Malware Analysis Report

2025-01-03 08:00

Sample ID 230501-yxvrhaab91
Target SecuriteInfo.com.Heur.24719.4239.exe.bin
SHA256 e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
Tags: blustealer collection stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998

Threat Level: Known bad

The file SecuriteInfo.com.Heur.24719.4239.exe.bin was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer

BluStealer

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Uses Volume Shadow Copy service COM API

outlook_win_path

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-01 20:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-01 20:10

Reported: 2023-05-01 20:14

Platform: win7-20230220-en

Max time kernel: 148s

Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

Signatures

BluStealer

stealer blustealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\dllhost.exe N/A
N/A N/A C:\Windows\ehome\ehRecvr.exe N/A
N/A N/A C:\Windows\ehome\ehsched.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\IEEtwCollector.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b9e39a5a47bf3ad0.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C785CD31-DE17-49ED-A223-DECDF4E782AE}.crmlog C:\Windows\system32\dllhost.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C785CD31-DE17-49ED-A223-DECDF4E782AE}.crmlog C:\Windows\system32\dllhost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CriticalLowDiskSpace = "1073741824" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPoitnRateMs = "10000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheHashTableSize = "67" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpRecCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileDiscontinuitiesPerSecond = "20" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMaxJobDemoteTimeMs = "5000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\SwagBitsPerSecond = "19922944" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogInitialPageCount = "16" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\ShadowFileMaxClients = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheWaitForSize = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheShortPageCount = "64" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\NvpClientsCount = "32" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\CacheLongPageCount = "32" C:\Windows\ehome\ehRec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\ehome\ehRec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE\SAL\LogMinJobWaitTimeMs = "3000" C:\Windows\ehome\ehRec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\ehome\ehRec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\ehRec.exe N/A
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\eHome\EhTray.exe N/A
N/A N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1620 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 472 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 776 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 1320 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2660 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2100 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
PID 1456 wrote to memory of 2520 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 248 -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 244 -NGENProcess 1d8 -Pipe 240 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 264 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 244 -NGENProcess 268 -Pipe 258 -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 278 -NGENProcess 1d4 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 278 -NGENProcess 254 -Pipe 264 -Comment "NGen Worker Process"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 280 -NGENProcess 1d4 -Pipe 1d8 -Comment "NGen Worker Process"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 23c -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 27c -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 288 -Pipe 280 -Comment "NGen Worker Process"

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 1d4 -NGENProcess 1f0 -Pipe 1ac -Comment "NGen Worker Process"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 28c -NGENProcess 184 -Pipe 27c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 288 -NGENProcess 1f0 -Pipe 23c -Comment "NGen Worker Process"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp

Files

memory/1620-54-0x00000000012E0000-0x0000000001476000-memory.dmp

memory/1620-55-0x0000000001210000-0x0000000001250000-memory.dmp

memory/1620-56-0x0000000000460000-0x0000000000472000-memory.dmp

memory/1620-57-0x0000000000490000-0x000000000049C000-memory.dmp

memory/1620-58-0x0000000005D80000-0x0000000005EB8000-memory.dmp

memory/1620-59-0x000000000A4E0000-0x000000000A690000-memory.dmp

memory/472-60-0x0000000000400000-0x0000000000654000-memory.dmp

memory/472-61-0x0000000000400000-0x0000000000654000-memory.dmp

memory/472-62-0x0000000000400000-0x0000000000654000-memory.dmp

memory/472-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/472-65-0x0000000000400000-0x0000000000654000-memory.dmp

memory/472-67-0x0000000000400000-0x0000000000654000-memory.dmp

memory/472-68-0x0000000000350000-0x00000000003B6000-memory.dmp

memory/472-73-0x0000000000350000-0x00000000003B6000-memory.dmp

memory/472-78-0x0000000000400000-0x0000000000654000-memory.dmp

\Windows\System32\alg.exe

MD5 e7c507492cf74a7471665652c5acd0ab
SHA1 eb799041e609e1595ce019ab8f59d29b680bef6c
SHA256 291080fc9d81df78bf8d0378bf8f3cbc0a03e7a2387f6319b2bafe90f0e9d84b
SHA512 0a0ed94c553e3d474f49e60b7057e874904b996f95f741a08da91d9dc1a2bf5be615bbf0f179fb9f20f927da21b9c5f0ccc3389c81bc4ecde325364e8f30ab84

