Malware Analysis Report

2025-01-03 07:39

Sample ID: 230501-yzxzmsac8y
Target: tmplhf3940d.bin
SHA256: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c
Tags: blustealer, collection, stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 6f35bb0a7644cfda2468e984269f7febafcb672591a887a8029257dea0801a7c

Threat Level: Known bad

The file tmplhf3940d.bin was found to be: Known bad.

Malicious Activity Summary

Tags: blustealer, collection, stealer

BluStealer

Executes dropped EXE

Loads dropped DLL

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Script User-Agent

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

outlook_office_path

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 20:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 20:13

Reported

2023-05-01 20:18

Platform

win7-20230220-en

Max time kernel

153s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

Signatures

BluStealer

Tags: stealer, blustealer

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

Tags: collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\IEEtwCollector.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\9392201d7693df14.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1708 set thread context of 580 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 580 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6F2FFD4C-569C-4E68-8080-E8C2E9E07C45}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6F2FFD4C-569C-4E68-8080-E8C2E9E07C45}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A 4
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A 4
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A 1

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1708 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe 4
PID 1708 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe 9
PID 580 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 9
PID 1284 wrote to memory of 1940 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 1784 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 1388 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 1832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 1912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4
PID 1284 wrote to memory of 2268 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 4

Uses Task Scheduler COM API

Tags: persistence

Uses Volume Shadow Copy WMI provider

Tags: ransomware

Uses Volume Shadow Copy service COM API

Tags: ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1d4 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 24c -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 1e0 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 1e0 -NGENProcess 23c -Pipe 254 -Comment "NGen Worker Process"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 23c -NGENProcess 248 -Pipe 25c -Comment "NGen Worker Process"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 1d8 -NGENProcess 23c -Pipe 1e0 -Comment "NGen Worker Process"

Network


Files


memory/1512-169-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/2044-170-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\ehome\ehrecvr.exe

MD5 9d892e8066c10d4956009f54b005b91f
SHA1 8c972d115c848f25cf0aa9d5343143678c453585
SHA256 3e7ef203aea68ad6245c01e7d100a76bbce2a07ea3edc4233599cf60870b8e36
SHA512 657b990500fbb375e93d106293a583e7a539468c4f29edce55d26f32ec73ce0c1b6a0ead040965224f1c658c9fb4080b950c15c72852a1f0a019892c875d9a95

\Windows\ehome\ehrecvr.exe

MD5 9d892e8066c10d4956009f54b005b91f
SHA1 8c972d115c848f25cf0aa9d5343143678c453585
SHA256 3e7ef203aea68ad6245c01e7d100a76bbce2a07ea3edc4233599cf60870b8e36
SHA512 657b990500fbb375e93d106293a583e7a539468c4f29edce55d26f32ec73ce0c1b6a0ead040965224f1c658c9fb4080b950c15c72852a1f0a019892c875d9a95

memory/1756-173-0x0000000140000000-0x000000014013C000-memory.dmp

memory/1756-174-0x00000000008A0000-0x0000000000900000-memory.dmp

memory/1756-180-0x00000000008A0000-0x0000000000900000-memory.dmp

C:\Windows\ehome\ehsched.exe

MD5 6c39a8c20adf92f891da437a41237833
SHA1 06c8388cb4c642a5d1a2960770272ac5a734e6b9
SHA256 febc7dc43fdea9037ae209afb805c923da5c5251be3ddc95f5204695c5fde75b
SHA512 5bab0c30267db7812735c52c5a82886718802f882bf433739f337effcab18c6946778dcd9502758b684397b2eecec300fc5bf3ba80781598b4d86f0c92c804b2

