Malware Analysis Report

2025-01-03 07:54

Sample ID 230428-3bdy3sgh45
Target TT copy.exe
SHA256 f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2
Tags
blustealer collection stealer spyware
Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

f266e9833cf991a972db594ad7afad2332dfccdd2b7454e49455b759f406bcd2

Threat Level: Known bad

The file TT copy.exe was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer spyware

BluStealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

Modifies data under HKEY_USERS

Script User-Agent

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-28 23:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-28 23:20

Reported

2023-04-28 23:22

Platform

win7-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\da069b05a5fe7035.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1368 set thread context of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 464 set thread context of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{21B7CED9-F086-4000-A3C8-C1F024D63E84}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{21B7CED9-F086-4000-A3C8-C1F024D63E84}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Preferences\ C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Health\{9D65BAB1-161B-4445-A989-F3039E0BF5A3} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MediaPlayer\Health\{9D65BAB1-161B-4445-A989-F3039E0BF5A3} C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Windows Media Player\wmpnetwk.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A
N/A N/A C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 1368 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1732 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1472 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1732 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1456 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 2932 wrote to memory of 2912 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2932 wrote to memory of 2912 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2932 wrote to memory of 2912 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1972 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1972 wrote to memory of 1988 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TT copy.exe

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

C:\Users\Admin\AppData\Local\Temp\TT copy.exe

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 1e0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1dc -NGENProcess 1e0 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1f8 -NGENProcess 1e8 -Pipe 24c -Comment "NGen Worker Process"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 244 -NGENProcess 1dc -Pipe 260 -Comment "NGen Worker Process"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

"C:\Program Files\Windows Media Player\wmpnetwk.exe"

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 248 -NGENProcess 1ac -Pipe 1f8 -Comment "NGen Worker Process"

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3430344531-3702557399-3004411149-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 254 -Pipe 1e0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 26c -NGENProcess 1f0 -Pipe 268 -Comment "NGen Worker Process"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 588 592 600 65536 596

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 cvgrf.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp

Files

memory/1368-54-0x0000000000FE0000-0x000000000118C000-memory.dmp

memory/1368-55-0x0000000004B60000-0x0000000004BA0000-memory.dmp

memory/1368-56-0x0000000000550000-0x0000000000562000-memory.dmp

memory/1368-57-0x0000000004B60000-0x0000000004BA0000-memory.dmp

memory/1368-58-0x0000000000590000-0x000000000059C000-memory.dmp

memory/1368-59-0x0000000005DD0000-0x0000000005F08000-memory.dmp

memory/1368-60-0x0000000006200000-0x00000000063B0000-memory.dmp

memory/464-61-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-62-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-63-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/464-66-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-68-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-69-0x00000000002B0000-0x0000000000316000-memory.dmp

memory/464-74-0x00000000002B0000-0x0000000000316000-memory.dmp

\Windows\System32\alg.exe

MD5 63728662230c4215bb5c43409ea6ccba
SHA1 0d04f115874abe5220e79d100dbdf982f503fe52
SHA256 b4a45228ba2338aa4913dca213a078758b2b4ed4695dbc63a41a6d7f40a19e42
SHA512 9f7249258501aae60e9e500feaaefc2fe325a79c99c11417a63ebb749c5d46480451b75c7dc37ac73bc8576a9000cf13dcb5f4d65a1c3bdbedca7da01a22d21e

C:\Windows\System32\alg.exe

MD5 63728662230c4215bb5c43409ea6ccba
SHA1 0d04f115874abe5220e79d100dbdf982f503fe52
SHA256 b4a45228ba2338aa4913dca213a078758b2b4ed4695dbc63a41a6d7f40a19e42
SHA512 9f7249258501aae60e9e500feaaefc2fe325a79c99c11417a63ebb749c5d46480451b75c7dc37ac73bc8576a9000cf13dcb5f4d65a1c3bdbedca7da01a22d21e

memory/1504-82-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/1504-88-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/1504-90-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/464-91-0x0000000000400000-0x0000000000654000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 4580309989be07661c7923902b5fb69c
SHA1 830b888756dd008ee036bacce19c93f353b3b1bd
SHA256 14b3e2727668c32d74cedb07db8f9fcd8bf230b8f840fd8110a77296b1c198ec
SHA512 f522ae3b7f327e7148bcf9bef2017d456ae012c9da4af6b71f9dc2e8bc06e81e75dd86ca409df547885f3a3a2ddea3d8279e02985ed3465d527eab946ec67457

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 4580309989be07661c7923902b5fb69c
SHA1 830b888756dd008ee036bacce19c93f353b3b1bd
SHA256 14b3e2727668c32d74cedb07db8f9fcd8bf230b8f840fd8110a77296b1c198ec
SHA512 f522ae3b7f327e7148bcf9bef2017d456ae012c9da4af6b71f9dc2e8bc06e81e75dd86ca409df547885f3a3a2ddea3d8279e02985ed3465d527eab946ec67457

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 df17b4328c035d1873801ad43404936d
SHA1 ca3e6cf784dfbe7690ff89a2a4ba716da92833e1
SHA256 1b06b70cb88ddcfe817f7f52fd632b00566356aca89f1ee3a980668b7f6a00f2
SHA512 c319c7409eb4323837ff30582483d5b9b6ddefb6fb6304c5209a6b6a337f75480e250007f42525056ba162e12a2826109251a166e292390784d6dfa02d674cee

memory/1992-99-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1992-98-0x00000000000D0000-0x0000000000136000-memory.dmp

memory/1992-100-0x00000000000D0000-0x0000000000136000-memory.dmp

memory/1992-106-0x00000000000D0000-0x0000000000136000-memory.dmp

memory/1992-108-0x00000000000D0000-0x0000000000136000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 df17b4328c035d1873801ad43404936d
SHA1 ca3e6cf784dfbe7690ff89a2a4ba716da92833e1
SHA256 1b06b70cb88ddcfe817f7f52fd632b00566356aca89f1ee3a980668b7f6a00f2
SHA512 c319c7409eb4323837ff30582483d5b9b6ddefb6fb6304c5209a6b6a337f75480e250007f42525056ba162e12a2826109251a166e292390784d6dfa02d674cee

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 9586bcb7756d3d8c54915c83d9e4bbf1
SHA1 fe6a3dcdaf8e5b661a6945479949983e58d3db3e
SHA256 9119c346c337fd95cf41e9b28d0821401e3deff36f6ee8a3784786f44d22dc9b
SHA512 93530238bffb5ef5cfd188bdbe81e1bb57ad8b066b1c8e0a55fc70b96a3b3cb0859738868f425eb32b63f59f566d2b0f8ae74216ff4e0bb6f2c5f8cb1564eefa

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 9586bcb7756d3d8c54915c83d9e4bbf1
SHA1 fe6a3dcdaf8e5b661a6945479949983e58d3db3e
SHA256 9119c346c337fd95cf41e9b28d0821401e3deff36f6ee8a3784786f44d22dc9b
SHA512 93530238bffb5ef5cfd188bdbe81e1bb57ad8b066b1c8e0a55fc70b96a3b3cb0859738868f425eb32b63f59f566d2b0f8ae74216ff4e0bb6f2c5f8cb1564eefa

memory/1044-113-0x0000000140000000-0x00000001401F4000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 793708fbfee486b2848e5235f54d99c8
SHA1 914e3647949ae31ab4934f892d34b041b3d17253
SHA256 7c482a09eb85c47287dda9ff209b0ed5d85c449701b36b6035f34440b686355b
SHA512 00c4c4320be4e96499241932ea14909dc86f1f45884abe569c28ba826445a4cf0d42e3e45e565c1ba71aca519b5e9ced62b1a07b5ad3fedcc351ecde22f7387a

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 9586bcb7756d3d8c54915c83d9e4bbf1
SHA1 fe6a3dcdaf8e5b661a6945479949983e58d3db3e
SHA256 9119c346c337fd95cf41e9b28d0821401e3deff36f6ee8a3784786f44d22dc9b
SHA512 93530238bffb5ef5cfd188bdbe81e1bb57ad8b066b1c8e0a55fc70b96a3b3cb0859738868f425eb32b63f59f566d2b0f8ae74216ff4e0bb6f2c5f8cb1564eefa

memory/240-120-0x0000000010000000-0x00000000101F6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

memory/1972-123-0x00000000002D0000-0x0000000000336000-memory.dmp

memory/1992-129-0x0000000004CB0000-0x0000000004D6C000-memory.dmp

memory/1972-128-0x00000000002D0000-0x0000000000336000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 b6e9c1b31a968762cb4d4f0058b73345
SHA1 2a1f56d9191a797bfb19352bbfd4e5299c7f68eb
SHA256 99e05d52d9c058ded15d9ca2bbba35e66cf55c95df2d78f63b88add33ae46ecc
SHA512 925c080427142b577d053ef23f20354388f6f3ce4638026ca0b287e10327e0f1e8e7f47aac814651010c51d559c223a736f86c4287705031664e4caee226fba0

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 580d079cfc543d52ede34b07f125b5d8
SHA1 eff6975d904ee24a412d7a3d07b70f6f1767227c
SHA256 0fafc91570b020c0144f783df4beed681673025cc658fd4319f9af0aeca490f0
SHA512 03e6a90d9684510b2acb27ce6e0efd4d33d0c5661f0bbedbc2166db7a479f8e5dca803b3f62514249aa420c41ebdf79bfd864f435123b6a73d168c24a2436d04

memory/1524-137-0x0000000010000000-0x00000000101FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

\Windows\System32\dllhost.exe

MD5 c5b862ae31f01168721c4a03287a4419
SHA1 c00d0c3a050b5658944c738fc691f7f4a5dfce28
SHA256 f4131bc60ec28177b6aac5d59b9fa37f452dd25b4f3dff653d5eae695cf7e058
SHA512 9a9a8e85dfeb666f0034bb9c6e9c76bd4f1a0541695b28977cbf6668789e038e77a5feb109f6faf58b28ac599d181d6968dd33ab51ed6a8f6a966953d74433bd

C:\Windows\System32\dllhost.exe

MD5 c5b862ae31f01168721c4a03287a4419
SHA1 c00d0c3a050b5658944c738fc691f7f4a5dfce28
SHA256 f4131bc60ec28177b6aac5d59b9fa37f452dd25b4f3dff653d5eae695cf7e058
SHA512 9a9a8e85dfeb666f0034bb9c6e9c76bd4f1a0541695b28977cbf6668789e038e77a5feb109f6faf58b28ac599d181d6968dd33ab51ed6a8f6a966953d74433bd

memory/1732-145-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1972-146-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1416-147-0x0000000100000000-0x00000001001EC000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 580d079cfc543d52ede34b07f125b5d8
SHA1 eff6975d904ee24a412d7a3d07b70f6f1767227c
SHA256 0fafc91570b020c0144f783df4beed681673025cc658fd4319f9af0aeca490f0
SHA512 03e6a90d9684510b2acb27ce6e0efd4d33d0c5661f0bbedbc2166db7a479f8e5dca803b3f62514249aa420c41ebdf79bfd864f435123b6a73d168c24a2436d04

\Windows\ehome\ehrecvr.exe

MD5 8c0ed201c81f455a7f82a5bb63738e5f
SHA1 39e65f2e9f99d2dda9c678f9f82eeb6c579dacaf
SHA256 80739a56b695740746ee0ca6f3ef76905b2225327928d401540f7e017c1dfefe
SHA512 fba21583b06519da0ac4604d86bfce95dc94db8ce7cbb9052979f1d99cb640a6fec32ed65d46cdaff860997f68e6722694b5dba3bdac80fa183ce9ed6f0e463b

C:\Windows\ehome\ehrecvr.exe

MD5 8c0ed201c81f455a7f82a5bb63738e5f
SHA1 39e65f2e9f99d2dda9c678f9f82eeb6c579dacaf
SHA256 80739a56b695740746ee0ca6f3ef76905b2225327928d401540f7e017c1dfefe
SHA512 fba21583b06519da0ac4604d86bfce95dc94db8ce7cbb9052979f1d99cb640a6fec32ed65d46cdaff860997f68e6722694b5dba3bdac80fa183ce9ed6f0e463b

memory/1516-152-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1516-158-0x0000000000820000-0x0000000000880000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 406769c9db8b62b17526b543e94c5763
SHA1 ff24c924648ce783f1c3cc60f209228ea38a6432
SHA256 dd3ea66e302ef978c44844c151a7352873a25dc5810d31c05f2d6b9238d37323
SHA512 11a110c6e1d6f891914aeeb725a7603710088e61b2cb0a458bea7d8aea0b88be206434b897b4e85ed842af62a07ad1252ad439a7a3585bed10c4e0ac5dcb2055

C:\Windows\ehome\ehsched.exe

MD5 406769c9db8b62b17526b543e94c5763
SHA1 ff24c924648ce783f1c3cc60f209228ea38a6432
SHA256 dd3ea66e302ef978c44844c151a7352873a25dc5810d31c05f2d6b9238d37323
SHA512 11a110c6e1d6f891914aeeb725a7603710088e61b2cb0a458bea7d8aea0b88be206434b897b4e85ed842af62a07ad1252ad439a7a3585bed10c4e0ac5dcb2055

memory/1716-163-0x0000000000830000-0x0000000000890000-memory.dmp

memory/1516-168-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

memory/1516-169-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1516-170-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/1716-171-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 580d079cfc543d52ede34b07f125b5d8
SHA1 eff6975d904ee24a412d7a3d07b70f6f1767227c
SHA256 0fafc91570b020c0144f783df4beed681673025cc658fd4319f9af0aeca490f0
SHA512 03e6a90d9684510b2acb27ce6e0efd4d33d0c5661f0bbedbc2166db7a479f8e5dca803b3f62514249aa420c41ebdf79bfd864f435123b6a73d168c24a2436d04

memory/1472-175-0x0000000000410000-0x0000000000470000-memory.dmp

memory/1472-181-0x0000000000410000-0x0000000000470000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 580d079cfc543d52ede34b07f125b5d8
SHA1 eff6975d904ee24a412d7a3d07b70f6f1767227c
SHA256 0fafc91570b020c0144f783df4beed681673025cc658fd4319f9af0aeca490f0
SHA512 03e6a90d9684510b2acb27ce6e0efd4d33d0c5661f0bbedbc2166db7a479f8e5dca803b3f62514249aa420c41ebdf79bfd864f435123b6a73d168c24a2436d04

memory/1968-184-0x0000000000200000-0x0000000000260000-memory.dmp

memory/1516-194-0x0000000001430000-0x0000000001431000-memory.dmp

memory/1968-196-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1472-195-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1968-199-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

memory/1092-204-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

memory/1092-220-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1456-222-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 b5d1001ecb60f83d58d3acffe40aa039
SHA1 0356332d274b15aee1c733810df64c265236615e
SHA256 e5f21900fb88bdde276b2383151adf12a1c7d3ff359f17b046ea69e7df33d9ba
SHA512 58d098f084a4fc37730a9bb45f9de6d4c189eb6356f85c5e3486970c305283b929d0003ec9b43ae3e83badfd377c04407914090d51cd64ad31c3c0d63b5f9d4f

\Windows\System32\ieetwcollector.exe

MD5 ee6308328d2a186a779bbb1e1e672ad3
SHA1 622f18b8f7391cf531136a08622ab95b6523a5fa
SHA256 0f71956a67c1f0f9938933e9b196219c65fd47e86da236a23038f953c16e691f
SHA512 3c2bc58d376d931f3d6556e00a54c5113d17af9b239d2ba977cac4df814781c2e396dc181a48186222144d1841c3ad23a6c96377f015acec088ff7497cbe5ae1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

C:\Windows\System32\ieetwcollector.exe

MD5 ee6308328d2a186a779bbb1e1e672ad3
SHA1 622f18b8f7391cf531136a08622ab95b6523a5fa
SHA256 0f71956a67c1f0f9938933e9b196219c65fd47e86da236a23038f953c16e691f
SHA512 3c2bc58d376d931f3d6556e00a54c5113d17af9b239d2ba977cac4df814781c2e396dc181a48186222144d1841c3ad23a6c96377f015acec088ff7497cbe5ae1

memory/1544-244-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1980-247-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1456-257-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 5241e5dbcb7a1f40e422266f400d5827
SHA1 27f826a77ad61f37b4115ad9d6a4eb859829bfdf
SHA256 be261c72e4fc9eee71e2e6627a8f8e20af42648b2530026610e00874920f47e1
SHA512 68208c8a4a302aaa5b8901050d59077d4760632bf593af393f255fb2046fd6c3e4885226e5845dca453e4a3e12b1b56a5abb3e0a3e1524fa47344d7af1600d0b

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 ab447b754ff00bf7fa20934068b0c4b9
SHA1 e2fe82cd1837503ab3301fb9bb1df28e112bf87d
SHA256 99176141a4624c1dbb78ccbdd796af17e9875c2b254557f044d3df55e89dcf7c
SHA512 c426eaa77898f3a82bdab6fae6ca3cbdf485b6eecd474c89b74dc382f50565104045a21b5885e947ee3aeb80c13f43198877510ef3703620d5d4b93f66ba2ba5

memory/1604-270-0x000000002E000000-0x000000002FE1E000-memory.dmp

\Windows\System32\msdtc.exe

MD5 eb419f381ebadbcdabb4b117fe84bbb2
SHA1 99b2f01924c27ab52b7e8ffe83552530001495bf
SHA256 86422b0572cbc324b680c9a87bf34c31a844cdce9cd0200d98a61280efb06414
SHA512 d3baf520950584c1dbae8eee7890ad05e886f27c8576bf236f9ec285c55e75d04ab153fffb073c3d017f91d9ce96085e75fd961019a2be6ecb491ac452ef074c

C:\Windows\System32\msdtc.exe

MD5 eb419f381ebadbcdabb4b117fe84bbb2
SHA1 99b2f01924c27ab52b7e8ffe83552530001495bf
SHA256 86422b0572cbc324b680c9a87bf34c31a844cdce9cd0200d98a61280efb06414
SHA512 d3baf520950584c1dbae8eee7890ad05e886f27c8576bf236f9ec285c55e75d04ab153fffb073c3d017f91d9ce96085e75fd961019a2be6ecb491ac452ef074c

memory/1092-282-0x0000000140000000-0x0000000140221000-memory.dmp

memory/1092-294-0x0000000140000000-0x0000000140221000-memory.dmp

\Windows\System32\msiexec.exe

MD5 b172e101cc659182d95cd4e10a028e35
SHA1 72b58bf180bd41efd97755062f657a82a5e054b7
SHA256 00a2f419fc77c5e6f803dc1fba01529894998ebbb9e9bccac70d344f0be17793
SHA512 8da6f033da64551bfd26b617aa4de8daac851ccd66515b5b5db79977170da6b10eaf837ad473fab59ac138a0fc6f87e9e697ec07896595f7c4ea81ffa183d78d

C:\Windows\System32\msiexec.exe

MD5 b172e101cc659182d95cd4e10a028e35
SHA1 72b58bf180bd41efd97755062f657a82a5e054b7
SHA256 00a2f419fc77c5e6f803dc1fba01529894998ebbb9e9bccac70d344f0be17793
SHA512 8da6f033da64551bfd26b617aa4de8daac851ccd66515b5b5db79977170da6b10eaf837ad473fab59ac138a0fc6f87e9e697ec07896595f7c4ea81ffa183d78d

C:\Windows\system32\msiexec.exe

MD5 b172e101cc659182d95cd4e10a028e35
SHA1 72b58bf180bd41efd97755062f657a82a5e054b7
SHA256 00a2f419fc77c5e6f803dc1fba01529894998ebbb9e9bccac70d344f0be17793
SHA512 8da6f033da64551bfd26b617aa4de8daac851ccd66515b5b5db79977170da6b10eaf837ad473fab59ac138a0fc6f87e9e697ec07896595f7c4ea81ffa183d78d

\Windows\System32\msiexec.exe

MD5 b172e101cc659182d95cd4e10a028e35
SHA1 72b58bf180bd41efd97755062f657a82a5e054b7
SHA256 00a2f419fc77c5e6f803dc1fba01529894998ebbb9e9bccac70d344f0be17793
SHA512 8da6f033da64551bfd26b617aa4de8daac851ccd66515b5b5db79977170da6b10eaf837ad473fab59ac138a0fc6f87e9e697ec07896595f7c4ea81ffa183d78d

memory/1504-299-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/464-301-0x0000000000400000-0x0000000000654000-memory.dmp

memory/564-303-0x0000000140000000-0x000000014020D000-memory.dmp

memory/1192-305-0x0000000100000000-0x0000000100209000-memory.dmp

memory/1192-307-0x0000000000540000-0x0000000000749000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 fe0c88c9b6e3a6480f044a5c33735098
SHA1 3cdb809d4a7da3d4fcd7dccdc85f02107b83e3c4
SHA256 147c0d224510e4e2e63da41191470b88e83ae95022fc140604afa2d1cb662272
SHA512 045ffed5174ea0e2964f40f99d8de0de916380667e9b4481fe1507a542f59edaa86c8eff3fb124cdd0a59a0757ec2d2c735e2031ccce4d769d67635443604e8c

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 62ed6ab8f50b206eed66e78999c51860
SHA1 1ce8c36399015e5e481e0c325ec32d4040552686
SHA256 ae39d65cc6e16bde113bb4e67a7684a95753fad495c646de975dc97b65e98743
SHA512 abb291be52d64cb06476540dd46c6eba2c46bfa837e71ee12224df7a5a8cdd165cf72350424e02273a3f7d019b151bda3171f1743d62ab32e777e950af7d953e

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

memory/2056-328-0x000000002E000000-0x000000002E20C000-memory.dmp

memory/2128-333-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1516-339-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 231acfd4958d7b4a6fb9537ff00bfae1
SHA1 cf41fb78e024effabc103e59461653096b33ef57
SHA256 239f00df816ef0f2adc6690ad3f1801317e985ce094837d610849830601f4bd7
SHA512 c01e3c9feb2998a3f3fd45b342fef2ac443882549ab95ab626e2e49881f34910dfb235eddffb0f31139eec1e2cdd41f62444ad42a5418ef8601dae9d5697be41

\Windows\System32\Locator.exe

MD5 57ddbe1176b251af8256678d6cfe6181
SHA1 d96033c617d441dcd760ea3d6f91416449c510a9
SHA256 6a91fc32f7304cbcf33d0e6096a48a39c242be8560c8af86b037deeecf7efbaa
SHA512 fd6a8efb009e8e145dcde161a07252146fe75755120abefc07557bb85620c2443f9dc769645fd0be084ea5eb5a44a272a8edea20a0db6d97e5a2a20bfd9a4cbe

C:\Windows\System32\Locator.exe

MD5 57ddbe1176b251af8256678d6cfe6181
SHA1 d96033c617d441dcd760ea3d6f91416449c510a9
SHA256 6a91fc32f7304cbcf33d0e6096a48a39c242be8560c8af86b037deeecf7efbaa
SHA512 fd6a8efb009e8e145dcde161a07252146fe75755120abefc07557bb85620c2443f9dc769645fd0be084ea5eb5a44a272a8edea20a0db6d97e5a2a20bfd9a4cbe

\Windows\System32\snmptrap.exe

MD5 3d5f9ff32f6bb8c285f3c2ba409b6ad3
SHA1 8b8dda97eb486998f296094dc0d4532bfe1da42e
SHA256 4dd45b5dc14d85fb0b3da094a534411d17837377df6f6df174a05810fb4a0273
SHA512 de2c5d6bbfa039ee7ad24e67a7a96a82ab76c5ec5599fd2edeaecdfe9c899b43fe659fcc4dbd602f94bbea83ba42f034700c249d9d138a9b13c3537d1d8c2488

C:\Windows\System32\snmptrap.exe

MD5 3d5f9ff32f6bb8c285f3c2ba409b6ad3
SHA1 8b8dda97eb486998f296094dc0d4532bfe1da42e
SHA256 4dd45b5dc14d85fb0b3da094a534411d17837377df6f6df174a05810fb4a0273
SHA512 de2c5d6bbfa039ee7ad24e67a7a96a82ab76c5ec5599fd2edeaecdfe9c899b43fe659fcc4dbd602f94bbea83ba42f034700c249d9d138a9b13c3537d1d8c2488

memory/2272-357-0x0000000001000000-0x00000000011ED000-memory.dmp

memory/2304-359-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/2384-361-0x0000000100000000-0x00000001001ED000-memory.dmp

\Windows\System32\vds.exe

MD5 d8a403516ccdf5a0c0bed1a9b12d444b
SHA1 91a40972cc0db742fc37bf75658eba58b6fbfeaa
SHA256 a0483d5bcfa56c8ab3b7de24e186a6e309cd0c2b85af45a08f00c77304b7b3a1
SHA512 fe539126dda70ce7bd0d6fe14b1eadb7cad3f9dfa40bbeb8f70db49632d5aedb313261ab71243ad1c1534de759746bd952c7d9ad3090a690c6c0b9e3a32ad151

C:\Windows\System32\vds.exe

MD5 d8a403516ccdf5a0c0bed1a9b12d444b
SHA1 91a40972cc0db742fc37bf75658eba58b6fbfeaa
SHA256 a0483d5bcfa56c8ab3b7de24e186a6e309cd0c2b85af45a08f00c77304b7b3a1
SHA512 fe539126dda70ce7bd0d6fe14b1eadb7cad3f9dfa40bbeb8f70db49632d5aedb313261ab71243ad1c1534de759746bd952c7d9ad3090a690c6c0b9e3a32ad151

memory/2488-379-0x0000000100000000-0x000000010026B000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 ad3e3317ca9a48b84c30344dd99a7300
SHA1 f8a7a77ccc63d56b560f4c765fc663e0fd48eead
SHA256 2ccec452190fdabd8cd6decff3f3cb0f4c863024b158360b431c49f6be15e195
SHA512 6e6fc26f4d0be7a4e57e527896f8db0ca3e3ab7045379352f5bc3b5da5e408f42e1cd969dc5680ff6c3bd967a05ac68861a2ff2d82e91d30989953bdf07d59aa

\Windows\System32\wbengine.exe

MD5 4e8232124aabf692c615c634475b7c38
SHA1 d66d6b59e2225ff7115c90d278a88af43c03326d
SHA256 31582ff6a1a1a3abd5015d3ade0da8f60d12ce7892959ac36adee801bffff17e
SHA512 774dd11d423a416c2e61f1ff18ba596eff06b18b7dcc716a6f9815202262914eb8a976f18945d7930e9246853747f7de1ee5e1a931c2ea9865917e62ef66f7c6

C:\Windows\System32\wbengine.exe

MD5 4e8232124aabf692c615c634475b7c38
SHA1 d66d6b59e2225ff7115c90d278a88af43c03326d
SHA256 31582ff6a1a1a3abd5015d3ade0da8f60d12ce7892959ac36adee801bffff17e
SHA512 774dd11d423a416c2e61f1ff18ba596eff06b18b7dcc716a6f9815202262914eb8a976f18945d7930e9246853747f7de1ee5e1a931c2ea9865917e62ef66f7c6

memory/2572-400-0x0000000100000000-0x0000000100219000-memory.dmp

memory/2656-401-0x0000000100000000-0x0000000100202000-memory.dmp

\Windows\System32\wbem\WmiApSrv.exe

MD5 b9180432ec5358dac0caa97ac2bf0114
SHA1 bad756e6ce3d763fdfce91a8859bf854bea65255
SHA256 a2c5601fb9b88f46c552594140da7b3036b4549e54451e7ebe78b7abaf26f141
SHA512 be56625083cf51fe1c5c2ce52f4bf11653fd17c80c1fe0815253fa6ce067c8bbb816376729254492633c9eb587fad1b7cc47a9dbb916b7d827181dbd42006ef3

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 b9180432ec5358dac0caa97ac2bf0114
SHA1 bad756e6ce3d763fdfce91a8859bf854bea65255
SHA256 a2c5601fb9b88f46c552594140da7b3036b4549e54451e7ebe78b7abaf26f141
SHA512 be56625083cf51fe1c5c2ce52f4bf11653fd17c80c1fe0815253fa6ce067c8bbb816376729254492633c9eb587fad1b7cc47a9dbb916b7d827181dbd42006ef3

memory/1632-414-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 b9a60a1abd71b89bf371ea8e310d6a8f
SHA1 fdd3cc39c65d3660fa81bb6587ce6c24cbb2b5a4
SHA256 5627b4782b77f565473227f837556aad16744b592cad65619b7a999bc1364061
SHA512 95f8342d0b7135addef193504599d65c93d268546e2d8eb077a30f2dcc4bef1da64d96f083a07eaf59de67f57040909d58598284820180f1c30e23855f15798b

memory/1980-415-0x0000000140000000-0x0000000140205000-memory.dmp

\Program Files\Windows Media Player\wmpnetwk.exe

MD5 b9a60a1abd71b89bf371ea8e310d6a8f
SHA1 fdd3cc39c65d3660fa81bb6587ce6c24cbb2b5a4
SHA256 5627b4782b77f565473227f837556aad16744b592cad65619b7a999bc1364061
SHA512 95f8342d0b7135addef193504599d65c93d268546e2d8eb077a30f2dcc4bef1da64d96f083a07eaf59de67f57040909d58598284820180f1c30e23855f15798b

memory/1604-425-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2736-427-0x0000000100000000-0x000000010021B000-memory.dmp

memory/2840-428-0x0000000100000000-0x000000010020A000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 bc04d25db8776d300f74028f9dcb783f
SHA1 ae5181c92c077c5453966fd54fa62bb7e2535929
SHA256 3b49f554b502770b5ea48cdfe9e7d267777b44a99a2508b35aa4f3b943076add
SHA512 d4d5859d0ea10af4b7b8e7b8d89bd50f476e1a4310a006d4e7f4092df30cf570ea14800e3bcc4cbfc2f981fbf51e6936be3e6c570f9303199062ad0148d94f53

memory/2932-433-0x0000000100000000-0x0000000100123000-memory.dmp

memory/1192-447-0x0000000100000000-0x0000000100209000-memory.dmp

memory/1192-448-0x0000000000540000-0x0000000000749000-memory.dmp

memory/2128-458-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2092-459-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 325ab5080166e5a0ad6b1e16c2c31751
SHA1 68fbbc818912a278dbafd63b6051feb914d52c70
SHA256 d88cfa0139465e76ab84b3054e87f8212fb4238ebe6ead3e2387b3b44ee30457
SHA512 15eade86e82849b2e479334514649bfc1976ab6a69cb25df9e6cbc1523f769d5ef6d440d497d105118426c3c6216e4cb7ad1c41368eaa54b540044a853960f19

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

MD5 80b878b71b411b285250f5d77e03ded8
SHA1 793a99e4843cf613d5b176c34ad2d0e74b2d26ba
SHA256 bf483d543349eacdfdf8988dfd6d08adf9ea017965f9e0d757e783c1bd868d1c
SHA512 25f311fd427092639ecabc1b30da7b51c7fe9c60cfcfda01dda917c0aee48f0ac6cd6879dc8f9e8ec9422666c8c72681a1815961d651d2d272258a8b3c56c17e

memory/2224-513-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1980-539-0x0000000140000000-0x0000000140205000-memory.dmp

memory/2272-541-0x0000000001000000-0x00000000011ED000-memory.dmp

memory/2384-544-0x0000000100000000-0x00000001001ED000-memory.dmp

memory/2488-578-0x0000000100000000-0x000000010026B000-memory.dmp

memory/2572-610-0x0000000100000000-0x0000000100219000-memory.dmp

memory/2656-612-0x0000000100000000-0x0000000100202000-memory.dmp

memory/2736-619-0x0000000100000000-0x000000010021B000-memory.dmp

memory/2840-620-0x0000000100000000-0x000000010020A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-28 23:20

Reported

2023-04-28 23:22

Platform

win10v2004-20230220-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

Signatures

BluStealer

stealer blustealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\367231c4c4600f4c.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2264 set thread context of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 4676 set thread context of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff2c0905397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab3e2d02397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8322503397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052384f04397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002aea4004397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023546a03397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000725cb002397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d855d04397ad901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\system32\SearchProtocolHost.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; the sandbox reports this privilege only by its numeric LUID) N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1916 wrote to memory of 668 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1916 wrote to memory of 668 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1916 wrote to memory of 1044 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1916 wrote to memory of 1044 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
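
The WriteProcessMemory rows above describe two different things: the sample writing into a second copy of itself and then into AppLaunch.exe (the same AppLaunch.exe that later opens the Outlook profile keys), and SearchIndexer.exe writing into the Windows Search children it spawned. The script below, added here as a worked example and not part of the sandbox's output, rebuilds that injection chain from the rows and separates edges attributable to the sample from the rest. The row layout it parses (PID, target PID, indicator, source image, target image) and the list of .NET host binaries it treats as injection targets are this example's own assumptions.

```python
"""Rebuild the process-injection chain from the 'Suspicious use of
WriteProcessMemory' rows above.  Added example for this report, not part of
the sandbox's own output; the row format (PID, target PID, indicator,
source image, target image) is an assumption about this report's layout."""
import re
from collections import Counter

# Constructed input: the 18 rows copied from the WriteProcessMemory table.
ROWS = r"""
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 2264 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Users\Admin\AppData\Local\Temp\TT copy.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\TT copy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1916 wrote to memory of 668 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1916 wrote to memory of 668 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1916 wrote to memory of 1044 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1916 wrote to memory of 1044 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
"""

# Lazy first path group stops at the first ".exe " so paths with spaces work.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+\.exe)$",
                    re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_rows(text):
    """Count writes per (src_pid, dst_pid, src_image, dst_image) edge."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_path, dst_path = m.groups()
            edges[(int(src), int(dst), basename(src_path), basename(dst_path))] += 1
    return edges

def build_graph(edges):
    """Adjacency list pid -> [target pids] plus pid -> image name."""
    children, images = {}, {}
    for src, dst, src_img, dst_img in edges:
        images[src], images[dst] = src_img, dst_img
        targets = children.setdefault(src, [])
        if dst not in targets:
            targets.append(dst)
    return children, images

def injection_chain(children, images, root):
    """Every process whose memory was (transitively) written from root."""
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, images[pid]))
        stack.extend(reversed(children.get(pid, [])))
    return chain

def attribute(edges, root):
    """Split edges into those reachable from the sample's PID and the rest."""
    reachable = {pid for pid, _ in injection_chain(*build_graph(edges), root)}
    sample = {e: n for e, n in edges.items() if e[0] in reachable}
    other = {e: n for e, n in edges.items() if e[0] not in reachable}
    return sample, other

# .NET host binaries commonly abused as injection targets (assumed list).
DOTNET_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

def describe(edge, count):
    src, dst, src_img, dst_img = edge
    if src_img.lower() == dst_img.lower():
        why = "writes into a second instance of its own image (hollowing-style)"
    elif dst_img.lower() in DOTNET_HOSTS:
        why = f"injects into the signed .NET host {dst_img}"
    else:
        why = "parent writing into a child it spawned; normal for Windows Search"
    return f"{src_img}[{src}] -> {dst_img}[{dst}] x{count}: {why}"

if __name__ == "__main__":
    edges = parse_rows(ROWS)
    sample, other = attribute(edges, root=2264)
    print("Attributed to the sample:")
    for e, n in sample.items():
        print("  " + describe(e, n))
    print("Not attributed to the sample:")
    for e, n in other.items():
        print("  " + describe(e, n))
```

Run as-is, the script prints the chain TT copy.exe[2264] -> TT copy.exe[4676] -> AppLaunch.exe[5000] under "Attributed to the sample" and the two SearchIndexer.exe edges under "Not attributed", which is the split an analyst needs before reading the rest of the signature tables: anything the report blames on AppLaunch.exe (the Outlook profile reads below) belongs to the sample, while the SearchIndexer/SearchProtocolHost/SearchFilterHost rows are Windows Search doing its job.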

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\TT copy.exe

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

C:\Users\Admin\AppData\Local\Temp\TT copy.exe

"C:\Users\Admin\AppData\Local\Temp\TT copy.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 20.42.65.85:443 tcp
US 52.152.108.96:443 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 206.191.152.58:80 cvgrf.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 zlenh.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 15.189.231.173.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 173.231.184.124:80 saytjshyf.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 8.8.8.8:53 vcddkls.biz udp
US 173.231.184.124:80 saytjshyf.biz tcp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
US 8.8.8.8:53 10.126.251.63.in-addr.arpa udp
US 8.8.8.8:53 124.184.231.173.in-addr.arpa udp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
NL 167.99.35.88:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 63.251.235.76:80 tbjrpv.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 deoci.biz udp
NL 167.99.35.88:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
N/A 199.21.76.77:80 tcp
NL 63.251.235.76:80 tcp
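
The Network table mixes four kinds of traffic: DNS queries to the resolver, reverse (in-addr.arpa) lookups, HTTP connections to a cluster of short .biz domains resolving to a handful of hosts, and HTTPS to api.telegram.org. The script below, added here as a worked example and not part of the sandbox's output, parses a subset of those rows into an indicator summary: resolved hosts with their IP:port pairs, a lexical flag for DGA-looking registrable labels, the known exfiltration service, and TCP destinations the report lists without a domain. The row layout it parses, the vowel-ratio/consonant-run heuristic and the exfil-service table are this example's own assumptions; the association of BluStealer with the Telegram Bot API is documented behaviour of the family, but the table is kept as an analyst-maintained list.

```python
"""Pull indicators out of the 'Network' table above and separate sandbox
noise (resolver traffic, reverse lookups) from hosts the detonation actually
talked to.  Added example for this report, not part of the sandbox's output;
the row layout (country, ip:port, optional domain, proto), the DGA heuristic
and the exfil-service list are this example's own assumptions."""
from collections import defaultdict

# Constructed input: a subset of the rows from the Network table.
NETWORK_ROWS = """
US 93.184.221.240:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 63.251.106.25:80 npukfztj.biz tcp
NL 167.99.35.88:80 przvgke.biz tcp
SG 72.5.161.12:80 knjghuig.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 173.231.189.15:80 xlfhhhm.biz tcp
SG 63.251.126.10:80 ifsaia.biz tcp
N/A 199.21.76.77:80 tcp
"""

# Services a stealer is known to use as an exfiltration channel.  BluStealer
# reports stolen data through the Telegram Bot API (documented behaviour of
# the family); keep this as an analyst-maintained list, not a fact the
# sandbox report itself states.
KNOWN_EXFIL = {"api.telegram.org": "Telegram Bot API"}
VOWELS = set("aeiou")

def parse_network(text):
    """Return one dict per row: country, ip, port, domain (or None), proto."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, port = parts[1].rsplit(":", 1)
        records.append({"country": parts[0], "ip": ip, "port": int(port),
                        "domain": parts[2] if len(parts) == 4 else None,
                        "proto": parts[-1]})
    return records

def resolved_hosts(records):
    """domain -> {(ip, port)} for real connections; drops DNS and PTR noise."""
    hosts = defaultdict(set)
    for r in records:
        if r["domain"] and r["port"] != 53 and not r["domain"].endswith(".in-addr.arpa"):
            hosts[r["domain"]].add((r["ip"], r["port"]))
    return dict(hosts)

def is_dga_like(domain, min_vowel_ratio=0.25, max_consonant_run=3):
    """Cheap lexical check on the registrable label: few vowels or a long
    consonant run.  A heuristic, not a classifier; it misses e.g. ifsaia.biz."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < min_vowel_ratio or longest > max_consonant_run

def summarize(records):
    """Indicator summary an analyst can paste into a blocklist or hunt query."""
    hosts = resolved_hosts(records)
    return {
        "resolved_hosts": {d: sorted(f"{ip}:{p}" for ip, p in v) for d, v in hosts.items()},
        "dga_like": sorted(d for d in hosts if is_dga_like(d)),
        "exfil_channels": {d: KNOWN_EXFIL[d] for d in hosts if d in KNOWN_EXFIL},
        "unresolved_ips": sorted({r["ip"] for r in records
                                  if r["proto"] == "tcp" and not r["domain"]}),
        "reverse_lookups": sum(1 for r in records
                               if r["domain"] and r["domain"].endswith(".in-addr.arpa")),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_network(NETWORK_ROWS)), indent=2))
```

Two caveats when using the output: the .biz cluster shares a few IPs across many names (103.224.182.251, 82.112.184.197, 72.5.161.12 in the full table), so blocking by IP catches more than blocking by name, and the ww25.* hostnames hit the same 199.59.243.223 regardless of parent domain, which is the pattern of a redirect host rather than a C2 endpoint. The lexical heuristic is deliberately loose; the domain list itself is the indicator, the score only helps triage the table.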

Files

memory/2264-133-0x0000000000870000-0x0000000000A1C000-memory.dmp

memory/2264-134-0x0000000005A70000-0x0000000006014000-memory.dmp

memory/2264-135-0x00000000053C0000-0x0000000005452000-memory.dmp

memory/2264-136-0x0000000005570000-0x0000000005580000-memory.dmp

memory/2264-137-0x00000000059D0000-0x00000000059DA000-memory.dmp

memory/2264-138-0x0000000005570000-0x0000000005580000-memory.dmp

memory/2264-139-0x0000000007940000-0x00000000079DC000-memory.dmp

memory/4676-140-0x0000000000400000-0x0000000000654000-memory.dmp

memory/4676-143-0x0000000000400000-0x0000000000654000-memory.dmp

memory/4676-144-0x0000000002A40000-0x0000000002AA6000-memory.dmp

memory/4676-149-0x0000000002A40000-0x0000000002AA6000-memory.dmp

memory/4676-154-0x0000000000400000-0x0000000000654000-memory.dmp

C:\Windows\System32\alg.exe

MD5 3e5ddb574a2bb10de50c5857e046e831
SHA1 4c156cf2fbc49f8518edcbe186ca33f52bb50451
SHA256 5bcc67c55f599cd761a12c332c07526541b77b11b904cc1c87002a78f3089858
SHA512 a1016940d277c4f7a18a58031523b2d54d2924703e193ecfe0b912588e1dc0ee761421f24a15d229ff6037c0320a047d081e27f42c70ea923daa4fdd3410414d

memory/448-157-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/448-163-0x0000000000690000-0x00000000006F0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 07cbfdbe448bfe12dc0bd5c736dca5a2
SHA1 2480878c080d686a689c3b48a575d781d11fafbc
SHA256 cf3a953de9fb8059e87d50bc4a859f4305220c6103c2a6ed4ad94a65ec495027
SHA512 54bb4b0cb64b27ff6d6c67b1302a1f496675d87a9f4c1f12cb88096745a01faa0a20fcd85cd3db6be70f8cbaba412d536e324329aa5b16dcbe03ba6e7f429c92

memory/4224-169-0x0000000000650000-0x00000000006B0000-memory.dmp

memory/448-171-0x0000000140000000-0x0000000140201000-memory.dmp

memory/4224-173-0x0000000140000000-0x0000000140200000-memory.dmp

memory/4224-177-0x0000000000650000-0x00000000006B0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d19dd9db78498a8db00230cb4d0ae751
SHA1 d21226e54da723436f4abb98a5d972fdae7896e5
SHA256 f2765dce30754a17c61942aba9e67be45b94ae2074c2992966db1b263c5098c1
SHA512 385eb70da1ebbd967dacda1f171a4b14b09ab78ce84e3f612412938f0ae09748b49c01d85045a54dd5f98f018c099053e7c754100b7d1066b8f189d7633d9340

memory/3368-181-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3368-183-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3368-188-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3368-191-0x00000000004F0000-0x0000000000550000-memory.dmp

memory/3368-193-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 ffe944aad72a56b8cd8ff41ada00874f
SHA1 b528cadc496091d01e28163e66a318c87bbae157
SHA256 339dd8b4d5bb5ba9ee5e886a9ed5ef9c78d1bdb92496ede4576c7c54faf9521a
SHA512 52b32ba8ac979a6452f33ec7f6771bb9531b626a0a2fd2c5bd89bf62ef9455ed7a262726d7db22266b1eeb0bca48398391a5946a54d6b527efae2812067aa370

memory/2700-195-0x0000000000C30000-0x0000000000C90000-memory.dmp

memory/2700-201-0x0000000000C30000-0x0000000000C90000-memory.dmp

memory/2700-203-0x0000000140000000-0x0000000140237000-memory.dmp

memory/5000-204-0x0000000000D70000-0x0000000000DD6000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 77f40ca9eefa6b4bee1148b105b86069
SHA1 006530f253d1d71d46085a7613d588034b6be4ed
SHA256 2e897f320fd05b2c1c05f5f8ca650d0362b4f7325460595b2f4a8abb46e26ef5
SHA512 b2fd7c5e26a0efdcae181177394f108db83f2f400727628198518f9ac60de7840d52db516f32e5ca8fc1403741e4c5bf532cd0f120ebe5d1c317c53761a5a830

memory/812-207-0x0000000000190000-0x00000000001F0000-memory.dmp