C:\Windows\System32\alg.exe

MD5 e7c507492cf74a7471665652c5acd0ab
SHA1 eb799041e609e1595ce019ab8f59d29b680bef6c
SHA256 291080fc9d81df78bf8d0378bf8f3cbc0a03e7a2387f6319b2bafe90f0e9d84b
SHA512 0a0ed94c553e3d474f49e60b7057e874904b996f95f741a08da91d9dc1a2bf5be615bbf0f179fb9f20f927da21b9c5f0ccc3389c81bc4ecde325364e8f30ab84

memory/1112-82-0x00000000002B0000-0x0000000000310000-memory.dmp

memory/1112-88-0x00000000002B0000-0x0000000000310000-memory.dmp

memory/1112-92-0x0000000100000000-0x00000001001FB000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 89531fe17b6d46a5a6b871821407f070
SHA1 f58c535eceda60f71604a67d2249443accbfde82
SHA256 40f2a4d1dc58ef91655b06014ff83e1def338941afcce53ac3ca70403f1a7d4b
SHA512 27f8adb599e60ccc0846de1532c73a7ed2f6ff17c3cafcc4aeac67f75118566110a4df824bf1628bd2b31f84c6358890bea196b79cd37ffa0dfa1186acbe7798

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 89531fe17b6d46a5a6b871821407f070
SHA1 f58c535eceda60f71604a67d2249443accbfde82
SHA256 40f2a4d1dc58ef91655b06014ff83e1def338941afcce53ac3ca70403f1a7d4b
SHA512 27f8adb599e60ccc0846de1532c73a7ed2f6ff17c3cafcc4aeac67f75118566110a4df824bf1628bd2b31f84c6358890bea196b79cd37ffa0dfa1186acbe7798

memory/1220-96-0x0000000140000000-0x00000001401F4000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 6a73394cc4f8dd175e16f86a56e6f785
SHA1 c129aa28336a5f8179601ea8f788974303923525
SHA256 00fb15746b107d5f9dccfc87e04b337484c8c8c50ca878168976a467cdbbe3f5
SHA512 1cf0de22caf3557236ba1096521ab6361994d6dd4b9817f1f933a2afda807b3d6371e8234e0fdeaf72717008ea0a5a522574c35e7bddc0209d1dda8a7fdaedba

memory/1492-106-0x00000000001D0000-0x0000000000236000-memory.dmp

memory/1492-108-0x00000000001D0000-0x0000000000236000-memory.dmp

memory/1492-104-0x00000000001D0000-0x0000000000236000-memory.dmp

memory/1492-103-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1492-102-0x00000000001D0000-0x0000000000236000-memory.dmp

memory/960-109-0x0000000010000000-0x00000000101F6000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 6a73394cc4f8dd175e16f86a56e6f785
SHA1 c129aa28336a5f8179601ea8f788974303923525
SHA256 00fb15746b107d5f9dccfc87e04b337484c8c8c50ca878168976a467cdbbe3f5
SHA512 1cf0de22caf3557236ba1096521ab6361994d6dd4b9817f1f933a2afda807b3d6371e8234e0fdeaf72717008ea0a5a522574c35e7bddc0209d1dda8a7fdaedba

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 22f42bc4adeac827c3d69b6078f51769
SHA1 214d70250a72ae1a304e94d8fd004ede9a4350d0
SHA256 119028872615d4fd5b780d6c445301139ed86e0aafc5fb13a0ed7524aeeef946
SHA512 0b08b11bc0064247886a6b344a05c9ea14664aecf0c0ff566a8371d4725b04e16b9427fc3c9fa7ebbddc88f7ab9099553fe5890708c277c12a023eacbdb5ecae

