Malware Analysis Report

2025-01-03 07:39

Sample ID 230501-yw2hnaab5v
Target RFQ 21032023.exe.bin
SHA256 295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186
Tags
blustealer collection stealer spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

295ebe6ba820bb813c6e9dd5526bf194a8da0268085ba0fc805f19c1ae3c6186

Threat Level: Known bad

The file RFQ 21032023.exe.bin was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer spyware

BluStealer

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

outlook_office_path

Script User-Agent

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 20:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 20:08

Reported

2023-05-01 20:13

Platform

win7-20230220-en

Max time kernel

151s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

Signatures

BluStealer

stealer blustealer

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\da70c8eb328eb3a2.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1320 set thread context of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 696 set thread context of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BC5252EE-6CDE-4E1B-8F27-8AB838B09474}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{BC5252EE-6CDE-4E1B-8F27-8AB838B09474}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" | C:\Windows\ehome\ehRec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogInitialPageCount = "16" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" | C:\Windows\ehome\ehRec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" | C:\Windows\ehome\ehRec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\ehome\ehRec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheHashTableSize = "67" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" | C:\Windows\ehome\ehRec.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32" | C:\Windows\ehome\ehRec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheLongPageCount = "32" | C:\Windows\ehome\ehRec.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\ehome\ehRec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: 33 | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\ehome\ehRec.exe | N/A
Token: 33 | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\eHome\EhTray.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 1320 wrote to memory of 696 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 696 wrote to memory of 1004 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1000 wrote to memory of 1776 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1000 wrote to memory of 1776 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1000 wrote to memory of 1776 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1000 wrote to memory of 2148 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1000 wrote to memory of 2148 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
PID 1000 wrote to memory of 2148 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 15c -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 1f0 -NGENProcess 1d0 -Pipe 1ec -Comment "NGen Worker Process"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp

Files

memory/1320-54-0x0000000000D20000-0x0000000000E9A000-memory.dmp

memory/1320-55-0x0000000000390000-0x00000000003A4000-memory.dmp

memory/1320-56-0x0000000005270000-0x00000000052B0000-memory.dmp

memory/1320-57-0x00000000003B0000-0x00000000003BC000-memory.dmp

memory/1320-58-0x0000000005770000-0x00000000058A8000-memory.dmp

memory/1320-59-0x0000000007C60000-0x0000000007E10000-memory.dmp

memory/696-60-0x0000000000400000-0x0000000000654000-memory.dmp

memory/696-61-0x0000000000400000-0x0000000000654000-memory.dmp

memory/696-62-0x0000000000400000-0x0000000000654000-memory.dmp

memory/696-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/696-65-0x0000000000400000-0x0000000000654000-memory.dmp

memory/696-67-0x0000000000400000-0x0000000000654000-memory.dmp

memory/696-68-0x00000000001D0000-0x0000000000236000-memory.dmp

memory/696-73-0x00000000001D0000-0x0000000000236000-memory.dmp

\Windows\System32\alg.exe

MD5 d03b506ecb44c0113559f2fd91470ce3
SHA1 b4804420ca45f963648788265da0d89666d5e156
SHA256 4e755ebba0f30192cff6d6c716d70260ac8eeb4025ce11609cae77c742c58c8c
SHA512 6e48182663717497a932575ad2b2ae7fe5d65dcedf5e7613f5c6dc95936bf79531871d1c7e17e8ce97f7b0ba15e89111df0d41bf749841c9210d67721e017a58

C:\Windows\System32\alg.exe

MD5 d03b506ecb44c0113559f2fd91470ce3
SHA1 b4804420ca45f963648788265da0d89666d5e156
SHA256 4e755ebba0f30192cff6d6c716d70260ac8eeb4025ce11609cae77c742c58c8c
SHA512 6e48182663717497a932575ad2b2ae7fe5d65dcedf5e7613f5c6dc95936bf79531871d1c7e17e8ce97f7b0ba15e89111df0d41bf749841c9210d67721e017a58

memory/1928-81-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/1928-87-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/696-91-0x0000000000400000-0x0000000000654000-memory.dmp

memory/1928-92-0x0000000100000000-0x00000001001FB000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 815784eca2bdcd774b48158e58a70400
SHA1 57826043f04d4c67bb812c81536b327b3041218f
SHA256 3a04f47738cc45f5889d11c64697fec3d4fcfd90428ade2ba99d380362b56189
SHA512 312fd0bc3855cebe4f2d33c4f3cd5e1809458d6724e96355feee55bc83cb913ec6700e4fe87c8090046450e6ce90c35fa49faf16518b66b03cf62f2ab5e55528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 815784eca2bdcd774b48158e58a70400
SHA1 57826043f04d4c67bb812c81536b327b3041218f
SHA256 3a04f47738cc45f5889d11c64697fec3d4fcfd90428ade2ba99d380362b56189
SHA512 312fd0bc3855cebe4f2d33c4f3cd5e1809458d6724e96355feee55bc83cb913ec6700e4fe87c8090046450e6ce90c35fa49faf16518b66b03cf62f2ab5e55528

memory/1628-96-0x0000000140000000-0x00000001401F4000-memory.dmp

memory/1004-97-0x0000000000260000-0x00000000002C6000-memory.dmp

memory/1004-98-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1004-99-0x0000000000260000-0x00000000002C6000-memory.dmp

memory/1004-101-0x0000000000260000-0x00000000002C6000-memory.dmp

memory/1004-103-0x0000000000260000-0x00000000002C6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 a79d9ba1ee781fcdfd43a3da37c7a844
SHA1 75361c21ee9b6a4e04d91628d97eef244949031a
SHA256 9ebbe3421d14e3696efd2c02637150ffe515086437a1584df581b611277930a4
SHA512 35b543ad55e3c31c1cb825f07b65a2a131c0bd3a65d8bd3639ed087ae045b00e2961a6d54cf1c300ece0bd5a805424994191251d911fa3b01daf3c85851e734e

memory/1004-105-0x00000000007F0000-0x00000000008AC000-memory.dmp

memory/896-108-0x0000000010000000-0x00000000101F6000-memory.dmp

memory/696-109-0x0000000000400000-0x0000000000654000-memory.dmp

memory/1928-110-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/1628-113-0x0000000140000000-0x00000001401F4000-memory.dmp

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 2914e8ab528b865da3a9b14792537844
SHA1 f4a9e65c34b45c25d6618465577037299e206f0c
SHA256 35e58e151b5d196aaa95fdca9ac753da4a24e3ddca6564108f6ff229dde4c0fb
SHA512 bec09d221eba2925724c7e993ac62a2bf089e164d90267e4a85ad4790f514a0c7a8a2ab2526317ffec822d5ea46080f2f265f92510f6a8c816e7f3b47abd23e6

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 2914e8ab528b865da3a9b14792537844
SHA1 f4a9e65c34b45c25d6618465577037299e206f0c
SHA256 35e58e151b5d196aaa95fdca9ac753da4a24e3ddca6564108f6ff229dde4c0fb
SHA512 bec09d221eba2925724c7e993ac62a2bf089e164d90267e4a85ad4790f514a0c7a8a2ab2526317ffec822d5ea46080f2f265f92510f6a8c816e7f3b47abd23e6

memory/1496-116-0x0000000010000000-0x00000000101FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 a79d9ba1ee781fcdfd43a3da37c7a844
SHA1 75361c21ee9b6a4e04d91628d97eef244949031a
SHA256 9ebbe3421d14e3696efd2c02637150ffe515086437a1584df581b611277930a4
SHA512 35b543ad55e3c31c1cb825f07b65a2a131c0bd3a65d8bd3639ed087ae045b00e2961a6d54cf1c300ece0bd5a805424994191251d911fa3b01daf3c85851e734e

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 bf3142733d824fbb2cdebc34dea4abbe
SHA1 a0a7b95005e00f08cd3e836306b475ff409739ce
SHA256 eab7c1ba0cf204c40544db99d55185817c34cb20cd11fb17bf2d6e2b89073b2a
SHA512 f4d95e2fa7463b1f291d9b39ac90b1c65b5b71bac94ada4bcd3c6352415a518fd4e98ce95a10995cf6e2756932246bcccfc7f0222d618a626d547c82530779e1

memory/528-124-0x0000000000850000-0x00000000008B6000-memory.dmp

memory/528-129-0x0000000000850000-0x00000000008B6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 8dd67a11080b13d0d0a4a4e9d25b34ed
SHA1 196ab250612275376f33aa3790714ac1e09955c5
SHA256 cca99e331ab920e373b7cf8682fdf57f05ec951ca40f38c706ab91f7a7928f66
SHA512 43ee82e7b3e7ac27e1a69484fc71e3c8c56eb2276ab91c6f74fbf312e0f9493e36c61083abe74b211cfc564bbb9dca3be7b087f115a958f59c10aba8f3b03f59

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 2914e8ab528b865da3a9b14792537844
SHA1 f4a9e65c34b45c25d6618465577037299e206f0c
SHA256 35e58e151b5d196aaa95fdca9ac753da4a24e3ddca6564108f6ff229dde4c0fb
SHA512 bec09d221eba2925724c7e993ac62a2bf089e164d90267e4a85ad4790f514a0c7a8a2ab2526317ffec822d5ea46080f2f265f92510f6a8c816e7f3b47abd23e6

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 4d969924ec379fc1ef3c846031017009
SHA1 4e18b7c780d2414b71a7e8e510017aab38bcd019
SHA256 e6e29070ebb567b5c57e1600e217d58f452b4c42da193cbdab56276dac89c0d3
SHA512 b3ea13b8d3d1715b2649a547dc762345f67251ed94d4b2d4b016d117a70e19465dd5608b31456dd0dbd5f0fb8c9f8ce00ed5879008d3f01587e4a7a39c507055

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 0a30780bc8b703384ba646c8f04879c9
SHA1 c7223f470cd93ad8a22c9d3bf4ef3de569752334
SHA256 2ea868b06a36b2cee5ff62fb22842b78f3948ddf12e1f03c2ea52b3b4306ba5a
SHA512 fa743fe5650f18102beb60085fc415082cb182ba6b0cfc097f8596aaa56567308447468b6327836c615292e6486d6ee0986e914f2c29897cb19834ebb225e06c

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 bf3142733d824fbb2cdebc34dea4abbe
SHA1 a0a7b95005e00f08cd3e836306b475ff409739ce
SHA256 eab7c1ba0cf204c40544db99d55185817c34cb20cd11fb17bf2d6e2b89073b2a
SHA512 f4d95e2fa7463b1f291d9b39ac90b1c65b5b71bac94ada4bcd3c6352415a518fd4e98ce95a10995cf6e2756932246bcccfc7f0222d618a626d547c82530779e1

memory/1000-142-0x0000000140000000-0x0000000140205000-memory.dmp

memory/528-143-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\System32\dllhost.exe

MD5 66674d6336e382806c717216e9d9bde1
SHA1 27bd97b574f00073eba0caefe6211208e39fa164
SHA256 bc916c9de3897079d6933eaf3905f5a40c34c5bf1918dba0164272942b04e6aa
SHA512 7a0d9d2c179dc44c39e72c6f9563d5d078618f577d68ca9e57994c0098145b79d3d581b51c3992fec3c523dddd1f503a3701b6865c437fd003afdd190b49a034

\Windows\System32\dllhost.exe

MD5 66674d6336e382806c717216e9d9bde1
SHA1 27bd97b574f00073eba0caefe6211208e39fa164
SHA256 bc916c9de3897079d6933eaf3905f5a40c34c5bf1918dba0164272942b04e6aa
SHA512 7a0d9d2c179dc44c39e72c6f9563d5d078618f577d68ca9e57994c0098145b79d3d581b51c3992fec3c523dddd1f503a3701b6865c437fd003afdd190b49a034

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 0a30780bc8b703384ba646c8f04879c9
SHA1 c7223f470cd93ad8a22c9d3bf4ef3de569752334
SHA256 2ea868b06a36b2cee5ff62fb22842b78f3948ddf12e1f03c2ea52b3b4306ba5a
SHA512 fa743fe5650f18102beb60085fc415082cb182ba6b0cfc097f8596aaa56567308447468b6327836c615292e6486d6ee0986e914f2c29897cb19834ebb225e06c

\Windows\ehome\ehrecvr.exe

MD5 c452637fcdaee0ec9d5dca1f4639bec5
SHA1 fe7ac08ebe94405147aa4ea0080fdf2f588c378a
SHA256 f614c9108c26728bbc095ff845ca5789e7b0e7ebf17591cdf5eae32ff6cca3a6
SHA512 ef563de33f4db8ee7a32fc021593e1e576ecff05fe0e42b41ced1968512f005a67d51204414eb9fdbf7f93f3773ec6bcb577c35ce3b0d3cfc5fbabbca69ced6c

C:\Windows\ehome\ehrecvr.exe

MD5 c452637fcdaee0ec9d5dca1f4639bec5
SHA1 fe7ac08ebe94405147aa4ea0080fdf2f588c378a
SHA256 f614c9108c26728bbc095ff845ca5789e7b0e7ebf17591cdf5eae32ff6cca3a6
SHA512 ef563de33f4db8ee7a32fc021593e1e576ecff05fe0e42b41ced1968512f005a67d51204414eb9fdbf7f93f3773ec6bcb577c35ce3b0d3cfc5fbabbca69ced6c

memory/1204-153-0x0000000000180000-0x00000000001E0000-memory.dmp

memory/1204-159-0x0000000000180000-0x00000000001E0000-memory.dmp

memory/1680-161-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/1204-163-0x0000000140000000-0x000000014013C000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 e381806783198578b5fc990394e968fe
SHA1 dac8e2f251845f6a6159d3358a270acb482d1faf
SHA256 ff478a44f3e815d85fe46b0e048c04f39b67c2f6ee5c6bbd22c08c3f608ffa3c
SHA512 5e2ebc3f52faba8d818f26d28b572ecc8456d6bb3b6f81e5a9583db054107d40c471eb53dc944828061b3c7fc7ce6ebe19aea5b7f5ead260ebad0610b14ad8d2

C:\Windows\ehome\ehsched.exe

MD5 e381806783198578b5fc990394e968fe
SHA1 dac8e2f251845f6a6159d3358a270acb482d1faf
SHA256 ff478a44f3e815d85fe46b0e048c04f39b67c2f6ee5c6bbd22c08c3f608ffa3c
SHA512 5e2ebc3f52faba8d818f26d28b572ecc8456d6bb3b6f81e5a9583db054107d40c471eb53dc944828061b3c7fc7ce6ebe19aea5b7f5ead260ebad0610b14ad8d2

memory/1796-166-0x0000000000870000-0x00000000008D0000-memory.dmp

memory/1796-172-0x0000000000870000-0x00000000008D0000-memory.dmp

memory/1204-175-0x0000000001380000-0x0000000001390000-memory.dmp

memory/1204-176-0x0000000001390000-0x00000000013A0000-memory.dmp

memory/1796-177-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 51726df60b79d36d4b21c9b9dbe7ffc8
SHA1 41b32658e39d7b21f82ef6453bfc835edbdabb3b
SHA256 61186e175bbe9c62fd226c4c8f54b91df69b597168a98943c2399f64ba46e88e
SHA512 590f266c00eeeedbd9c23ac10758e3cbc39126a9c70e17fcfe5d5884fbec69ac9503c6bdacbe9714194c9fff5ed1528d1a6d23fb1ddb925aef07900500466429

memory/336-180-0x0000000000420000-0x0000000000480000-memory.dmp

memory/336-186-0x0000000000420000-0x0000000000480000-memory.dmp

memory/1204-189-0x0000000001430000-0x0000000001431000-memory.dmp

memory/336-190-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1312-191-0x0000000000CB0000-0x0000000000D30000-memory.dmp

memory/1204-192-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1796-193-0x0000000140000000-0x0000000140209000-memory.dmp

\Windows\System32\ieetwcollector.exe

MD5 016d83127c4113bf5811ef5c042f31ae
SHA1 c0e83f41b68ccefb196907276e3bc772c30e01e7
SHA256 94c5d14d34572bbee36dfc2813d94ea6c26e341a3eec24ad7fafdb0ec6f91fdd
SHA512 0c4cea620331cbbd2a4c63715b24413c9aea86ea12123fdb66b799fb14dd1c02aa6dd48359fb5caa5e8029bb16e99791ec725c5343300332d6012807246aefb9

C:\Windows\System32\ieetwcollector.exe

MD5 016d83127c4113bf5811ef5c042f31ae
SHA1 c0e83f41b68ccefb196907276e3bc772c30e01e7
SHA256 94c5d14d34572bbee36dfc2813d94ea6c26e341a3eec24ad7fafdb0ec6f91fdd
SHA512 0c4cea620331cbbd2a4c63715b24413c9aea86ea12123fdb66b799fb14dd1c02aa6dd48359fb5caa5e8029bb16e99791ec725c5343300332d6012807246aefb9

memory/1252-207-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 0a30780bc8b703384ba646c8f04879c9
SHA1 c7223f470cd93ad8a22c9d3bf4ef3de569752334
SHA256 2ea868b06a36b2cee5ff62fb22842b78f3948ddf12e1f03c2ea52b3b4306ba5a
SHA512 fa743fe5650f18102beb60085fc415082cb182ba6b0cfc097f8596aaa56567308447468b6327836c615292e6486d6ee0986e914f2c29897cb19834ebb225e06c

memory/1776-210-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 4e6af5e37810baa93b3d8ddad0a34140
SHA1 d1f9070385fd1d1a2c0374b4f72ba290682b946c
SHA256 3d63ecece6cfc768b8284f5aac56d95f37126661de303960b65311256c00508a
SHA512 c10fdc2c59df16449543584206372d3d4a449da7000462af9c27e947407cfb91c25294ea6e6b790360e2e1d8b19e9728c03c87f7cdb0061dada9f096be6634f1

memory/2056-227-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/1312-228-0x0000000000CB0000-0x0000000000D30000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 0a30780bc8b703384ba646c8f04879c9
SHA1 c7223f470cd93ad8a22c9d3bf4ef3de569752334
SHA256 2ea868b06a36b2cee5ff62fb22842b78f3948ddf12e1f03c2ea52b3b4306ba5a
SHA512 fa743fe5650f18102beb60085fc415082cb182ba6b0cfc097f8596aaa56567308447468b6327836c615292e6486d6ee0986e914f2c29897cb19834ebb225e06c

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 52273bf6940e88289195e848f7612d74
SHA1 72688c86f88687aeae007c96f0d6b1d92315c892
SHA256 94c59e966908f4ea587b3d0135bbc44f6a411371f2b696b4a6a969429248e651
SHA512 1e10a213af7fe4e73db401f9a24139141a7c6e1e6c67ced24fb785a27f69b7d1b7ba6eb1562c1c76f8d8d46007c73214751bc7d842ac6b1c6dd0a061c02ae8fc

memory/2140-251-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 98a8c2b38c897b5d0e82ab191266c7b2
SHA1 bd57e36634790465b17f5893dce2b0cfee646671
SHA256 d0090ced93fb77802f942f0f353c3b2f346662e603df1274a73881362f4c1185
SHA512 a49f38c9413a68b38d94fce2d6c15f1244f72c8ba37b39dfadcb2ee188b2c9ddc72e5ae7578f16e7ffdf05fbaf81df0b982909d0ebcf780b3bf16ee368c05f8b

\Windows\System32\msdtc.exe

MD5 98a8c2b38c897b5d0e82ab191266c7b2
SHA1 bd57e36634790465b17f5893dce2b0cfee646671
SHA256 d0090ced93fb77802f942f0f353c3b2f346662e603df1274a73881362f4c1185
SHA512 a49f38c9413a68b38d94fce2d6c15f1244f72c8ba37b39dfadcb2ee188b2c9ddc72e5ae7578f16e7ffdf05fbaf81df0b982909d0ebcf780b3bf16ee368c05f8b

memory/1776-254-0x0000000140000000-0x0000000140205000-memory.dmp

memory/2148-258-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1776-259-0x0000000140000000-0x0000000140205000-memory.dmp

memory/2348-260-0x0000000140000000-0x000000014020D000-memory.dmp

memory/2148-274-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1312-277-0x0000000000CB0000-0x0000000000D30000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478
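The Files listing above is the raw material an analyst turns into indicators: the same binary is often recorded twice (once with and once without the drive letter), several service executables carry fresh hashes, and the memory dumps are named by PID, sequence number and address range. The Python below is an added example, not part of the report or of the sandbox vendor's tooling. It parses a listing in exactly this layout into structured records, checks that every digest has the right number of hex digits for its algorithm, deduplicates dropped files by SHA256 across path spellings, and sizes each dump region. Two assumptions are this example's own: the layout described (path line, blank line, one "ALGO hexdigest" line per algorithm, memory dumps as single lines), and the heuristic that a dump region starting at 0x140000000 or 0x180000000 is a mapped x64 PE image, since those are the MSVC linker's default image bases for EXEs and DLLs. The sample listing embedded in the block is constructed from a few entries copied from the page.

```python
"""Turn a sandbox Files listing (dropped files with hashes, memory-dump names) into IOCs.

Added example, not part of the report. It assumes the layout visible on this page: a
path line, a blank line, then one "ALGO hexdigest" line per algorithm; memory dumps are
single lines named memory/<pid>-<seq>-<start>-<end>-memory.dmp and carry no hashes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hex-digit lengths per algorithm; a mismatch means a truncated or mistyped hash.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Heuristic (this example's assumption): the MSVC linker's default x64 image bases.
# A dump starting here is usually a mapped PE image, not a heap/stack/shellcode region.
KNOWN_IMAGE_BASES = {0x140000000: "x64 EXE default base", 0x180000000: "x64 DLL default base"}

MEMORY_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                       r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9A-Fa-f]+)$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict   # algorithm -> lowercase hex digest
    errors: list   # malformed hash lines seen for this entry


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text):
    """Walk the listing top to bottom; a hash line attaches to the most recent path."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEMORY_RE.match(line):
            regions.append(MemoryRegion(int(m["pid"]), int(m["seq"]),
                                        int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        if (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m["algo"], m["hex"].lower()
            if len(digest) != HASH_LENGTHS[algo]:
                current.errors.append(f"{algo}: {len(digest)} hex digits")
            else:
                current.hashes[algo] = digest
            continue
        # Anything else starts a new entry; drive-letter and drive-less forms both occur.
        current = DroppedFile(path=line, hashes={}, errors=[])
        files.append(current)
    return files, regions


def normalize_path(path: str) -> str:
    """Drop the drive letter and case so C:\\Windows\\x and \\Windows\\x compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def group_by_sha256(files):
    """SHA256 -> the raw and normalized paths that digest was written under."""
    groups = defaultdict(lambda: {"paths": set(), "normalized": set()})
    for f in files:
        if sha := f.hashes.get("SHA256"):
            groups[sha]["paths"].add(f.path)
            groups[sha]["normalized"].add(normalize_path(f.path))
    return dict(groups)


def image_base_regions(regions):
    """Dumps whose start address is a well-known image base, paired with the label."""
    return [(r, KNOWN_IMAGE_BASES[r.start]) for r in regions if r.start in KNOWN_IMAGE_BASES]


# Constructed sample: a few entries copied from the listing above, in its exact layout.
SAMPLE_LISTING = r"""
C:\Windows\System32\dllhost.exe

MD5 66674d6336e382806c717216e9d9bde1
SHA1 27bd97b574f00073eba0caefe6211208e39fa164
SHA256 bc916c9de3897079d6933eaf3905f5a40c34c5bf1918dba0164272942b04e6aa
SHA512 7a0d9d2c179dc44c39e72c6f9563d5d078618f577d68ca9e57994c0098145b79d3d581b51c3992fec3c523dddd1f503a3701b6865c437fd003afdd190b49a034

\Windows\System32\dllhost.exe

MD5 66674d6336e382806c717216e9d9bde1
SHA256 bc916c9de3897079d6933eaf3905f5a40c34c5bf1918dba0164272942b04e6aa

memory/1204-153-0x0000000000180000-0x00000000001E0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 e381806783198578b5fc990394e968fe
SHA256 ff478a44f3e815d85fe46b0e048c04f39b67c2f6ee5c6bbd22c08c3f608ffa3c

memory/1796-177-0x0000000140000000-0x0000000140209000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for sha, g in group_by_sha256(files).items():
        print(sha, sorted(g["paths"]))
    for r, label in image_base_regions(regions):
        print(f"pid {r.pid} seq {r.seq} {r.start:#x}-{r.end:#x} size {r.size:#x}: {label}")
```

Feeding the full listing through `group_by_sha256` collapses the paired entries into one indicator per digest while keeping every path spelling for host-based sweeps; the region sizes let you tell a 0x60000-byte working buffer apart from a multi-megabyte image mapped at the default base before you open a single dump.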

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:08

Reported

2023-05-01 20:13

Platform

win10v2004-20230220-en

Max time kernel

152s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

Signatures

BluStealer

stealer blustealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\a91620f4c0346ca3.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4320 set thread context of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 2464 set thread context of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
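The two rows above describe a two-stage chain: the sample first sets the thread context of a second copy of itself (4320 to 2464), then of AppLaunch.exe (2464 to 4608), the pattern typically produced by process hollowing. The Outlook rows earlier in this detonation show that same AppLaunch.exe reading mail-profile keys, and the System32 and Program Files rows show the original dropper opening dozens of service and application executables for modification. The Python below is an added example, not part of the report or of any sandbox's code; it runs three detections over a constructed subset of this section's rows and correlates them: a SetThreadContext whose target image differs from the source, Outlook profile keys read by a process other than Outlook (escalated when that process just received a foreign thread context), and a process running from a user-writable path opening many executables under Windows or Program Files for modification. The row layout assumed is the flattened "Description Indicator Process Target" form seen on this page; rule names, the threshold of five executables and the user-writable path list are this example's own choices.

```python
"""Detections over flattened sandbox signature rows (Description Indicator Process Target).

Added example, not part of the report or of any sandbox's code. It assumes the row
layout visible on this page; rule names, thresholds and path lists are this example's own.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DRIVE = r"[A-Za-z]:\\"
# Two paths in one row are split at the only place a drive letter can follow a space.
SET_CTX_RE = re.compile(rf"^PID (?P<src_pid>\d+) set thread context of (?P<dst_pid>\d+) N/A (?P<src>.+?) (?P<dst>{DRIVE}.+)$")
FILE_MOD_RE = re.compile(rf"^File opened for modification (?P<target>.+?) (?P<proc>{DRIVE}.+) N/A$")
KEY_RE = re.compile(rf"^Key (?:opened|value queried) (?P<key>\\REGISTRY\\.+?) (?P<proc>{DRIVE}.+) N/A$")

OUTLOOK_PROFILE_RE = re.compile(r"\\Profiles\\Outlook\\", re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\", "\\program files")                  # where tampered binaries live
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # where droppers usually run from

# Constructed sample: rows copied from this section of the report.
SAMPLE_ROWS = [
    r"PID 4320 set thread context of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe",
    r"PID 2464 set thread context of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A",
    r"File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A",
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def parse_rows(rows):
    """Bucket rows by the signature they belong to; rows of other shapes are ignored."""
    events = {"set_context": [], "file_mod": [], "key_open": []}
    for row in rows:
        if m := SET_CTX_RE.match(row):
            events["set_context"].append(m.groupdict())
        elif m := FILE_MOD_RE.match(row):
            events["file_mod"].append(m.groupdict())
        elif m := KEY_RE.match(row):
            events["key_open"].append(m.groupdict())
    return events


def detect(rows, tamper_threshold=5):
    """Return (rule, detail) findings; the rules correlate across the three row types."""
    ev = parse_rows(rows)
    findings, hollowed = [], set()

    # 1. SetThreadContext into a different image is the hollowing pattern; into a copy
    #    of itself is the usual first stage (unpack into a child, then hand off).
    for e in ev["set_context"]:
        src, dst = image_name(e["src"]), image_name(e["dst"])
        if src != dst:
            hollowed.add(dst)
            findings.append(("process_hollowing", f"PID {e['src_pid']} ({src}) -> PID {e['dst_pid']} ({dst})"))
        else:
            findings.append(("self_injection", f"PID {e['src_pid']} -> PID {e['dst_pid']} ({src})"))

    # 2. Outlook profile keys read by anything other than Outlook; severity rises when
    #    the reader is an image that just received a foreign thread context.
    readers = defaultdict(set)
    for e in ev["key_open"]:
        proc = image_name(e["proc"])
        if OUTLOOK_PROFILE_RE.search(e["key"]) and proc != "outlook.exe":
            readers[proc].add(e["key"])
    for proc, keys in readers.items():
        sev = "high" if proc in hollowed else "medium"
        findings.append((f"outlook_profile_access:{sev}", f"{proc} read {len(keys)} profile key(s)"))

    # 3. A process running from a user-writable path opening many system or application
    #    executables for modification: binary tampering rather than a normal installer.
    per_proc = defaultdict(set)
    for e in ev["file_mod"]:
        target, proc = e["target"].lower(), e["proc"].lower()
        if target.endswith(".exe") and any(d in target for d in SYSTEM_DIRS) \
                and any(u in proc for u in USER_WRITABLE):
            per_proc[e["proc"]].add(target)
    for proc, targets in per_proc.items():
        if len(targets) >= tamper_threshold:
            findings.append(("mass_exe_tampering", f"{image_name(proc)} opened {len(targets)} executables for modification"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_ROWS):
        print(f"{rule:30} {detail}")
```

On the constructed rows this yields one self_injection, one process_hollowing into applaunch.exe, one high-severity outlook_profile_access (because the reader is the hollowed image) and one mass_exe_tampering for the dropper in %TEMP%. The MSDTC.LOG row is ignored by rule 3 on purpose: msdtc.exe writing its own log from System32 is normal, and only .exe targets count toward the threshold.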

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{12B41477-B896-4CE0-B721-49B4FD6AD28D}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006480ce28697cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 4320 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe
PID 2464 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2464 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2464 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2464 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2464 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1968 wrote to memory of 5084 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1968 wrote to memory of 5084 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1968 wrote to memory of 3384 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1968 wrote to memory of 3384 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe

"C:\Users\Admin\AppData\Local\Temp\RFQ 21032023.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900

Network

Country Destination Domain Proto
IE 52.109.77.0:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 51.105.71.137:443 tcp
US 52.242.97.97:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 206.191.152.58:80 cvgrf.biz tcp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 63.251.106.25:80 npukfztj.biz tcp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
SG 72.5.161.12:80 knjghuig.biz tcp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 173.231.189.15:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 63.251.126.10:80 ifsaia.biz tcp
SG 63.251.126.10:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 173.231.184.124:80 saytjshyf.biz tcp
US 173.231.184.124:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 72.5.161.12:80 vcddkls.biz tcp
SG 72.5.161.12:80 vcddkls.biz tcp
US 8.8.8.8:53 15.189.231.173.in-addr.arpa udp
US 8.8.8.8:53 10.126.251.63.in-addr.arpa udp
US 8.8.8.8:53 124.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 99.83.154.118:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 99.83.154.118:80 tcp
US 8.8.8.8:53 udp
N/A 63.251.235.76:80 tcp
N/A 63.251.235.76:80 tcp
US 8.8.8.8:53 udp

Files

memory/4320-133-0x0000000000140000-0x00000000002BA000-memory.dmp

memory/4320-134-0x0000000005330000-0x00000000058D4000-memory.dmp

memory/4320-135-0x0000000004C40000-0x0000000004CD2000-memory.dmp

memory/4320-136-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/4320-137-0x0000000004D50000-0x0000000004D5A000-memory.dmp

memory/4320-138-0x0000000004E90000-0x0000000004EA0000-memory.dmp

memory/4320-139-0x0000000005D00000-0x0000000005D9C000-memory.dmp

memory/2464-140-0x0000000000400000-0x0000000000654000-memory.dmp

memory/2464-143-0x0000000000400000-0x0000000000654000-memory.dmp

memory/2464-144-0x0000000002960000-0x00000000029C6000-memory.dmp

memory/2464-149-0x0000000002960000-0x00000000029C6000-memory.dmp

memory/2464-154-0x0000000000400000-0x0000000000654000-memory.dmp

memory/4736-157-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\alg.exe

MD5 48fd1c2b0ebac9a69f7529d6b16ade23
SHA1 4139d0311d9fe0b1b8f472db1a1ae37c512a7771
SHA256 01dd180137ac82c11f764fdfc9059da27959521a12a4782beb88da323879195f
SHA512 48a55db42574f9ea6cdf3889bdeaec8bde964e84bf4571dd0804c70098e0669fc252113d6068cf8bb22b8ee655583a0939e6eed4b864e395e940c82a7e638a3f

memory/4736-163-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/2524-169-0x0000000000660000-0x00000000006C0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 e3cde4aa7dc1d3472c1f5ee00af9a8d4
SHA1 22b3e9c4e69b166c2c8a92e7b17674a0c8317c25
SHA256 61fc767d21422e11e0403e14bb75939e95e1c373d099e5cf6386c0d9ffac6493
SHA512 7ce889b093ccc66bfe90a6e69379b0a4f831e05cf3a2c11282b76dfd0627cafdaf095a45b7d9535173b677a9334e9b5bbd4f44f09ae16acfa64764b0f598204b

memory/4736-175-0x0000000140000000-0x0000000140201000-memory.dmp

memory/2524-176-0x0000000000660000-0x00000000006C0000-memory.dmp

memory/2524-177-0x0000000140000000-0x0000000140200000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 de77e43adb12f6caed09e905bb1a889a
SHA1 4c096fe67fc25d3d1623de6fd9c890d8d891cf23
SHA256 02c142e4d44e3e8aab0e80aadb5db58d502be97cbcc1b8878425d339c2fa8cac
SHA512 2599a4aab299fda4026e0f4ba6c285baee5d08a963df3c43aa7430146996f9c9f7d52c5e402ffda3af24dd265480fb659cc0b3ed146cbd65c68984c8a4ce7829

memory/2688-181-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/2688-187-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/2688-189-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2688-191-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/2688-193-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 a0ea7df583cf199f7f11cfda25721b8d
SHA1 718d157fdbf6cdaecb305d70f2628ebe260cbf6e
SHA256 e8f250f5572be610de5864831da19fbe35527f57d64d2804dc22c34cb4d27ce6
SHA512 e6687218d427436ac243a806b10e135b10c09cc6e49617f14dc7023bdc46dcb45e0e6530150fb3030511fec2f619687eed598bb19625fe7a5401465aa6504f42

memory/3288-195-0x00000000004D0000-0x0000000000530000-memory.dmp

memory/3288-201-0x00000000004D0000-0x0000000000530000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 98fab8319fb3ca593ddc88e50dd929f0
SHA1 d01d8c92b6a8a3302af3dc4305cd4a885289f22f
SHA256 1b1212fc864e3d1bf913ca08f16e70ba8ff4416c14f402e446fffb3dc719bd89
SHA512 586a7a84bdfe078b447458f2a421fdbc237690ec2eaac1eba28a06f821224f362ebee5f0460f44dab8c37507d06fb972c656cb5ef10c046fc35683b1d360cb82

memory/3288-206-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1948-205-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/1948-208-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1948-213-0x0000000000190000-0x00000000001F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 24394a04040bf575e6f1456c085a5fd3
SHA1 0c7b97a5d259a1305b3ab07df173eeedae3de7c7
SHA256 02f2e23b74c8a2fb0d1f01e4197ea9aabf6d93b501367b66a6898ef0125893c8
SHA512 74c8cd165126a888758e5fc6034138ac64c2e56d9ddf1cbe660bc60ab4ed494d1d62d7191dd12ba6549ec0d17cc159e45e9079075ee145e85b9c742361d794b4

memory/1072-217-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1072-223-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1072-226-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1072-229-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 686f26d642441c6f02c99983b3b8ea07
SHA1 2f6a4d3ef5927d39d23ac7e0dae0b321a1e84ba1
SHA256 8cba5d656713c8f46822bfb047de7e038301c7933835fdae040ec9ae256099ab
SHA512 74095ee4daffafc800ff2f1e0f232b6bc17f28a2d94eeae473477cbaeb9f71886047fd7218a85b135e261e82070fcf03e20e80525e766da1585c8b95ba538642

memory/1760-231-0x0000000000D00000-0x0000000000D60000-memory.dmp

memory/1760-241-0x0000000140000000-0x0000000140210000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 5aa6226fd6e3f5fae82ef1333a72055b
SHA1 dcdfaacd0d16cc69e23bd678ceb5d4d598024316
SHA256 bf21affcab8dfaff93e727aaf331b7744415244ae29e8a7d2b50d5b9fa247f6d
SHA512 20a797f2ac198cd52e7946b8045acb1e39f6a33a2e6980489d3324a76d16a70ac81c1ccd616c39d48b46e16cf7beac279e907b490a937e0095ba940d92d35d10

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 ffd47e81b1768d312c8ecc9166c833b5
SHA1 50833ee0d6170eeee615695fa574a0d0e7839e9f
SHA256 51680bbbdd0bcad11ea5260854bb9f95ee6d7c25a8179513f6a325dbf80d454e
SHA512 01e875b25d4b0342857c396f7b9050a1251fca8ac4f45f93ab227dfbd013b5f2a4bce03fc732bf621c4bc1599f733a638b2a06ea71a9f4de65ddf4162fef6085

memory/4616-262-0x0000000140000000-0x0000000140226000-memory.dmp

memory/4208-264-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 f34ae0e8fecfd19c89869fa5e0f4d40d
SHA1 9d71ca3c6ddceece89d1c6c5f8b961611fd67238
SHA256 64295ad25309811b8f0c6564a0d0cbe8a8e341dee9c3e7cabb8c61782b4f7f8c
SHA512 762abd9f560597814414f35c9939ba07a9a51ab855862ae9042bf9cd3f20a7c914aed953fca86e63bc13d43db10ef738e7fb78c0ea04b75f8f2238a584d33551

C:\Windows\System32\Locator.exe

MD5 dc3a5b28b5905d5ad8f0b4f20dbec578
SHA1 ec15654bb06305b0a7c57c1dc87fd22280d4943a
SHA256 5a8ac6839305e358922899493b49ddc97e6a2a274ae014140b1d178ec2a85991
SHA512 aae620fa489afd0932212755e23c26260d9f054e4bd6dca499a275ec279478b22b607fbcfaf5b738b4de47f2f0bc620ec128808b12833c8e9af278a622607f35

memory/2212-281-0x0000000000400000-0x00000000005EE000-memory.dmp

memory/1620-283-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 bcb34fccc9a7d90740dbea80ef146ffe
SHA1 0eecd1b9ff37db0803a989195ba1930f77fd0d05
SHA256 e9a3fecac0f36812e88cdd1d571a939c3ab4b8059666292390952f821f3ae46d
SHA512 6c527b81b12c3d03b8fe39978dced3a12766b5320508b3a2b1b3de5b4fd08eb4288cf0a6d3f71d2d808ea08255fca17dbac39d6daf2e7e1738b815cae3aaa0f2

memory/2012-297-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 90a72157e03a02e67008fe778401cd4b
SHA1 0cc908d4c1469ab18299974132b1bc11ee8c27bf
SHA256 bc66d2c560f8c9b5f22f4a97c66959239beb582f81630bb156b990e22539e817
SHA512 be02f45e73630293877b1df84b5ea1ecddf76511a994a10d227541b3499f0ad9b713e250f976ca426d7c7f43846661e4136c869f5ff364a6130c4fd44248b185

memory/2464-310-0x0000000000400000-0x0000000000654000-memory.dmp

memory/1736-314-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 1298d779e88fb8ddba6e89ff8640dcb3
SHA1 7a5108f031b1deaf723c6f644e8f2939a2f98290
SHA256 dbd16f0ef289818b9606bf0d51be469174fbb915c5b01b77e728ad34cd16fe10
SHA512 53c18090b7842b1ab8a685e11e0175e1c6d294af7202ba3efe03fec98dcddbecb30798e4cc4300ef1c747c5a49d5f18636a792621a518d7c67b28ff845481ffa

memory/4444-321-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 92097aada7ae10b08f17d72d8c1c6732
SHA1 d259f4da0a005670b4cad27cf45669f949892e35
SHA256 428312af0f25fd90a4741cc364dbe765470d47343f53be891a4dc06197b875ef
SHA512 d325fe1e164de43db4e825b40ee195fce9100e8f7db2021907f55eb826fd0462aab9da73fad697fe0039709b8a2c55aa0c7ae79642e29368d83ecd7e66913d15

memory/2524-332-0x0000000140000000-0x0000000140200000-memory.dmp

memory/3584-334-0x0000000140000000-0x0000000140259000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 2cb8767f61bd0a5e450bf5bf191f0332
SHA1 352c3987a208a680108907a204f2d1becc55e0f9
SHA256 efbbab5b05da84bb8f7e9f0ef7c4b0af7b5fb415dc07ca4d719db357bb45c4fd
SHA512 a4a322061411f86fe1d8f60dc47c5574d3a9c6b220a466a9d90de31365c32ca0149a9e36ff661d7981a5521b7b9e6e2c549ef9a7137b6324d4888097aaff55a9

C:\Windows\System32\AgentService.exe

MD5 476ed83873f5a0cd8b14a72852a1a33d
SHA1 472dea25d53fa5d4c72fd8980b0ebeddddfc2e6e
SHA256 bd28f18127ec70e942262f345ee1cf5b9d7a5f9a200a6e91cb38d9ff026cb37b
SHA512 80e50df47cdbc6e3ae880280c26595c7230e1142c1d0d8d02bd677366b5ae1e0f6583e44ece9b1b9272824e18ec2906fc04d47f8925e0eec9bf04e27ecb09eac

memory/704-350-0x0000000140000000-0x0000000140239000-memory.dmp

memory/844-352-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 f239dd6e55b339c0ad1005310b569feb
SHA1 d6e784d31c0e7d4e1a42c889dd3de1d5ff6d3cc3
SHA256 af3583a4c322978c797bb92c9421befbd660e5d539c44e459c555d5fe9e43ab2
SHA512 4c45a8c6f4114b2659c66787bc745de8f6782e838d614b90c2a1b641bda848f4b192a800ebaace86c61b1820b496d20d5d6125351042a6de2cb04daa932378e6

memory/844-360-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/1948-372-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3288-370-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2016-373-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 fee16c5d0ef5406636b54e8e6175c25e
SHA1 1413381587f47ec8f081d284f07d8b92d191b28c
SHA256 d855dc5e3988e2d04983c1c09b64fc065f834031239b8cc8a0bc6b58dfd47671
SHA512 78d08a7717156cfca8fb2316de2ae99334ade39fcadc2214b16b7080396fcc5fc209bc65ef665ec6e32ac3f858e00a5307330949b6e1939a8919f41d373ec9ec

memory/3848-383-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 a42f63309921ff022e7bb883f985bf00
SHA1 da5909add3a14f29cde564f7c3f7fe7d391249ac
SHA256 3e4cb2fdb1e4ad5de4174d832f15b3471418e0bcbee736fad4f6eebf0c9b5291
SHA512 99a5b4d89dc26fca3deff0e309a574128ffed4927664f3c86ec402c421129d714cc778b5454eb5851de8b509dbe133093e314e74bbf01116ef09930d0639310d

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 7bddd58d73da6a1d9bd586b0e7d752f8
SHA1 e623b663d688995c9b9c47fc11a84beecd2a6829
SHA256 3d5863000162c52f731b75b08b294dd9212b0a74d0ff22128a07e7887e65bc83
SHA512 1b6f5f86db1bd9b6692b8338f8aa1a7c95787e0deb3a4a45e29299137536dfe5a9dc6b3ffaa21d8898ee40eaa2a2dcebd4cc897978c2c25549fda4b787d52504

memory/4344-401-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2032-404-0x0000000140000000-0x000000014021D000-memory.dmp

memory/4608-408-0x0000000000500000-0x0000000000566000-memory.dmp

memory/4208-410-0x0000000140000000-0x0000000140202000-memory.dmp

memory/4608-411-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

memory/2012-414-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 a123979a33b3a8962149fd5a9bd0a1a9
SHA1 55c2d92db3329416e8a0fd6560af7671f9e30e90
SHA256 c8d18fa1a512cfaad700cc5dc19cc5311e0441e5f7f553f7ceadfb474c8e0fb6
SHA512 d9fb70b5efeb6549f968f25fba64d4c3582e111aeb55fc51e1070807a3e52cb9f2ddb126c60358be93a1c9833dabcb1c9bdbeb498de5377c5b4123a8a57ced3e

memory/1620-424-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/1968-425-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4444-477-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3584-494-0x0000000140000000-0x0000000140259000-memory.dmp

memory/2016-531-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3848-532-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2032-533-0x0000000140000000-0x000000014021D000-memory.dmp

memory/1968-546-0x0000000140000000-0x0000000140179000-memory.dmp