\Windows\ehome\ehsched.exe

MD5 6c39a8c20adf92f891da437a41237833
SHA1 06c8388cb4c642a5d1a2960770272ac5a734e6b9
SHA256 febc7dc43fdea9037ae209afb805c923da5c5251be3ddc95f5204695c5fde75b
SHA512 5bab0c30267db7812735c52c5a82886718802f882bf433739f337effcab18c6946778dcd9502758b684397b2eecec300fc5bf3ba80781598b4d86f0c92c804b2

memory/1360-185-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/1360-191-0x0000000000170000-0x00000000001D0000-memory.dmp

memory/1360-194-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1756-198-0x0000000140000000-0x000000014013C000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 15e3fc4f4ea969fcfbf7356ac0a00160
SHA1 f260eb23651a95db43702e27baa1dd0cd745c113
SHA256 fc84491a2e42ad8626fc3b90cc80dd663814d088a711e0adbaa6dc3e84d9aeab
SHA512 5c662a68c6166458577c1a79ba9714ca14ab168b279cc5bb60e21f58ecf0de1600b2558a656a29ac9b0d294979faf1a1393d95c3936b280c2f538611ead20d3a

memory/1360-207-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1784-208-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 15e3fc4f4ea969fcfbf7356ac0a00160
SHA1 f260eb23651a95db43702e27baa1dd0cd745c113
SHA256 fc84491a2e42ad8626fc3b90cc80dd663814d088a711e0adbaa6dc3e84d9aeab
SHA512 5c662a68c6166458577c1a79ba9714ca14ab168b279cc5bb60e21f58ecf0de1600b2558a656a29ac9b0d294979faf1a1393d95c3936b280c2f538611ead20d3a

memory/1784-219-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1388-220-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1756-221-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/1388-227-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 15e3fc4f4ea969fcfbf7356ac0a00160
SHA1 f260eb23651a95db43702e27baa1dd0cd745c113
SHA256 fc84491a2e42ad8626fc3b90cc80dd663814d088a711e0adbaa6dc3e84d9aeab
SHA512 5c662a68c6166458577c1a79ba9714ca14ab168b279cc5bb60e21f58ecf0de1600b2558a656a29ac9b0d294979faf1a1393d95c3936b280c2f538611ead20d3a

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 723f1b196d33087012b93c3887b5edf7
SHA1 2a23b0fc21dbbbde9e4b129d34950176e02a0e60
SHA256 351e5c27edd9e547deb92d6a5beda31670e2ea333c7370a7308ad3d1aaf317dd
SHA512 67feffa8f7a7a33bfe8a3ce5de1640da5cf8681a89e5bd095bec1bb65c5314176d15d33d52ef2826e82b1df6290bd2f89b917e0101c3b6d960bd6dcabf6c2159

memory/468-242-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1832-243-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 15e3fc4f4ea969fcfbf7356ac0a00160
SHA1 f260eb23651a95db43702e27baa1dd0cd745c113
SHA256 fc84491a2e42ad8626fc3b90cc80dd663814d088a711e0adbaa6dc3e84d9aeab
SHA512 5c662a68c6166458577c1a79ba9714ca14ab168b279cc5bb60e21f58ecf0de1600b2558a656a29ac9b0d294979faf1a1393d95c3936b280c2f538611ead20d3a

memory/1832-254-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/1912-255-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\System32\ieetwcollector.exe

MD5 e01ce49c8751d5849f615dff1c33bd2c
SHA1 dd922d13f65beb3a4099fa2d2b53cbb9e8ebe4b8
SHA256 15bf5f9c4fb031a54d785d382eb8561d0198b257fc1b2523ed096df9eaa6abfd
SHA512 fdf605ed66fb2a97c9eb660ba8ad9b6a07e35f5185980b6a3e91b53e61f4fbe11e8767ef38a8d26b526b19c27a2db87db6c2d74ae30cc61d62ce412e9a3c8dd9

