Malware Analysis Report

2025-01-03 07:39

Sample ID: 230501-yzw3cage57
Target: tmpfkfb5hd_.bin
SHA256: 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
Tags: blustealer, collection, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 66190693a0bc90c29db018f37585b54fe7a3d42bfb01dbfcdee7567f37e7f8c8
Threat Level: Known bad

The file tmpfkfb5hd_.bin was found to be: Known bad.

Malicious Activity Summary

Tags: blustealer, collection, stealer

BluStealer
Loads dropped DLL
Executes dropped EXE
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
outlook_win_path
Uses Volume Shadow Copy WMI provider
Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-01 20:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-01 20:13
Reported: 2023-05-01 20:17
Platform: win7-20230220-en
Max time kernel: 149s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"

Signatures

BluStealer (tags: stealer, blustealer)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×6)

Accesses Microsoft Outlook profiles (tag: collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\system32\IEEtwCollector.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\e6d03af56401d5da.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1336 set thread context of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 268 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23C39320-D66A-4EA1-AA27-7419FBE4DE04}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{23C39320-D66A-4EA1-AA27-7419FBE4DE04}.crmlog | C:\Windows\system32\dllhost.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\ehome\ehsched.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File created | C:\Windows\Microsoft.NET\ngennicupdatelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\ehome\ehRecvr.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\ehome\ehRecvr.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\ehome\ehRecvr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: 33 | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\eHome\EhTray.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe (×9)
PID 268 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×9)
PID 840 wrote to memory of 324 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (×4)
PID 840 wrote to memory of 1584 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (×4)
PID 840 wrote to memory of 1884 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (×4)

Uses Task Scheduler COM API (tag: persistence)

Uses Volume Shadow Copy WMI provider (tag: ransomware)

Uses Volume Shadow Copy service COM API (tag: ransomware)

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe | "C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"
C:\Windows\System32\alg.exe | C:\Windows\System32\alg.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\dllhost.exe | C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\ehome\ehRecvr.exe | C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe | C:\Windows\ehome\ehsched.exe
C:\Windows\eHome\EhTray.exe | "C:\Windows\eHome\EhTray.exe" /nav:-2
C:\Windows\ehome\ehRec.exe | C:\Windows\ehome\ehRec.exe -Embedding
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\system32\IEEtwCollector.exe | C:\Windows\system32\IEEtwCollector.exe /V
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 258 -NGENProcess 240 -Pipe 254 -Comment "NGen Worker Process"
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 25c -Pipe 1e8 -Comment "NGen Worker Process"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:13

Reported

2023-05-01 20:18

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\afdd1ac1ea807a0f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3212 set thread context of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 464 set thread context of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 3212 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe
PID 464 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 464 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"

C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe

"C:\Users\Admin\AppData\Local\Temp\tmpfkfb5hd_.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 52.152.108.96:443 tcp
US 8.8.8.8:53 254.49.247.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 20.42.65.90:443 tcp
US 8.8.8.8:53 254.162.241.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 126.139.241.8.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 126.49.247.8.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp

Files

memory/3212-133-0x00000000009B0000-0x0000000000B28000-memory.dmp

memory/3212-134-0x0000000005B20000-0x00000000060C4000-memory.dmp

memory/3212-135-0x0000000005570000-0x0000000005602000-memory.dmp

memory/3212-136-0x00000000054D0000-0x00000000054DA000-memory.dmp

memory/3212-137-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/3212-138-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/3212-139-0x0000000001340000-0x00000000013DC000-memory.dmp

memory/464-140-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-143-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-144-0x0000000000400000-0x0000000000654000-memory.dmp

memory/464-145-0x0000000003340000-0x00000000033A6000-memory.dmp

memory/464-150-0x0000000003340000-0x00000000033A6000-memory.dmp

memory/1208-157-0x0000000000560000-0x00000000005C0000-memory.dmp

C:\Windows\System32\alg.exe

MD5 69053900aacc664a29d165730a797ba9
SHA1 05cf0d021c327eaacfd9b84862aa2cbb04b2f2be
SHA256 eacd7af066206513a641839b1d65bb6b986de60c60640b618525f63633c44463
SHA512 a922a6175006304f204aa8bc65c86b2fbff3442feff390ff0d5cc7a4952095b94397642eb5acdacb75b8ce054bb59dc4ef6daad98da3e88dd799455450137cb1