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 22f42bc4adeac827c3d69b6078f51769
SHA1 214d70250a72ae1a304e94d8fd004ede9a4350d0
SHA256 119028872615d4fd5b780d6c445301139ed86e0aafc5fb13a0ed7524aeeef946
SHA512 0b08b11bc0064247886a6b344a05c9ea14664aecf0c0ff566a8371d4725b04e16b9427fc3c9fa7ebbddc88f7ab9099553fe5890708c277c12a023eacbdb5ecae

memory/1492-114-0x00000000047C0000-0x000000000487C000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 c076509dafc79d647a0738d3329f2c31
SHA1 739469f235a97385d148de8e9a5e7986b8cedf99
SHA256 219f9306e284b7a68ad1e93fb53c4abe5ce1480b739dffa06ae43bff2ce48afb
SHA512 02f2ab88f3ab799ef3ddd89de2736c78915aabed25f6e50777146fabde8fca8a1fd3e786001c9d8ae75e2793a00f1199d4e3a9082fccf1751c5cd05038610c55

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 22f42bc4adeac827c3d69b6078f51769
SHA1 214d70250a72ae1a304e94d8fd004ede9a4350d0
SHA256 119028872615d4fd5b780d6c445301139ed86e0aafc5fb13a0ed7524aeeef946
SHA512 0b08b11bc0064247886a6b344a05c9ea14664aecf0c0ff566a8371d4725b04e16b9427fc3c9fa7ebbddc88f7ab9099553fe5890708c277c12a023eacbdb5ecae

memory/1492-123-0x0000000004E00000-0x0000000004E40000-memory.dmp

memory/288-122-0x0000000010000000-0x00000000101FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/1456-125-0x0000000000600000-0x0000000000666000-memory.dmp

memory/1456-130-0x0000000000600000-0x0000000000666000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 0e84048801d5e30f1084ffc8c8b55cbc
SHA1 10e3ab1cdc7e6266bd004390c4fbb6753324d50f
SHA256 8b67af74055dc3b101926f4ed28c3376dc8f44ade6e2099b8fb1ae8e390ac414
SHA512 b6a9b2e18d1d8f5d6569fe34caccf25feb3aa02b5f5be3bebbd18b7c179ab94e2c47e51a3e383f6b8c786e6e599212cbabe5a9a89bcbc245fb9c663d0bbc33a4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 b88b394193d3f27ec2044b2070f0f5c8
SHA1 9332f1cd5114cacefbeb108c6a1b912e03be955e
SHA256 df6feab54bacc8ded325e41f7ff366a3b656cfd4db1be7b0dbd28b80f918e0bb
SHA512 38fc22d7e4a648855aa3458a11d1d5b027308134e0f94c0ec2252e291a49aa9351d3da74c92ee92a74083969ae9ba92a2a3e11ada073e5fb616ed125d0d5dd2e

memory/1336-140-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1456-141-0x0000000000400000-0x00000000005FF000-memory.dmp

\Windows\System32\dllhost.exe

MD5 540bbf1ba85b6115c22a867e0d567cc6
SHA1 4b6d439ee19aa116dd8d3b1af79ec513c01d6852
SHA256 7bffffb573cc29757305bc9d6e3b544b5cca16886a6a3a667aa1ed4812e639ad
SHA512 81c934fd02a2e1348cee6e37701ff43536a188405b56f9ecb9150d608134f6c7029e598587ff05887d8978bdc951020cd8f207300fa6f1009f1cff24a4ebedd6

C:\Windows\System32\dllhost.exe

MD5 540bbf1ba85b6115c22a867e0d567cc6
SHA1 4b6d439ee19aa116dd8d3b1af79ec513c01d6852
SHA256 7bffffb573cc29757305bc9d6e3b544b5cca16886a6a3a667aa1ed4812e639ad
SHA512 81c934fd02a2e1348cee6e37701ff43536a188405b56f9ecb9150d608134f6c7029e598587ff05887d8978bdc951020cd8f207300fa6f1009f1cff24a4ebedd6

memory/472-147-0x0000000000400000-0x0000000000654000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 b88b394193d3f27ec2044b2070f0f5c8
SHA1 9332f1cd5114cacefbeb108c6a1b912e03be955e
SHA256 df6feab54bacc8ded325e41f7ff366a3b656cfd4db1be7b0dbd28b80f918e0bb
SHA512 38fc22d7e4a648855aa3458a11d1d5b027308134e0f94c0ec2252e291a49aa9351d3da74c92ee92a74083969ae9ba92a2a3e11ada073e5fb616ed125d0d5dd2e