\Windows\System32\ieetwcollector.exe

MD5 e01ce49c8751d5849f615dff1c33bd2c
SHA1 dd922d13f65beb3a4099fa2d2b53cbb9e8ebe4b8
SHA256 15bf5f9c4fb031a54d785d382eb8561d0198b257fc1b2523ed096df9eaa6abfd
SHA512 fdf605ed66fb2a97c9eb660ba8ad9b6a07e35f5185980b6a3e91b53e61f4fbe11e8767ef38a8d26b526b19c27a2db87db6c2d74ae30cc61d62ce412e9a3c8dd9

memory/880-267-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1092-270-0x00000000008A0000-0x0000000000920000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 9d44de9e2eff09e6dec5741f6d9579c8
SHA1 1f40793f851805140d8e9bc7349fa379a5171bb2
SHA256 1f79090c7e3abf4f0cebc7860ffbedf688e660290b923e43a7cfae2238be84e4
SHA512 b403622624c19e803c8cb9b81635ac8177e5890b45151180b292f746d5cd7d2dc676d5ddcac3b2802ca1e8626a5e5801ca06b95674f6a9d6c36d5d84f9d8ec99

memory/764-277-0x000000002E000000-0x000000002FE1E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 86ed8a6b8cf00b87bf5ab815b35e814e
SHA1 d1757ad80c0cf331d9a061a5ff82e71ea617740c
SHA256 74d6a150bd93d4f8f41d77f475a9a1297d7b031c21d4913b769585af2f8899cb
SHA512 bb9ec9223ee03214d2d80a4a915f246cadead8a54d2ec6ada97e9c0a5f3a6e20215eea527e636b750a4822fdb2d94711503ca9c2156788f57024edb666aa73bd

memory/2176-290-0x0000000140000000-0x0000000140221000-memory.dmp

memory/1756-291-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/468-292-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 15e3fc4f4ea969fcfbf7356ac0a00160
SHA1 f260eb23651a95db43702e27baa1dd0cd745c113
SHA256 fc84491a2e42ad8626fc3b90cc80dd663814d088a711e0adbaa6dc3e84d9aeab
SHA512 5c662a68c6166458577c1a79ba9714ca14ab168b279cc5bb60e21f58ecf0de1600b2558a656a29ac9b0d294979faf1a1393d95c3936b280c2f538611ead20d3a

memory/1912-296-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2268-304-0x0000000000400000-0x00000000005FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:13

Reported

2023-05-01 20:25

Platform

win10v2004-20230221-en

Max time kernel

203s

Max time network

570s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\dfe4c22ac9ce9937.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3740 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 2212 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3740 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 3740 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe
PID 2212 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2212 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2212 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2212 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2212 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe

"C:\Users\Admin\AppData\Local\Temp\tmplhf3940d.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.49.247.8.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 126.49.247.8.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 122.184.231.173.in-addr.arpa udp
US 8.8.8.8:53 58.152.191.206.in-addr.arpa udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 25.106.251.63.in-addr.arpa udp
US 8.8.8.8:53 88.35.99.167.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 12.161.5.72.in-addr.arpa udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 251.182.224.103.in-addr.arpa udp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 223.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 41.249.124.192.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp

Files

memory/3740-133-0x00000000008C0000-0x0000000000A48000-memory.dmp

memory/3740-134-0x0000000005AD0000-0x0000000006074000-memory.dmp

memory/3740-135-0x0000000005400000-0x0000000005492000-memory.dmp

memory/3740-136-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/3740-137-0x00000000053F0000-0x00000000053FA000-memory.dmp

memory/3740-138-0x00000000053B0000-0x00000000053C0000-memory.dmp

memory/3740-139-0x00000000012A0000-0x000000000133C000-memory.dmp

memory/2212-140-0x0000000000400000-0x0000000000654000-memory.dmp

memory/2212-143-0x0000000000400000-0x0000000000654000-memory.dmp

memory/2212-144-0x00000000028D0000-0x0000000002936000-memory.dmp

memory/2212-149-0x00000000028D0000-0x0000000002936000-memory.dmp

memory/2212-155-0x0000000000400000-0x0000000000654000-memory.dmp

C:\Windows\System32\alg.exe

MD5 6f893b998c46300b3f741635eb0f93cb
SHA1 22fb13752811d811621b2fcc14aac3fa937088e3
SHA256 a94b43326c8e2cf4233bec58b81586ac30e014823db4d6aeb54bcb042b9b155d
SHA512 3781d657cba738a5abb799c98f3940ad8372089ad2970ac56fdd63bd9e3cabf2c1accfa8c2e267f500528d75b76629eb0766608a112c363510a56f65d8b77714

