Malware Analysis Report

2025-01-03 07:39

Sample ID 230501-yzxnwaac8x
Target tmpj_mcuumo.bin
SHA256 bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61
Tags: blustealer collection stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

bc61c93084dbe9aebf93114d082667bd696610a81e8fb4bda751204f86d3ea61

Threat Level: Known bad

The file tmpj_mcuumo.bin was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer

BluStealer

Executes dropped EXE

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

outlook_office_path

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 20:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 20:13

Reported

2023-05-01 20:19

Platform

win7-20230220-en

Max time kernel

120s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 1952 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

Network

N/A

Files

memory/1952-54-0x0000000000160000-0x00000000002DC000-memory.dmp

memory/1952-55-0x0000000004E00000-0x0000000004E40000-memory.dmp

memory/1952-56-0x0000000000580000-0x0000000000592000-memory.dmp

memory/1952-57-0x0000000004E00000-0x0000000004E40000-memory.dmp

memory/1952-58-0x00000000005D0000-0x00000000005DC000-memory.dmp

memory/1952-59-0x0000000005AC0000-0x0000000005BF8000-memory.dmp

memory/1952-60-0x0000000007F90000-0x0000000008140000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:13

Reported

2023-05-01 20:17

Platform

win10v2004-20230220-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\291d1e85ea807a0f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4392 set thread context of 4808 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 4808 set thread context of 4956 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4392 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 4392 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 4392 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe
PID 4808 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1332 wrote to memory of 456 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 1332 wrote to memory of 2976 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe

"C:\Users\Admin\AppData\Local\Temp\tmpj_mcuumo.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network


Files