memory/1460-149-0x0000000100000000-0x00000001001EC000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 4e1a10af9deb6cc0e6c36ca8952058e8
SHA1 9c08a698f29b14a4bd07a03fd73ff6bd04198b05
SHA256 0812785dc6d2159597444c58e419dc19ac1585c23c8837eafd216f2d76f69efb
SHA512 98172efbb22fd4cb33f7b1c98b122430a41d73f642a1eab6c5c3423fc50f3ead55d934b391bf1a0dd0ecce30b3bacfe60883cc9ac89d46992480a49b97143e41

C:\Windows\ehome\ehrecvr.exe

MD5 4e1a10af9deb6cc0e6c36ca8952058e8
SHA1 9c08a698f29b14a4bd07a03fd73ff6bd04198b05
SHA256 0812785dc6d2159597444c58e419dc19ac1585c23c8837eafd216f2d76f69efb
SHA512 98172efbb22fd4cb33f7b1c98b122430a41d73f642a1eab6c5c3423fc50f3ead55d934b391bf1a0dd0ecce30b3bacfe60883cc9ac89d46992480a49b97143e41

memory/972-153-0x0000000140000000-0x000000014013C000-memory.dmp

memory/972-154-0x0000000000270000-0x00000000002D0000-memory.dmp

memory/972-160-0x0000000000270000-0x00000000002D0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 4e6d7aab04ee6582690819a5e6f87a33
SHA1 d3d398955b49d51d33bc6a08fc75da8a870b93e8
SHA256 8382f966c34a898c8176c17ea1e2fb21372d69d6fdc0966d14c043b3674430a1
SHA512 79d76f4bb87b6e8a08332a223f21d2a636cae0bd5d0cb696897ad6c607003182a0bbdceb250ae6793c5722359391f0376c9c5bafe3e32cfc87cb1c48b5f976db

C:\Windows\ehome\ehsched.exe

MD5 4e6d7aab04ee6582690819a5e6f87a33
SHA1 d3d398955b49d51d33bc6a08fc75da8a870b93e8
SHA256 8382f966c34a898c8176c17ea1e2fb21372d69d6fdc0966d14c043b3674430a1
SHA512 79d76f4bb87b6e8a08332a223f21d2a636cae0bd5d0cb696897ad6c607003182a0bbdceb250ae6793c5722359391f0376c9c5bafe3e32cfc87cb1c48b5f976db

memory/1936-167-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/1936-173-0x0000000000850000-0x00000000008B0000-memory.dmp

memory/972-176-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

memory/972-177-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

memory/1112-178-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/1936-179-0x0000000140000000-0x0000000140209000-memory.dmp

memory/972-181-0x0000000001430000-0x0000000001431000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 82731d7cc4971241e67b310af7a494c4
SHA1 6553bb55c4eeaf8fa27e4223fa943a771ea3390a
SHA256 9d7671dbbd114998fc3b3e4bc8be9b797391fec7eb770e1d7168890adc1f3db9
SHA512 5b4d0d68e0f8d8fd507fe48a1b3bf7681374b1aabae2c599c9a3b14ebdfc876d19ad18d092dde1a91b8b945566b562333850e0a699056a8d88d23e6fe038b860

memory/760-183-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/760-189-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/1668-192-0x0000000000300000-0x0000000000366000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

\Windows\System32\ieetwcollector.exe

MD5 8e635c05a5ff0a7ddd1c8fb524157b32
SHA1 5d0b620fb788f4d61f75f334cddc3dc43eb91fd8
SHA256 8f40ac0651768298f7c2cc9caea36d5b4bc75d9b89376a63522586c0b9dc4cf7
SHA512 b3bb03a31e8e700a826ea641059deadde80b6ab03260e8ce60af0247df93427e3b3c4d9144d10a9d8ddda0a18e95f538d4cd41b62bda6524cb4d9b99747e20be

memory/760-203-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Windows\System32\ieetwcollector.exe