memory/1440-157-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/1440-163-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/1440-167-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 bdc754bc527d699d24ef81ac12027cff
SHA1 b87735c0203abc9e20c016a73aec07f1cdc9cd2a
SHA256 e1da2bec8eefc246df93a6cb8e2690ab659ad516a92ce9a3d4e27eadb47ee9bd
SHA512 1a23f59b6f07af2790c5f8281c5e2177f42ba447316570ccb3e6cab445c60d5deb17f32a8a66e2456a88ad6e7f7cc7d69a283e68bcb68a4fa0bc5a29cd5addca

memory/4092-170-0x0000000000670000-0x00000000006D0000-memory.dmp

memory/4092-176-0x0000000000670000-0x00000000006D0000-memory.dmp

memory/4092-179-0x0000000140000000-0x0000000140200000-memory.dmp

memory/2712-180-0x0000000000620000-0x0000000000686000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 0450350651cd6047ddcc90a8796a53ae
SHA1 64326d6c5ea13723fb897434cb350c5f5877b9b6
SHA256 8a0d44a7895255abb047f6f929eb742a45f5962b0055a7401a5d295362f0617e
SHA512 13945d934144b1a626bb60a32f90caec1c642c1ac55a84c03ca40482897ac1070a7d8da894e892074095e5ef2933ce74ca30c642ecba002ac15c02f09663dc19

memory/4468-182-0x00000000009C0000-0x0000000000A20000-memory.dmp

memory/4468-188-0x00000000009C0000-0x0000000000A20000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 e976e538b18118d0a4c9d76e5b70d658
SHA1 afc34e2c8fe27985d78ea0fab8b21be9cf48e0d7
SHA256 33b14736384bf460758ae15213398f8aa0fbd2b9dcb7a66118cc1c41cc4eb39c
SHA512 9de6118eae36d51be2c4a76cd509799f6b8f4a7e59b45fb7821e6f6b69b7084b71f33f1d549fe6db8d5269f0fcb82fb0d26e228bd923af942e5281455a148239

memory/4468-196-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2256-200-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2712-197-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/2256-193-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/4468-192-0x00000000009C0000-0x0000000000A20000-memory.dmp

memory/2256-203-0x00000000008E0000-0x0000000000940000-memory.dmp

memory/2212-207-0x0000000000400000-0x0000000000654000-memory.dmp

memory/2256-208-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 bfb67838184ba36335e7c53cc49e7e59
SHA1 520a820485b3077483fef7d86032040d9e577e46
SHA256 b6a0a621b444818908878044a119e71f4d6a6d2b2e816928bf7ea6a516d2c5fb
SHA512 65a822f7f80275fccffd5aad884af90a1f6cb8b5626296bc7efb1b2716dc78f3ca8ff9f3b89cf689912ed5c55c7ad07ab09a6cfc1a25ba3d2254cebb54cb0ada

memory/2328-210-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2328-211-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2328-217-0x0000000000190000-0x00000000001F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 42e3435770957bfa67b4b291ce09b8bd
SHA1 a3136fd2818f2e98213c3863e6ca52533027cbbf
SHA256 6a292ef1ab75c669e7541788e8125524b52b1b2c370c18cfef27002983b4ecd8
SHA512 ccc5f7153b4d3b298790b02619418598d06355f7dcab932b839a3305638b043403250c3a5b93f48aa2b2594468eced9e3494169b3943738ac5bdbff91b4be9c8

memory/652-221-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/652-227-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/652-230-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/652-233-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 6fced6377f76c96bf2d5bafc81a67614
SHA1 4420ce905d899b06a2de57e2585b71ba1bcd9446
SHA256 10608a459dc48f6b01c835d001ffb6ba8d566fbf7bfb9dc642f92d91bdfe7035
SHA512 3ac687921bb84abec42c37a3983d6b13b4eb6182cad083c8c1b9078f5f9ab43ffa4d4dfc1e2657531f8dc54a3651a2cbea1349304fc7a1d857cec4099a7678b6