memory/1208-163-0x0000000000560000-0x00000000005C0000-memory.dmp

memory/1208-166-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 ed8f66a46db65b347871e9e06c1047b3
SHA1 8420738d0257462dcb28cacfeee20953753efaf1
SHA256 3b8f7f5b4706d0abe5a14d57a4e6d7c2654359156b5ed912a3ec00ba869e6c0e
SHA512 765d115a3a6a4c69abe57c084bb69a57425344903f4b318f81d96a5cda1ef236222e19c0a84bd55951449a45d887da6fba0d65f4775ba39c25dbc4f4c6bca5b2

memory/2728-170-0x0000000000650000-0x00000000006B0000-memory.dmp

memory/2728-176-0x0000000000650000-0x00000000006B0000-memory.dmp

memory/2728-178-0x0000000140000000-0x0000000140200000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 7e83a75dfb4c1600ec49bac2f51df220
SHA1 b64becd6af46568ad78f6954aa1bd3cf14e3172f
SHA256 ca416efd03a5f276bdfdac2592a80d6eaaf15300b552ae6f603e156845330363
SHA512 b35197fe7fce8b177021ffa9a76cadc6ee82dc960f28b62100780cac8997a45ecc319999e22f39955df6ff3b55586a7d0dc7264bc64791d7ca1a93f04f2db33b

memory/3664-181-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3448-182-0x0000000000F00000-0x0000000000F66000-memory.dmp

memory/3664-183-0x0000000000E50000-0x0000000000EB0000-memory.dmp

memory/3664-189-0x0000000000E50000-0x0000000000EB0000-memory.dmp

memory/3664-192-0x0000000000E50000-0x0000000000EB0000-memory.dmp

memory/4952-196-0x0000000000400000-0x0000000000460000-memory.dmp

memory/3664-195-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 4241571bf1c533fe24a3b1a8092b7589
SHA1 794bc2012c9a112a2a08317cd5069421d041164b
SHA256 85b75316662149a5775081e97de467a445b11317fbea9935205d22216a34d541
SHA512 cc601f391ef76ced71e7dbe8129a40bff86b07fa229f71bda9c53f06f3a3953f471fbe6ca6e82d5b15e78862659714c410cbf90240bd368ad3d86440bb2e42da

memory/4952-203-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 be1fe249efbcd08cb69a3bb5ee16b75a
SHA1 9e546ee762bb6b0796d3e70418813f93310e80eb
SHA256 098aad87cb80124c8add7e985c38abde0f9d45d2eba1cfeb92780383be6ce9b3
SHA512 bca0497b29bfd68cf7b006cc040377633a78dc03f86672de7941129a1dba97028e3fa9ef431ae4f5e3a9b775b4e03f6efdec3456fdcc66a7aadd45b16af5ca67

memory/60-207-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/60-213-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/60-215-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4952-216-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 a7c3a39fcce45007f12ede313bb08498
SHA1 ec31e7d0a15bd50d4cc75ad79514e7bfac4589d7
SHA256 3619730026e9bd0a14d42d4571cc23848b6af5c8059c2be8295d05382b13867c
SHA512 f9ed9b5d84afeb6399c833040444fcbe54bfbac7ff6835eddb7c487e3fafb238e0efe0ccc253bd8f807bbc614c995808fbe71d75906f53880b98ae3b936c2fa0

memory/1268-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1268-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1268-227-0x0000000140000000-0x0000000140221000-memory.dmp

memory/464-228-0x0000000000400000-0x0000000000654000-memory.dmp

memory/60-229-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4952-230-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1268-233-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1268-235-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 4d25152dbf789ae9730498781d42b7ad
SHA1 63269cdecf36e4cbc89d2d3ee3a6993717c8a85a
SHA256 41ade0962888048aaabdcacb311f5edcf6636e3be294dbc7dfa89466c25c3352
SHA512 f9c0f23513d3aa9e5c906b1b433aeb931413c849b2bbf51675c56c43bdf1bda1301c7a55220feaa9854a821af5826c54ecbf933474a52f1d7fdd328e0defb3ef

memory/4468-237-0x0000000140000000-0x0000000140210000-memory.dmp

memory/4468-238-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/4468-243-0x0000000140000000-0x0000000140210000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 d0056b950d457cdf1fd9bc4e435783d6
SHA1 848f31e2110931771fd0e8e5a0334138993427ba
SHA256 50f5adc2c5e6c53ed68f0608bbfd09251d840df959029b24adfda8a017836d6e
SHA512 46f68092a865d6b86b1185443c860672ae0d9d9870984eb13696e82041943a10d540d63f61d4d706e2dbc33b3b1a7c0c7ca137f7817e68e69ed2b6a24afda126

