff

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 ebaf6ab801a8bec40079f34477886c85
SHA1 36eea4c2c5bbb26327f4ec0f4c0c05831f167134
SHA256 59742c6b75db910ede74740bbd1f4acdb92e6a1b9e85197c21ec96609fd44011
SHA512 eceb94773f02f466141e9563fb00bd6d5c4bc3261e7097b3f20386700d5b279bd438ad74fc807d3ed75040acdd2ff6292207e16a50badbf4a59bcabac41bab5f

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 29d58cfec058511f5c97e5342d8aac13
SHA1 e8bfce0354a518e444c2397abe4700855515b676
SHA256 a477d3fedbb1cf10a251e05e7c2a9538fceffa463b430cc8faff19ee4bb9d691
SHA512 ad6f3edf5cbbd92a711c0fcc465056b6a7e66389a68df81e33f71958d8cd470ac69e81e582aa350ae676cb07e428babbf2f8e9763fc186d8dec79561081eff10

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 b95a3115be79e0a681e206df9d2a70f0
SHA1 646946a39585c2f6b2234edd60dcc8e2fcf512d8
SHA256 9661f8b126bb3e8f7450f6a41da24f5958cc48a44bc6c5ffeb40742a929c701a
SHA512 5081618735bf94cbc9eb5f47e49101aa9d534c8958fd1d4a6a7a363df46c0ce10b89ec73c47e60d1ffe5e6aeaaff1883f942f716cbd00790f0dfcf95f2663602

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 a14df0b641a9d2b9941d492749fa4744
SHA1 a126c239d21f0478ff61a601039faa868e1d4a04
SHA256 c147e846f372f5b696ced2bea6d03beb1210b04b890a54781f25b387cbafabcd
SHA512 b995a37bc8dc313bda8af0f174cc2d6f97340661d1b35a4169420dc1a3bf4ef61553a8734ef8da419865d65e1a84394082fba43843b4da9372c2c7cfaf9f7d54