memory/1120-244-0x0000000000D30000-0x0000000000D90000-memory.dmp

memory/1120-252-0x0000000140000000-0x0000000140210000-memory.dmp

memory/2328-254-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 25a96874fae92ba565fe330499565679
SHA1 21337f85dcc5b201e6e0ba6c0183a621405102be
SHA256 13a08881b0255db630391d848dc717e482e989d4129d79e8ad2b588d6f923924
SHA512 1f4cd14752b082a375ee70b34c6fb4859cc5508cd33a230caa51bcc7bdf5d648996a47435fb23522499077980547f0c830fe43adfb83a0077c396734f56f940f

memory/1412-265-0x0000000140000000-0x0000000140226000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 c34a0c53a439ac48c966a6dc2b8c2512
SHA1 16c435783417b24bb4ce0a513ac916076748cf0c
SHA256 4534d6eeee6ded33792ef3ffbc7ff1c843d9c19dc6e6c9aa760d8f5f3d86a91b
SHA512 dd2baf86bf7ef1a7c7a2ca95dc2d48b1c991f5fbe887d9b0029b1e8ecc5529399155e8523c0fbb4d8fb3c06e9e2a2b561b8510eef99c96a8e59f808e79382d76

memory/4536-279-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 49a491fab941e820a347e2b107af42ad
SHA1 81277eb1782d1749eed230f1db92f34ab2351085
SHA256 e073ac098ca713691b83a0d38e802585a4c4d5e91e8315609e1351cd58d2f327
SHA512 3524062177bf10e93b684834e94fa00894b93c6a921472cc31f2ce6d6fa8f18aa53fd2b268ce9f55d40f7281ad06367a0c3ea03984eca3d9f4bc9c7c89f9a86b

memory/4952-290-0x0000000000400000-0x00000000005EE000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 1216417971c31b8ae93bed905700a9b7
SHA1 e411369a82d025411c6aa94286bf0513830ed0ec
SHA256 ea910825a88dbe57b9ae6eedf1d9d1cab91970c331d3a52e0b0d4b9e1e96c509
SHA512 019a1bad94bc2c93719b7db38d16b660cb0fe46cc44d05bdb75b711cbb0bd0e416f3a038b2894e98ca014dafbea074468fbca3a62bbe978635a5b01cf2fb1fcc

C:\Windows\System32\SensorDataService.exe

MD5 f9405ed6a7db647a71cbf0713fce7a72
SHA1 a3b5ad5dabbf520b9e4fd8ebc076df6ec1e686f4
SHA256 a3375fafda67beb68023f5f6e9db72700d7a9afc8887e46ea21b831b4566ca55
SHA512 157fa148513ffc559788029128a6736b7457d70eb4dcd4a44f1a37ad72d146fa135b484482f2c6881e829e9fd52bd91b08f00230c1a4b7f4a2e44d445ded0f7c

memory/888-306-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3192-309-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 c184b5bc314d66bb821a8e7b8962d001
SHA1 853c32c64e1118c639036bea4b349a529bc2c6bc
SHA256 6090ed48d86f85d3a16a63fd5e915d1db4671058cf3c317b4cf740b86a6a7c56
SHA512 fe6ba93335ed2e31176fa74a02905bd13f6382abd47c4a1f45bcc2cde74b2503887628efbc7b4fbfd065c7b9ae055601d26e79620633c1b48e442ad9f92897f4

C:\Windows\System32\Spectrum.exe

MD5 0fcc0ff7221848576399a54893ca11ee
SHA1 8b00e003c3c7ca68d005d9add966a581c0e9257e
SHA256 03c721c67930479ff1489530075a58b04f698901f221a64379466de5160e4cac
SHA512 46613e08fa245c3d5a0cad41c01f887278b97988deb9fbb60da59a21a69f435feb37d8e9872616523174a29436ec09d0b2b7f48621511a9ebb3f72ce51af9bfc

memory/4836-325-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1496-328-0x0000000140000000-0x0000000140169000-memory.dmp