Malware Analysis Report

2025-08-05 14:41

Sample ID 250703-f6j29ahq6s
Target 2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer
SHA256 86f1d5ca95e1ff395be3a353bb45a1d33729432a51acad8243669d35ffb9f44c
Tags
defense_evasion discovery spyware stealer trojan
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

86f1d5ca95e1ff395be3a353bb45a1d33729432a51acad8243669d35ffb9f44c

Threat Level: Shows suspicious behavior

The file 2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer was classified as: Shows suspicious behavior. The family names embedded in the submitted filename (amadey, black-basta, darkgate, elex, luca-stealer) come from the submitter, not from this analysis; every signature listed below is behavioural, and none of them is a family-specific detection.

Malicious Activity Summary

defense_evasion discovery spyware stealer trojan

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:29

Reported

2025-07-03 05:31

Platform

win10v2004-20250502-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

defense_evasion trojan
Reading EnableLUA is also routine for installers and updaters deciding whether they must elevate, so on its own this is a weak indicator; it carries weight here only together with the writes to system executables recorded in the tables that follow.
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A

Drops file in System32 directory

"File opened for modification" records a handle opened with write access on the indicator path; the table shows the handle, not the bytes written. Two writers appear: the submitted sample and, later in the run, C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe, a Chrome component that has no legitimate reason to open unrelated executables for writing. Its appearance as a writer is consistent with the sample having modified it first, although the table does not show that write. The path it opens under C:\Windows\system32\config\systemprofile\ is the LocalSystem profile, so that process was running as SYSTEM. Targets are repeated where the same file was opened more than once.
Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\fe2a357a676a9926.bin C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86781\javaws.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A
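Added here as an editor's triage example; it is not part of the sandbox report. It parses rows of the three "Drops file in ..." tables above (a subset is excerpted inline so the script runs offline), splits each row on its drive-rooted segments because the paths contain spaces, and then answers the questions a responder asks of such a table: which processes opened many executables for writing (the behavioural hallmark of a file infector), which writers are not the submitted sample, and which binaries must be verified on a suspected host. The three-target threshold and the PE extension list are assumptions of the example, not values defined by the report.

```python
"""Triage helper for the "Drops file in ..." tables of a sandbox report.

Row shape (Description Indicator Process Target):
    File opened for modification <target path> <process path> N/A
Paths contain spaces ("Program Files"), so rows are split on the
drive-rooted segments rather than on whitespace.
"""
import re
from collections import defaultdict

# Submitted sample and the secondary writer, as named in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69"
          r"_amadey_black-basta_darkgate_elex_luca-stealer.exe")
ELEVATION = r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

# A subset of rows excerpted from the report tables, joined here so the example runs offline.
ROWS = "\n".join([
    rf"File opened for modification C:\Windows\system32\dllhost.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A",
    rf"File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\wbengine.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\vssvc.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Program Files\7-Zip\7z.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\system32\dllhost.exe {ELEVATION} N/A",
    rf"File opened for modification C:\Windows\system32\msiexec.exe {ELEVATION} N/A",
    rf"File opened for modification C:\Program Files\7-Zip\7z.exe {ELEVATION} N/A",
    rf"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\fe2a357a676a9926.bin {ELEVATION} N/A",
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {SAMPLE} N/A",
])

# Description, then a drive-rooted target, then a drive-rooted process, then the N/A target column.
ROW_RE = re.compile(
    r"^(?P<desc>File [a-z ]+?) (?P<target>[A-Za-z]:\\.+?) (?P<process>[A-Za-z]:\\.+?) N/A$"
)
# Extensions treated as PE images (assumption of this example).
PE_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")


def parse_row(line):
    """Split one table row into description, target and process; None for non-file rows."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def pe_targets_by_process(text):
    """Map each writing process to the PE files it opened with write access.
    Targets are lower-cased because the report mixes 'system32' and 'System32'."""
    out = defaultdict(set)
    for line in text.splitlines():
        row = parse_row(line)
        if row and row["target"].lower().endswith(PE_EXT):
            out[row["process"]].add(row["target"].lower())
    return dict(out)


def file_infector_candidates(text, min_targets=3):
    """Processes that opened at least min_targets distinct PE files for modification,
    ranked by count. Legitimate software rarely needs write handles on unrelated
    executables, so a high count is the behavioural hallmark of a file infector.
    The threshold is a tuning assumption of this example, not a value from the report."""
    ranked = sorted(pe_targets_by_process(text).items(),
                    key=lambda kv: (-len(kv[1]), kv[0]))
    return [(proc, len(targets)) for proc, targets in ranked if len(targets) >= min_targets]


def secondary_writers(text, submitted=SAMPLE):
    """Writers other than the submitted sample. A binary that starts opening other
    executables for modification mid-run is the table's clearest hint that it was
    itself modified earlier (the table shows the handle, not the write)."""
    return sorted(p for p in pe_targets_by_process(text) if p != submitted)


def integrity_check_list(text):
    """Every PE opened for modification, deduplicated: the list to verify on a
    suspected host (Authenticode signature and hash against a known-good copy)."""
    return sorted(set().union(*pe_targets_by_process(text).values()))


if __name__ == "__main__":
    for proc, n in file_infector_candidates(ROWS):
        print(f"{n:3d} PE targets  {proc}")
    print("secondary writers:", secondary_writers(ROWS))
    print("verify:", *integrity_check_list(ROWS), sep="\n  ")
```

Run against the full tables rather than the excerpt, the sample and elevation_service.exe each account for dozens of targets, and the integrity list is what to hand to Get-AuthenticodeSignature or sigcheck on a host suspected of running this sample; a now-unsigned or hash-mismatched copy of any listed binary confirms the write that the table only implies.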

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
The NLS\Language reads come from the sample and from perfhost.exe, which the sample opened for modification earlier in the run. Many loaders and stealers read the system locale to skip machines in particular regions, but ordinary locale initialisation reads the same key, so the read alone does not establish a kill switch.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWow64\perfhost.exe N/A

Checks SCSI registry key(s)

The reading processes are SensorDataService.exe and spectrum.exe, both Windows services that the sample opened for modification earlier in the run; the report does not show whether these reads are the services' normal device enumeration or code the sample placed in them. The vendor strings in the keys (Ven_QEMU, Ven_Msft with Prod_Virtual_DVD-ROM) identify the detonation host as a QEMU virtual machine, and the FriendlyName values queried below are exactly what a hypervisor check would compare against a vendor list.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a927356bdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fd0ff6bdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000879e4a6bdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b057286cdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063e2126cdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bc6326bdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003064306bdbebdb01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe"

C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-03_113823381d651780a04c014720f41a69_amadey_black-basta_darkgate_elex_luca-stealer.exe --crash-handler --database=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\138.0.7194.0\Crashpad --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=138.0.7194.0 --attachment=C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log --initial-client-data=0x2f0,0x2f4,0x2f8,0x2ec,0x2fc,0x9229c0,0x9229cc,0x9229d8

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Network

Country Destination Domain Proto
US 34.229.166.50:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
US 3.238.30.69:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
US 3.238.30.69:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.209.195.255:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 54.146.6.253:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
US 3.238.30.69:80 typgfhb.biz tcp

Files

C:\Users\Admin\AppData\Local\Google\GoogleUpdater\updater.log

C:\Windows\System32\alg.exe

C:\Users\Admin\AppData\Roaming\fe2a357a676a9926.bin

C:\Windows\system32\AppVClient.exe

C:\Windows\System32\FXSSVC.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

C:\Windows\System32\msdtc.exe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWOW64\perfhost.exe

C:\Windows\System32\Locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\Spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\TieringEngineService.exe

C:\Windows\System32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\VSSVC.exe

C:\Windows\System32\wbengine.exe

C:\Windows\System32\wbem\WmiApSrv.exe

C:\Windows\System32\SearchIndexer.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SgrmBroker.exe

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

C:\Program Files\Java\jdk-1.8\bin\javah.exe

C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

C:\Program Files\Java\jdk-1.8\bin\javac.exe

C:\Program Files\Java\jdk-1.8\bin\java.exe

C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

C:\Program Files\Java\jdk-1.8\bin\jar.exe

C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

C:\Program Files\dotnet\dotnet.exe

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