MD5 8e635c05a5ff0a7ddd1c8fb524157b32
SHA1 5d0b620fb788f4d61f75f334cddc3dc43eb91fd8
SHA256 8f40ac0651768298f7c2cc9caea36d5b4bc75d9b89376a63522586c0b9dc4cf7
SHA512 b3bb03a31e8e700a826ea641059deadde80b6ab03260e8ce60af0247df93427e3b3c4d9144d10a9d8ddda0a18e95f538d4cd41b62bda6524cb4d9b99747e20be

memory/1668-204-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/860-205-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/2000-206-0x0000000140000000-0x0000000140205000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/1668-217-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/1688-228-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/776-229-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/1320-241-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/860-242-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/972-243-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1936-244-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

MD5 b9bd716de6739e51c620f2086f9c31e4
SHA1 9733d94607a3cba277e567af584510edd9febf62
SHA256 7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312
SHA512 cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

memory/860-264-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/2108-265-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/860-266-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/760-263-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1688-267-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1320-270-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/2256-275-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/860-278-0x0000000000E10000-0x0000000000E90000-memory.dmp

memory/2108-283-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 c97291a94bf2dfdcce3c17474fd88708
SHA1 754f5e18d07fa3973728338af9bda1755e1934fb
SHA256 7080a52bed2be2cbcf47cc31c025deda2a16268ad50f5cc086ab7fb235430147
SHA512 dbc6813f24e81f070a61850d066b06df638ff749fc06b55adc35d608040e1b9ac501378490a8b8b29f7202a021d6351dac0a712984f41c8a7991290962f1bff2

memory/2380-295-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 36a4113f781f1730c50bce541b0ab017
SHA1 fa2490f050c4a70d66a7bdf338f656a8a21ea27a
SHA256 1ce6c9734a4f35e0e9a9641365b639ccd1d6514926747e82e79d49122ace18c7
SHA512 f2abec8c4e2e9813f90a712ce7b15744b57e24a65d97be655e3780bf6ebfd35a571aec496de8f75bb7cc497eb16faddfcad0d823039a84c0c820f21e0e7c4b9a

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/2472-310-0x0000000140000000-0x0000000140221000-memory.dmp

memory/2256-315-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

\Windows\System32\msdtc.exe

MD5 7678b54a0fae311f3f3ba41555efd2a6
SHA1 d8bb1148c233c9dc1287c69616fdb3d0671c1628
SHA256 3fd624250df2663f366e18360ae137dec65b02c71d5b7006898c77db89198a34
SHA512 67d62d39fd4ff46ccfd268d2f48a2bcacec5aa486ffa40ef76feccc06ceb859a10a8368a1605a46b6d138fceb0f86eddd230fe229b2d572c99dfb763cc10fde9

C:\Windows\System32\msdtc.exe

MD5 7678b54a0fae311f3f3ba41555efd2a6
SHA1 d8bb1148c233c9dc1287c69616fdb3d0671c1628
SHA256 3fd624250df2663f366e18360ae137dec65b02c71d5b7006898c77db89198a34
SHA512 67d62d39fd4ff46ccfd268d2f48a2bcacec5aa486ffa40ef76feccc06ceb859a10a8368a1605a46b6d138fceb0f86eddd230fe229b2d572c99dfb763cc10fde9

memory/2660-331-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2720-332-0x0000000140000000-0x000000014020D000-memory.dmp

memory/2472-343-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/2660-355-0x0000000000400000-0x00000000005FF000-memory.dmp

\Windows\System32\msiexec.exe

MD5 bc7800a29e4023786445f2bc5744b0cb
SHA1 39d44a327f9116dad9537d19676f515c369a5a2f
SHA256 c59b9056a2693ecc44bc5365c6b122377d0439adfffc0afc11f8669275ce340e
SHA512 b936c67fbb93eed1bbe78121858128bb9c36ba385d90eaac1d5f3d152fb3e73d1b5a49126d812a488e572ebd3dee1379bc455f971ef640ded845abf8b57ea8b9

C:\Windows\System32\msiexec.exe

MD5 bc7800a29e4023786445f2bc5744b0cb
SHA1 39d44a327f9116dad9537d19676f515c369a5a2f
SHA256 c59b9056a2693ecc44bc5365c6b122377d0439adfffc0afc11f8669275ce340e
SHA512 b936c67fbb93eed1bbe78121858128bb9c36ba385d90eaac1d5f3d152fb3e73d1b5a49126d812a488e572ebd3dee1379bc455f971ef640ded845abf8b57ea8b9

