Malware Analysis Report

2024-10-23 20:58

Sample ID 240901-yd1teazdqp
Target aeacd6bfb480546d0ee3e14f0bb46f8c.zip
SHA256 e96a4277c876088b4bc06d5313152340683e53b3375b92dc831f2e6f1a2d7e34
Tags
expiro backdoor discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e96a4277c876088b4bc06d5313152340683e53b3375b92dc831f2e6f1a2d7e34

Threat Level: Known bad

The file aeacd6bfb480546d0ee3e14f0bb46f8c.zip was found to be: Known bad.

Malicious Activity Summary

expiro backdoor discovery evasion trojan

Expiro, m0yv

Expiro payload

Disables taskbar notifications via registry modification

Executes dropped EXE

Windows security modification

Checks installed software on the system

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 19:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 19:40

Reported

2024-09-01 19:43

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe"

Signatures

Expiro, m0yv

backdoor expiro

Expiro payload

backdoor
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables taskbar notifications via registry modification

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-355097885-2402257403-2971294179-1000 C:\Windows\System32\alg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-355097885-2402257403-2971294179-1000\EnableNotifications = "0" C:\Windows\System32\alg.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\alg.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\alg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\ogpimqhi.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\kpmjnjmp.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\fnpqhmok.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbengine.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\ffeaagdi.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\diagsvcs\hdknallj.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\lcbfqcif.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\spectrum.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\snmptrap.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\ebhdmfcg.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\locator.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\vds.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\locator.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\jdnahoqa.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\vssvc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\perceptionsimulation\eiplfhao.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\SysWOW64\fadijdhf.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\ijpanmfb.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\windows\system32\fkaeaclj.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\msdtc.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\gfbplcla.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\sensordataservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\spectrum.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\kgobpbpo.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\Agentservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\windows\system32\openssh\ncfgkjoi.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\sgrmbroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\vds.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Internet Explorer\hfoijjjp.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\program files\common files\microsoft shared\source engine\gabeccla.tmp C:\Windows\System32\alg.exe N/A
File created C:\Program Files\7-Zip\lncjookl.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Google\Chrome\Application\elidehmc.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\dotnet\ddnfppgh.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\obkakffi.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\jbailmli.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\7-Zip\jgpijieg.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\program files\google\chrome\Application\123.0.6312.123\gcmidlbm.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hhfjjgab.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\jmofaklb.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File created \??\c:\program files\windows media player\pmkafglf.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\kgacdccg.tmp C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File created \??\c:\program files (x86)\mozilla maintenance service\jfapaeog.tmp C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
N/A N/A C:\Windows\System32\alg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Windows\System32\alg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Windows\System32\alg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe

"C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network


Files