memory/1320-256-0x0000000140000000-0x0000000140226000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 21b1f96ca6d19652b057be1a9206d944
SHA1 c61260572352db98ebedc5539b6e257be3f0983b
SHA256 55c2c55e96e0f18b30949754bc17f22bc567451004b2d22583cd6af9b55420c6
SHA512 075b96e6b99815dcd60340809dac41d37ad10cddc22f18a6f57c49ed872227489b94f89b98c86dd2f619880493a3d27e8f7446e4ea1c8bb300d1b1d27af81d3f

memory/4592-268-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 a05619e2ccc12bef4de250b40f98de78
SHA1 69b76ad1f31fb7cedb0aa0834a89b742f5d92538
SHA256 29243a80e9dfc2af9dba861882b3d3db8dfafbc2f6952ea63eabc61f3bc6ad28
SHA512 2d63c2158861130a6255a119d9d86f9e7527f2b24145b61579ee75a5047a01de8d65659736f7738147630ccedbf5e7e616519d324439868d7c820648aca03506

memory/4080-270-0x0000000000400000-0x00000000005EE000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 fe1b41f8d33223ddbcf15ca337a92ef3
SHA1 df9cd65e5f342ec8401c49988524692de23da3df
SHA256 55af2d16409a1cf4e463ff3cbf29e69f895b59a22cf56037bb72077b7c8f223e
SHA512 64b5734b0b4468f2b35570d0900eb02727fc60770c8169e10dceb728a7316965b66dc7d327825a602db440293123132ac2b6516a7c8b8900f1a3f724b979fa0e

C:\Windows\System32\SensorDataService.exe

MD5 c18c8422e90c489bfea114350242eb8a
SHA1 9ffe66e7edb21a30340e1a1df4b1ea0b510e14e5
SHA256 e01bb5aa4f3a864d94d59e5a1c36a8cd3b5387cc5628abb3980a181a5e39a3f6
SHA512 ac146a0d0bb033c05997463d130509a59c21fdc584b60ad07733af30f4fd7ff348cbc0714bd247b840ad692b03be7039c2490fcfe02a82ee3d228a6638314780

memory/4652-291-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/1644-293-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 caaf85852b27c75b6f3be67e4eb945ba
SHA1 71acc24be2dc1674f56418dbf73d9eab43bd1cc1
SHA256 ed2388449ee08fa1f3f581a62796cdaa482f89431bc38552e0363b72737b34a7
SHA512 b11bb7734c58f6c3087cf8e2826612c98ed71ffbf5d40804af402d6a1876dd9b01e8418fbd3562dec154b7452bb7a9cb20c3cc148d4a79cf0ac8941934a44a7f

memory/3236-312-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 ccfe54e3f9ddfd558c9cbcc4baef28e9
SHA1 624fbae96350a6507af1a1be3c1d23b4bb45a00b
SHA256 040c4ad409cb6927760805185667f39dbbcb745eb9898222304116a374cfad93
SHA512 ca0345406be591545283d984fd1e9cff43117b3284cb57c7a24627bb6169ca394b19b7cac1406bf7bd7889f9cbbcb4525d8b6b72af024d0c3a9e6acf594e8f7a

memory/3768-322-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4080-326-0x0000000000400000-0x00000000005EE000-memory.dmp

memory/1644-329-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 5ef8d1a03993450a76cb41a99635b412
SHA1 49754c86a827073711874143ed495dbe904fe20d
SHA256 6afbb5bcae2d5ea9895691126785cfbde74bdb98910d2b64951e0496557fdfc5
SHA512 3f30f220d645a8c43039278019f56f8b09f264c0bef5e970a361dda8fc07ea739ce154e12def36c1dcdebc7e0d7d6c8aa747b814fffd9d6005a5e537ee21f2ce

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 5ef8d1a03993450a76cb41a99635b412
SHA1 49754c86a827073711874143ed495dbe904fe20d
SHA256 6afbb5bcae2d5ea9895691126785cfbde74bdb98910d2b64951e0496557fdfc5
SHA512 3f30f220d645a8c43039278019f56f8b09f264c0bef5e970a361dda8fc07ea739ce154e12def36c1dcdebc7e0d7d6c8aa747b814fffd9d6005a5e537ee21f2ce

memory/4836-334-0x0000000140000000-0x0000000140259000-memory.dmp