C:\Windows\system32\msiexec.exe

MD5 bc7800a29e4023786445f2bc5744b0cb
SHA1 39d44a327f9116dad9537d19676f515c369a5a2f
SHA256 c59b9056a2693ecc44bc5365c6b122377d0439adfffc0afc11f8669275ce340e
SHA512 b936c67fbb93eed1bbe78121858128bb9c36ba385d90eaac1d5f3d152fb3e73d1b5a49126d812a488e572ebd3dee1379bc455f971ef640ded845abf8b57ea8b9

memory/2944-359-0x0000000100000000-0x0000000100209000-memory.dmp

memory/2848-360-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

\Windows\System32\msiexec.exe

MD5 bc7800a29e4023786445f2bc5744b0cb
SHA1 39d44a327f9116dad9537d19676f515c369a5a2f
SHA256 c59b9056a2693ecc44bc5365c6b122377d0439adfffc0afc11f8669275ce340e
SHA512 b936c67fbb93eed1bbe78121858128bb9c36ba385d90eaac1d5f3d152fb3e73d1b5a49126d812a488e572ebd3dee1379bc455f971ef640ded845abf8b57ea8b9

memory/2848-381-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2976-382-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2944-383-0x0000000000500000-0x0000000000709000-memory.dmp

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 78df2ed327426f7603293aacbb598446
SHA1 8f8ad9618717c8ad35b8f2e59fad38e5d9182503
SHA256 cbc0a96c07a3bdfd34147870837cb183b9c002977c3a9d38ff1a288172fb2c1f
SHA512 5f1ce686d025f5643aaa803aee5ef6f8616a27ab9f5d6960bb96356b132ec8fe2ca42c4aaa570fb0107e782e40da48d4b0956dc0b92b1c116f3819cbc2dee1d9

memory/1936-387-0x0000000140000000-0x0000000140209000-memory.dmp

memory/2220-389-0x000000002E000000-0x000000002E20C000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 e4685a83d0f368f2311d8b53d0d43ed1
SHA1 e1ca7e2b1b63fd0f4072331357b7f4586935e902
SHA256 455449b627a92aa4d53e2990740628ea25ac9d5d8bb4031bdb0dcac780f0a870
SHA512 ce2e7240791a44cf6ab2409b27ad4281d6c534a240860a25ccdb52c85c2239adf27e7ab6163183f269ed3a49a3621eff615bdc9379eccd94be1000cf6de7eae4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

C:\Windows\SysWOW64\perfhost.exe

MD5 d43ebd60ad936a47f764f22c331340c2
SHA1 492ed9c2f91f28055a60c9098e01be3d33770e03
SHA256 2cd91502d59c85332500f144b8a148c4fcf3aec6e0fe1535b856d7ea4bda1894
SHA512 6787761c6cd1c877b68147a37596032e3d7aee4c1d508f742167729b9259fa10301823c18d96fb05c68e0b33540f527477164b9494ed89ef7d6e5504f4620c7d

memory/2148-415-0x0000000100000000-0x0000000100542000-memory.dmp

memory/2100-416-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2064-417-0x0000000001000000-0x00000000011ED000-memory.dmp

\Windows\System32\Locator.exe

MD5 39b3da093bdc264cea6c2b8391fa3191
SHA1 b74b25b4e92fcdcb9011999840718f569a5865fa
SHA256 6d77c85a8e5d341fafe420372ca652dfd761421e4cca1669dc132b3c78629bfd
SHA512 df5ccbb5cf12d477bd723dc168d37bebc98a1e87cbbfe55472dfcb25a033ab5e5ced2eca40e575d5676ea9466cb18aba331c184a7d83b057f64a891bac461044

C:\Windows\System32\Locator.exe

MD5 39b3da093bdc264cea6c2b8391fa3191
SHA1 b74b25b4e92fcdcb9011999840718f569a5865fa
SHA256 6d77c85a8e5d341fafe420372ca652dfd761421e4cca1669dc132b3c78629bfd
SHA512 df5ccbb5cf12d477bd723dc168d37bebc98a1e87cbbfe55472dfcb25a033ab5e5ced2eca40e575d5676ea9466cb18aba331c184a7d83b057f64a891bac461044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

memory/2100-438-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2380-440-0x000000002E000000-0x000000002FE1E000-memory.dmp

memory/2408-441-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/2520-442-0x0000000000400000-0x00000000005FF000-memory.dmp

\Windows\System32\snmptrap.exe

MD5 3a3d2c34488c6ac8fc9a857772189d4d
SHA1 53d3b00c83e88178288bea0970345e35cffb5d13
SHA256 cf12765ccdc39aeeba8df4302a073f35f890aa21aae55f4f45c5fb491e842316
SHA512 15fc715c08671621bd3397fcbf5121b53fe5323bc3046684827032f30dbb889f1ffac684b6a889083e0fd9588fbee5887f9c9c59edb3b256c3709c371bf58b83

memory/2532-446-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 3a3d2c34488c6ac8fc9a857772189d4d
SHA1 53d3b00c83e88178288bea0970345e35cffb5d13
SHA256 cf12765ccdc39aeeba8df4302a073f35f890aa21aae55f4f45c5fb491e842316
SHA512 15fc715c08671621bd3397fcbf5121b53fe5323bc3046684827032f30dbb889f1ffac684b6a889083e0fd9588fbee5887f9c9c59edb3b256c3709c371bf58b83

memory/2600-448-0x0000000100000000-0x00000001001ED000-memory.dmp

\Windows\System32\vds.exe

MD5 cb5d5b4f82d8e135c6e4e5d4a3232279
SHA1 4f2dac45f221bec9a75c694d8f60a8d780a8bd13
SHA256 697aae10c91290a8db88d9ffc2209d64252af63bd7d4f5a306a7630cd8f3aa78
SHA512 280f993a50c244d6984c694b10b855d20cf3858a412793f7649b37878bb0d18cb64ccc3e420bd4a76b056f38301c0bbd46c70461e20c64b88787778686f9e931

C:\Windows\System32\vds.exe

MD5 cb5d5b4f82d8e135c6e4e5d4a3232279
SHA1 4f2dac45f221bec9a75c694d8f60a8d780a8bd13
SHA256 697aae10c91290a8db88d9ffc2209d64252af63bd7d4f5a306a7630cd8f3aa78
SHA512 280f993a50c244d6984c694b10b855d20cf3858a412793f7649b37878bb0d18cb64ccc3e420bd4a76b056f38301c0bbd46c70461e20c64b88787778686f9e931

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

C:\Windows\System32\VSSVC.exe

MD5 d1ba43ad28205ee24d6d45f5b9ae0d41
SHA1 1659d62a235847ea87882d2e2bd5c5013f1a7de4
SHA256 4692e08846720d619dbcc10cc47bc0aa6738dae06bb09e3a10996dab53357fe4
SHA512 b31dd657816290da8beaa22b4beffd596502697c8709a49f26d403430a322ba05574693b18ed1dbbc63aebe68852183a1d28b7dca7e21f125539a8971c1b5114

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 b957044772075ece31a877d7f2d195aa
SHA1 cc3f9a1434a2ffd71180b51169780520b8c9235e
SHA256 2ac2156383143b84361af09ec18cf43b9b3d86ea5de3177d9f2ff370197c1757
SHA512 d785d2b8b867d2d52b4954852f592e7117efbefdff3a1b2a48017333b8c763b4e0311f8d350598d26db3c1796e015b21b24c89dc2dddd1de1ccac75bf187b273

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:10

Reported

2023-05-01 20:15

Platform

win10v2004-20230220-en

Max time kernel

171s

Max time network

182s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\6c876258c4600f4c.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 3628 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe
PID 1496 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1496 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1496 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1496 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1496 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.24719.4239.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

Network

Country Destination Domain Proto
US 20.42.65.90:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.247.210.254:80 tcp
NL 173.223.113.164:443 tcp
US 52.152.110.14:443 tcp
IE 52.109.77.0:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.247.210.254:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp

Files
