Malware Analysis Report

2025-01-03 08:00

Sample ID 230501-yzyaeage58
Target tmprwm0tnp5.bin
SHA256 e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998
Tags
blustealer collection stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2c74cd730a858e1104119028b3d80e338900723485e5f8b6c02fd8eb459a998

Threat Level: Known bad

The file tmprwm0tnp5.bin was found to be: Known bad.

Malicious Activity Summary

blustealer collection stealer

Analyst reading of the behavioral1 evidence below (the report itself only lists signature names): the sample (PID 1972) starts a second copy of itself (PID 528), writes into it and replaces its thread context; that copy does the same to a legitimate .NET host, C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1784). WriteProcessMemory followed by SetThreadContext on the same child is the process-hollowing pattern, and it is AppLaunch.exe, not the sample, that then opens the Outlook profile keys, so the stealer payload runs inside a Microsoft-signed image. Separately, the original process enables SeTakeOwnershipPrivilege and opens service executables under System32, Microsoft.NET, ehome and Program Files for modification; those services (alg.exe, aspnet_state.exe, mscorsvw.exe, dllhost.exe, ehRecvr.exe, ehsched.exe, elevation_service.exe, msdtc.exe, msiexec.exe and others) are then seen running. Some of the signatures in this list are side effects of those services starting rather than actions of the sample: the HKEY_USERS writes come from ehRecvr.exe, the SeShutdownPrivilege adjustments and the ngen lock files from mscorsvw.exe.

BluStealer

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

outlook_win_path

outlook_office_path

Script User-Agent

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Checks processor information in registry

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 20:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 20:14

Reported

2023-05-01 20:17

Platform

win7-20230220-en

Max time kernel

132s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

Signatures

BluStealer

stealer blustealer

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A (5 events; the sandbox recorded no indicator, process or target for them)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\7427ed2ba5fe7035.bin C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1972 set thread context of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 528 set thread context of 1784 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6560D828-C14C-493C-81D7-F207BC394949}.crmlog C:\Windows\system32\dllhost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\ehome\ehRecvr.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\ehome\ehsched.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A
File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6560D828-C14C-493C-81D7-F207BC394949}.crmlog C:\Windows\system32\dllhost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\ehome\ehRecvr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\ehome\ehRecvr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe N/A (4 events)
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe N/A (4 events)
Token: 33 N/A C:\Windows\eHome\EhTray.exe N/A (raw privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox did not resolve the name)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\eHome\EhTray.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe (9 events)
PID 528 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (9 events)

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
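
The injection chain and the Outlook profile access recorded in the tables above, reconstructed by a short Python script. This is an added example written for this page, not the sandbox's own tooling; REPORT_ROWS is copied from the SetThreadContext, WriteProcessMemory and Outlook-profile rows (an excerpt: the report repeats each write row nine times, this keeps two and one). The parser assumes the row layout shown here and that the image paths in the write/context rows contain no spaces, which holds for these rows.

```python
"""Reconstruct the injection chain recorded in this report and attribute the
Outlook profile access to the process that was injected.

Added example for this page, not the sandbox's tooling. REPORT_ROWS is an
excerpt of the report's own rows; the row layout is assumed from the tables.
"""
import re
from collections import Counter

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

REPORT_ROWS = r"""
PID 1972 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 1972 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 528 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1972 set thread context of 528 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 528 set thread context of 1784 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
"""


def parse_rows(text):
    """Split report rows into memory writes (counted), thread-context changes
    and registry key opens; remember which image each PID ran."""
    writes, contexts, keys, images = Counter(), set(), [], {}
    for row in text.strip().splitlines():
        m = EVENT_RE.match(row.strip())
        if m:
            src, dst = int(m[1]), int(m[3])
            images[src], images[dst] = m[4], m[5]
            if m[2].startswith("wrote"):
                writes[(src, dst)] += 1
            else:
                contexts.add((src, dst))
        elif row.startswith("Key opened "):
            # Keys may contain spaces ("Windows Messaging Subsystem"); the
            # image and the trailing N/A are always the last two tokens.
            head, image, _target = row.rsplit(None, 2)
            keys.append((head[len("Key opened "):], image))
    return {"writes": writes, "contexts": contexts, "keys": keys, "images": images}


def injection_chain(parsed):
    """Order the hops in which a process both wrote to a target and replaced
    its thread context: WriteProcessMemory then SetThreadContext on the same
    child is the process-hollowing / RunPE pattern."""
    hops = {dst: src for (src, dst) in parsed["contexts"] if parsed["writes"][(src, dst)]}
    roots = [src for src in set(hops.values()) if src not in hops]  # never a target
    img, chain = parsed["images"], []
    for cur in roots:
        while True:
            nxt = [d for d, s in hops.items() if s == cur]
            if not nxt:
                break
            dst = nxt[0]
            chain.append({
                "source": cur, "target": dst,
                "writes": parsed["writes"][(cur, dst)],
                "target_image": img[dst],
                "self_injection": img[cur] == img[dst],
                # the payload ends up inside a Microsoft binary under C:\Windows
                "system_host": img[dst].lower().startswith("c:\\windows\\"),
            })
            cur = dst
    return chain


def attribute_registry_access(parsed, chain):
    """Tie key opens by an injected host back to the chain root. Key rows carry
    only an image path, so attribution is by image, not by PID."""
    parent = {h["target"]: h["source"] for h in chain}
    origin_of = {}
    for h in chain:
        root = h["target"]
        while root in parent:
            root = parent[root]
        origin_of[h["target_image"]] = parsed["images"][root]
    return [{
        "key": key, "image": image, "origin": origin_of[image],
        "outlook_profile": "\\Outlook\\" in key and "\\Profiles\\" in key,
    } for key, image in parsed["keys"] if image in origin_of]


if __name__ == "__main__":
    parsed = parse_rows(REPORT_ROWS)
    chain = injection_chain(parsed)
    for h in chain:
        print(f"{h['source']} -> {h['target']} ({h['writes']} writes, self="
              f"{h['self_injection']}, system_host={h['system_host']}) {h['target_image']}")
    for f in attribute_registry_access(parsed, chain):
        print(f"Outlook profile key opened by {f['image']}, injected from {f['origin']}")
```

On the report's rows this yields two hops, 1972 -> 528 (self-injection into a fresh copy of the sample) and 528 -> 1784 (into AppLaunch.exe), and attributes all three Outlook profile key opens to the injected AppLaunch.exe with tmprwm0tnp5.exe as origin. The same logic applies to EDR telemetry that exposes cross-process write and thread-context events.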

Processes

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

C:\Windows\system32\dllhost.exe

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehRecvr.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\ehome\ehsched.exe

C:\Windows\eHome\EhTray.exe

"C:\Windows\eHome\EhTray.exe" /nav:-2

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\IEEtwCollector.exe

C:\Windows\system32\IEEtwCollector.exe /V

C:\Windows\ehome\ehRec.exe

C:\Windows\ehome\ehRec.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 248 -Pipe 280 -Comment "NGen Worker Process"

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2d8 -NGENProcess 2e4 -Pipe 2f0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 304 -NGENProcess 2f4 -Pipe 300 -Comment "NGen Worker Process"

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

Network

Every domain below was resolved through 8.8.8.8 and then contacted over plain HTTP on port 80; the table is two passes over the same destinations, with repeated connections listed separately. Two caveats before these go into a blocklist (analyst assessment, not something the sandbox states): ssbzmoy.biz and zlenh.biz were queried but never connected to, and the ww25.uhxqin.biz and ww25.anpmnmxo.biz lookups, with one address (103.224.182.251) answering for both uhxqin.biz and anpmnmxo.biz and another (199.59.243.223) for both ww25 names, have the shape of a domain-parking redirect rather than a live C2. The domain names are the indicators worth keeping; those two addresses should not be blocked on their own.

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 206.191.152.58:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 63.251.106.25:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
NL 167.99.35.88:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 72.5.161.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
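
The Network table reduced to per-domain indicators, as an added example for this page (not the sandbox's tooling). ROWS is an excerpt of the table above; the full table repeats most rows in a second pass. The "unresolved", "shared_ip" and "parking_redirect" flags are heuristics chosen here, not verdicts from the report.

```python
"""Reduce the Network table of this report to per-domain indicators and flag
destinations that look like shared infrastructure.

Added example for this page, not the sandbox's tooling. ROWS is an excerpt of
the report's Network table; the flags are heuristics, not report content.
"""
from collections import defaultdict

ROWS = """
US 8.8.8.8:53 pywolwnvd.biz udp
US 173.231.184.122:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 uhxqin.biz udp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 ww25.uhxqin.biz udp
US 199.59.243.223:80 ww25.uhxqin.biz tcp
AU 103.224.182.251:80 uhxqin.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
AU 103.224.182.251:80 anpmnmxo.biz tcp
US 8.8.8.8:53 ww25.anpmnmxo.biz udp
US 199.59.243.223:80 ww25.anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 173.231.184.122:80 pywolwnvd.biz tcp
"""

RESOLVERS = {"8.8.8.8:53"}  # sandbox DNS; a lookup is not contact with the domain


def parse_network(text):
    """{domain: {"dns": lookups, "dest": {ip: connections}}}"""
    seen = defaultdict(lambda: {"dns": 0, "dest": defaultdict(int)})
    for line in text.strip().splitlines():
        _country, dest, domain, proto = line.split()
        if proto == "udp" and dest in RESOLVERS:
            seen[domain]["dns"] += 1
        else:
            seen[domain]["dest"][dest.rsplit(":", 1)[0]] += 1
    return seen


def unresolved_domains(seen):
    """Queried but never contacted: no answer, or the answer was not used. Still
    indicators (the sample generated the names), but nothing to pivot on by IP."""
    return sorted(d for d, v in seen.items() if v["dns"] and not v["dest"])


def shared_destinations(seen):
    """Addresses reached under more than one name: one C2 behind several domains,
    or a parking/sinkhole address that answers for anything."""
    by_ip = defaultdict(set)
    for d, v in seen.items():
        for ip in v["dest"]:
            by_ip[ip].add(d)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def parking_like(seen):
    """Domains whose contact was followed by a ww25.<domain> lookup, i.e. the
    first HTTP answer redirected to a parking-style subdomain."""
    return sorted(d for d in seen if f"ww25.{d}" in seen)


def to_iocs(seen):
    """One entry per domain and IP, each with the flags a blocklist reviewer
    needs to decide how much weight it carries."""
    shared = shared_destinations(seen)
    parked = set(parking_like(seen))
    unresolved = set(unresolved_domains(seen))
    out = {}
    for d, v in seen.items():
        flags = out.setdefault(("domain", d), set())
        if d in unresolved:
            flags.add("unresolved")
        if d in parked or d.startswith("ww25."):
            flags.add("parking_redirect")
        for ip in v["dest"]:
            ipflags = out.setdefault(("ip", ip), set())
            if ip in shared:
                ipflags.add("shared_ip")
            if d in parked or d.startswith("ww25."):
                ipflags.add("parking_redirect")
    return [{"type": t, "value": val, "flags": f} for (t, val), f in sorted(out.items())]


if __name__ == "__main__":
    for ioc in to_iocs(parse_network(ROWS)):
        print(f"{ioc['type']:6} {ioc['value']:22} {' '.join(sorted(ioc['flags'])) or '-'}")
```

Run against the excerpt, 173.231.184.122 (pywolwnvd.biz) and the other single-domain addresses come out unflagged, 82.112.184.197 is flagged as shared between lpuegx.biz and vjaxhpbji.biz, and the uhxqin.biz / anpmnmxo.biz pair with their ww25 redirects is flagged as parking-like, which is the triage a reviewer would otherwise do by eye across fifty rows.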

Files

Hashes below are those of the files as they stood after the run. The same file can be listed under both a '\Windows\...' and a 'C:\Windows\...' spelling, and the system binaries here (alg.exe, dllhost.exe, aspnet_state.exe, mscorsvw.exe, msdtc.exe, msiexec.exe, ieetwcollector.exe, ehrecvr.exe, ehsched.exe and the Chrome, Mozilla and Office service executables) are listed because the sample opened them for modification. 'File opened for modification' records a write handle, not a changed file: compare each hash with the same file from a clean win7-20230220-en image before treating it as an indicator, and treat a mismatch against the clean image as the thing to investigate.

memory/1972-54-0x0000000001250000-0x00000000013E6000-memory.dmp

memory/1972-55-0x0000000000FD0000-0x0000000001010000-memory.dmp

memory/1972-56-0x00000000004A0000-0x00000000004B2000-memory.dmp

memory/1972-57-0x0000000000FD0000-0x0000000001010000-memory.dmp

memory/1972-58-0x00000000007B0000-0x00000000007BC000-memory.dmp

memory/1972-59-0x0000000005E40000-0x0000000005F78000-memory.dmp

memory/1972-60-0x000000000A600000-0x000000000A7B0000-memory.dmp

memory/528-61-0x0000000000400000-0x0000000000654000-memory.dmp

memory/528-62-0x0000000000400000-0x0000000000654000-memory.dmp

memory/528-63-0x0000000000400000-0x0000000000654000-memory.dmp

memory/528-66-0x0000000000400000-0x0000000000654000-memory.dmp

memory/528-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/528-68-0x0000000000400000-0x0000000000654000-memory.dmp

memory/528-69-0x00000000000F0000-0x0000000000156000-memory.dmp

memory/528-74-0x00000000000F0000-0x0000000000156000-memory.dmp

memory/528-80-0x0000000000400000-0x0000000000654000-memory.dmp

\Windows\System32\alg.exe

MD5 3c5ea9cbbafb46c8ab5d1f105805b864
SHA1 537cfabef02af5b8036135360eb55d3f19a920c4
SHA256 8e1e2366eeab2d0d9afcd01fc5e059e7ec7668dd026468fde0f2449a0d9b001f
SHA512 6187d69e24bcbcc16e3aa6ea9fa0451ac5755b01fc010cdf396a7b1c7040e1be4debca038b93465f0d334547a570011dc83243991ce2fb89747d21753c8784e4

C:\Windows\System32\alg.exe

MD5 3c5ea9cbbafb46c8ab5d1f105805b864
SHA1 537cfabef02af5b8036135360eb55d3f19a920c4
SHA256 8e1e2366eeab2d0d9afcd01fc5e059e7ec7668dd026468fde0f2449a0d9b001f
SHA512 6187d69e24bcbcc16e3aa6ea9fa0451ac5755b01fc010cdf396a7b1c7040e1be4debca038b93465f0d334547a570011dc83243991ce2fb89747d21753c8784e4

memory/1632-83-0x00000000002C0000-0x0000000000320000-memory.dmp

memory/1632-84-0x0000000100000000-0x00000001001FB000-memory.dmp

memory/1784-86-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/1784-87-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1784-88-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/1784-90-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/1784-92-0x0000000000090000-0x00000000000F6000-memory.dmp

memory/1784-93-0x0000000004C90000-0x0000000004D4C000-memory.dmp

memory/1784-94-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/1632-95-0x0000000100000000-0x00000001001FB000-memory.dmp

\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 5722c93047e2515f664bcd815098618a
SHA1 28bd05b90309af3e777227d4bfc557deda481c60
SHA256 d417303964d795bd7ddaaff7558d8bc82771dd8869c3fa321f645f57586d4f46
SHA512 be0150609f536164b294e89707da1be164b7cd6043022916a31e7a66d442a5eab25ffe309df269fb7f4812edb9a64381373d3810bb750cf33ec7efb090654531

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

MD5 5722c93047e2515f664bcd815098618a
SHA1 28bd05b90309af3e777227d4bfc557deda481c60
SHA256 d417303964d795bd7ddaaff7558d8bc82771dd8869c3fa321f645f57586d4f46
SHA512 be0150609f536164b294e89707da1be164b7cd6043022916a31e7a66d442a5eab25ffe309df269fb7f4812edb9a64381373d3810bb750cf33ec7efb090654531

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

MD5 6a6da84cdef0a84e9145e5a24c427263
SHA1 9c2f3f74de598e833f683fff20df5f2c4dc4d3b6
SHA256 b51343bf5a86f8d0d1c6eed10d64636faa46835d49a93d436fb71e34ffd124e4
SHA512 f6e35737328840e9d54310e713547d5ed33117d32e8f5d20e28c42a82ade691dbfb5885ff805d36c3cf9647665060248fd0fe9aae99ddb79a2087a5149c2c214

\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 c51ec514aade5e2687db46d1c82b6ca0
SHA1 463e1bf42056ccfbf5099332d17e0f1c3c697164
SHA256 63588d7d8a5aedd13a0fafcd1d1a445a94201d15ce0c4b6e81a2030928eba48a
SHA512 252794cd72703fed08c519f0d7bdb480b17afb19303f461380c2a739cb0f53359f36a9334b49676330f2ad74dc78bd7fd4d18b21b2803a5b4f55863ca5276167

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

MD5 c51ec514aade5e2687db46d1c82b6ca0
SHA1 463e1bf42056ccfbf5099332d17e0f1c3c697164
SHA256 63588d7d8a5aedd13a0fafcd1d1a445a94201d15ce0c4b6e81a2030928eba48a
SHA512 252794cd72703fed08c519f0d7bdb480b17afb19303f461380c2a739cb0f53359f36a9334b49676330f2ad74dc78bd7fd4d18b21b2803a5b4f55863ca5276167

memory/1448-115-0x0000000140000000-0x00000001401F4000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

MD5 f99f97862293c358e16b8df91fca792b
SHA1 71891353608f83899a01777735d6b7540100f89a
SHA256 6a816098fe35666ac4fbdd16039757745243ee6cf4f3c5b5764cc29f2aa996e1
SHA512 df3db0adeac81a8f35e8d438e1f6c52a7557c46f9d91c3ef8d53222bc38b0ea985093e3fda7315e1e3bc1859e093f1947deec7735813916ee27153f1cee54202

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

MD5 761df8fff998b04da1a80a31acc3ce8f
SHA1 11691402134bf17b11fc57c867e5169fa41ed56a
SHA256 9e158d2fb39f21189e27d1e093b375a35fecd662cd367154caa2d3a7d93a38c7
SHA512 81d7e82168a0f6c165965c7feafdd2700ee96680f408ab3161e2e9b0c170af86ab78369ce4984e7cb9aacb9e7c16fdb562da0c23c21a7f1cbe2c254548624b73

memory/1404-118-0x0000000010000000-0x00000000101F6000-memory.dmp

memory/2016-119-0x0000000010000000-0x00000000101FE000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 a760fedbcec74e2f12c45cf776d0b65a
SHA1 bc64a93392da0e9ce2f28bb8928af8f107c9a130
SHA256 15ae760e2adea86b74aabbb8cb1308731af33a97855d0b3abc85086078e1cf84
SHA512 b16f626ddc995c624a4628cbaac177967da04102804281c1582499693f963bb5e8411e7399bc2d48459b5a6899e09f2b77bf3c329e0af9e91836911cffa0e83d

memory/1940-121-0x0000000000670000-0x00000000006D6000-memory.dmp

memory/1940-126-0x0000000000670000-0x00000000006D6000-memory.dmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

MD5 6c4a6f8e093277697401b55b9faed57d
SHA1 8a9d7b01ddf8b89bfbf97715dd7a4c4f730cae7e
SHA256 455726f56eea726a1a5645e1adb06ecda3d66476d8bc825e3e43883b8af6877e
SHA512 956c7d1ae527be8643c7c44d67ce2deb9d41621310944553bab64a4fc46db79d2d1fd650e8a4db861ffbbd0239b002bf3bb4dd4f2afebc62e3d4ce15baec5876

\Windows\System32\dllhost.exe

MD5 405f1749fda62e79802ae6d846e4be84
SHA1 6be7c80caeb77f17523b4e5a1f26f69363d1199f
SHA256 3287a5207e7c36f746ee52797b3491355b4db6cd1fd6a5baeff88892a978eed1
SHA512 eea83032e9416e7d9cafe0d977f79b08dc6071451e11a09c52064b622f54a2a6a7cff905ce7f6da133a25d4479a29c9bf9d19c2648fd2e8ec3d62eb631fec089

C:\Windows\System32\dllhost.exe

MD5 405f1749fda62e79802ae6d846e4be84
SHA1 6be7c80caeb77f17523b4e5a1f26f69363d1199f
SHA256 3287a5207e7c36f746ee52797b3491355b4db6cd1fd6a5baeff88892a978eed1
SHA512 eea83032e9416e7d9cafe0d977f79b08dc6071451e11a09c52064b622f54a2a6a7cff905ce7f6da133a25d4479a29c9bf9d19c2648fd2e8ec3d62eb631fec089

memory/1456-141-0x0000000140000000-0x0000000140205000-memory.dmp

memory/292-142-0x0000000100000000-0x00000001001EC000-memory.dmp

memory/1940-143-0x0000000000400000-0x00000000005FF000-memory.dmp

\Windows\ehome\ehrecvr.exe

MD5 8c18786efc4ca2b747c0d8891963985a
SHA1 6608162640c08567d127eacfd3464bef20491bd2
SHA256 1000a9731b6a028f7166d98b627d568cb0376db290e81d735aca0d0210f847a7
SHA512 873ffa9eb5ce6ebee90a95faef45e6bcc16678b863bc2b513ca905c20d1831f375684ada7f4a0b62e860383da1d795498e380ec7d51f1def491779140d6d1b53

C:\Windows\ehome\ehrecvr.exe

MD5 8c18786efc4ca2b747c0d8891963985a
SHA1 6608162640c08567d127eacfd3464bef20491bd2
SHA256 1000a9731b6a028f7166d98b627d568cb0376db290e81d735aca0d0210f847a7
SHA512 873ffa9eb5ce6ebee90a95faef45e6bcc16678b863bc2b513ca905c20d1831f375684ada7f4a0b62e860383da1d795498e380ec7d51f1def491779140d6d1b53

memory/1476-148-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/1476-154-0x0000000000890000-0x00000000008F0000-memory.dmp

\Windows\ehome\ehsched.exe

MD5 7259fa537e0b876010735862f3fe0928
SHA1 d124437e18dd4cd903a84da46a59d7a29ba43125
SHA256 841b6a99cdf730dce6a80fff6119e290710504371c756bdf51583476634847c2
SHA512 7131131c638230b7b1526ba60e46b1a7a6a002ee3c00e25e634ee891f1257f3319a76848cee4a7f49a32e9580b82139be6e501c896ec11fb30ffb2bbc968f1fc

C:\Windows\ehome\ehsched.exe

MD5 7259fa537e0b876010735862f3fe0928
SHA1 d124437e18dd4cd903a84da46a59d7a29ba43125
SHA256 841b6a99cdf730dce6a80fff6119e290710504371c756bdf51583476634847c2
SHA512 7131131c638230b7b1526ba60e46b1a7a6a002ee3c00e25e634ee891f1257f3319a76848cee4a7f49a32e9580b82139be6e501c896ec11fb30ffb2bbc968f1fc

memory/816-159-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1476-161-0x0000000140000000-0x000000014013C000-memory.dmp

memory/816-164-0x0000000140000000-0x0000000140209000-memory.dmp

memory/816-167-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1476-169-0x0000000001380000-0x0000000001390000-memory.dmp

memory/1476-170-0x0000000001390000-0x00000000013A0000-memory.dmp

memory/1476-174-0x0000000001430000-0x0000000001431000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 684b33850cd5e38eb21eef598d506fba
SHA1 d544ef8a80a139baddd146156d998cce7bc7b4d3
SHA256 ed1332d4a971c6245f564d864c7fd232f7a3e7a1521a8f23888a0aa8e554c90c
SHA512 1529f37b35ab11ab5bbc8e774c13ec9f56fc4c29138868d6862a7c8f999cb82673fe2ce08650047d1e37c96cc804e0377a600b2814325734799b6a7ae32a7bbc

memory/2016-177-0x00000000008C0000-0x0000000000920000-memory.dmp

memory/2016-183-0x00000000008C0000-0x0000000000920000-memory.dmp

C:\Windows\System32\ieetwcollector.exe

MD5 5215c208980b9c6324de50d2c28bc09f
SHA1 6fee050f584444fa6de5992fda151f76ae7662bb
SHA256 008c6a3f7134be927d931f6e58684809d7fa89622e58f26f76436e307361925f
SHA512 10cb3748bd0ff617e56aa99c1a301c8cf5b203770748ae553271b62d2476ac310adf0b35cd229a6b16276309d040dc10175a2ed114ec28ab6a0bd6ce2c0205b4

\Windows\System32\ieetwcollector.exe

MD5 5215c208980b9c6324de50d2c28bc09f
SHA1 6fee050f584444fa6de5992fda151f76ae7662bb
SHA256 008c6a3f7134be927d931f6e58684809d7fa89622e58f26f76436e307361925f
SHA512 10cb3748bd0ff617e56aa99c1a301c8cf5b203770748ae553271b62d2476ac310adf0b35cd229a6b16276309d040dc10175a2ed114ec28ab6a0bd6ce2c0205b4

memory/1712-188-0x00000000008A0000-0x0000000000900000-memory.dmp

memory/2016-190-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1712-193-0x0000000140000000-0x0000000140205000-memory.dmp

memory/1712-196-0x00000000008A0000-0x0000000000900000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

MD5 dc522afa5edd11984e087697cf6696e3
SHA1 5a87c86354f6d1987c4d974af75128bcf8b2db6a
SHA256 2918781697bf0b25c31af8effcba8a03fe425fefc95fc0ec380d001a57c94ce8
SHA512 34e4a9838412156a2c490b741a5a5d1d55f62361fb682a19a9ccf6a180de88e31ab4f27d2c5a9475eed46bc36bbdcbf142f61ee47df432b86627210bc17215ad

memory/920-216-0x00000000001C0000-0x0000000000240000-memory.dmp

memory/1688-217-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 da2bc1cb15fd88342158c66902145663
SHA1 29b939ea2439f8670bbaad504b027f1c8dd5f661
SHA256 974140c2017f9820fc0cf5922fb6c6790c79af56f96ada337d15903ac811207e
SHA512 753c8948ad964a6f63998cee8fd9519f44b9175a2e04d4813787d0c4947905047c7b467581bd7f5e7086a4c7a9145b65ff4c8da5168fafc75a0bbf146b1c77a0

memory/520-221-0x000000002E000000-0x000000002FE1E000-memory.dmp

\Windows\System32\msdtc.exe

MD5 4336c9287d9365c7ac7585ebc2b56b4d
SHA1 b3028a24617330b44b5264e4eec3cffae2e17ea1
SHA256 0ea93c2e3285bd0698a2d732dac536c5dfdc3c02613b0e38a51a57b4abb76f97
SHA512 3939eac5a64a5fa30a0ae713e52bd2ade5bc45ccd9eb10c385a93c8d18abe915a1a58524d408688d68d853d2e82f7b9aaca0abbad74e37abfaeb1810fe3948ad

memory/788-235-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 4336c9287d9365c7ac7585ebc2b56b4d
SHA1 b3028a24617330b44b5264e4eec3cffae2e17ea1
SHA256 0ea93c2e3285bd0698a2d732dac536c5dfdc3c02613b0e38a51a57b4abb76f97
SHA512 3939eac5a64a5fa30a0ae713e52bd2ade5bc45ccd9eb10c385a93c8d18abe915a1a58524d408688d68d853d2e82f7b9aaca0abbad74e37abfaeb1810fe3948ad

memory/1476-243-0x0000000140000000-0x000000014013C000-memory.dmp

memory/816-244-0x0000000140000000-0x0000000140209000-memory.dmp

memory/2092-245-0x0000000140000000-0x000000014020D000-memory.dmp

C:\Windows\system32\msiexec.exe

MD5 a5f12ffdf3e033586738f4a0956d25f6
SHA1 0ef24e99554137fde4ba90ea84af20af043e8ce5
SHA256 f00bc8897f85124590f62667e04110e006f4d492b039c4a46f73c1e381670658
SHA512 172202852792f358e4ee92538cf9050c4684fce3f34247ab20907d7fc607edf0aa79f73c62868b63fc4a4c4cf3c2c061c87e54ff1dc8acf8b5018ed2873da841

C:\Windows\System32\msiexec.exe

MD5 a5f12ffdf3e033586738f4a0956d25f6
SHA1 0ef24e99554137fde4ba90ea84af20af043e8ce5
SHA256 f00bc8897f85124590f62667e04110e006f4d492b039c4a46f73c1e381670658
SHA512 172202852792f358e4ee92538cf9050c4684fce3f34247ab20907d7fc607edf0aa79f73c62868b63fc4a4c4cf3c2c061c87e54ff1dc8acf8b5018ed2873da841

\Windows\System32\msiexec.exe

MD5 a5f12ffdf3e033586738f4a0956d25f6
SHA1 0ef24e99554137fde4ba90ea84af20af043e8ce5
SHA256 f00bc8897f85124590f62667e04110e006f4d492b039c4a46f73c1e381670658
SHA512 172202852792f358e4ee92538cf9050c4684fce3f34247ab20907d7fc607edf0aa79f73c62868b63fc4a4c4cf3c2c061c87e54ff1dc8acf8b5018ed2873da841

memory/2180-250-0x0000000100000000-0x0000000100209000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 a760fedbcec74e2f12c45cf776d0b65a
SHA1 bc64a93392da0e9ce2f28bb8928af8f107c9a130
SHA256 15ae760e2adea86b74aabbb8cb1308731af33a97855d0b3abc85086078e1cf84
SHA512 b16f626ddc995c624a4628cbaac177967da04102804281c1582499693f963bb5e8411e7399bc2d48459b5a6899e09f2b77bf3c329e0af9e91836911cffa0e83d

\Windows\System32\msiexec.exe

MD5 a5f12ffdf3e033586738f4a0956d25f6
SHA1 0ef24e99554137fde4ba90ea84af20af043e8ce5
SHA256 f00bc8897f85124590f62667e04110e006f4d492b039c4a46f73c1e381670658
SHA512 172202852792f358e4ee92538cf9050c4684fce3f34247ab20907d7fc607edf0aa79f73c62868b63fc4a4c4cf3c2c061c87e54ff1dc8acf8b5018ed2873da841

memory/1688-265-0x0000000000400000-0x00000000005FF000-memory.dmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

MD5 a760fedbcec74e2f12c45cf776d0b65a
SHA1 bc64a93392da0e9ce2f28bb8928af8f107c9a130
SHA256 15ae760e2adea86b74aabbb8cb1308731af33a97855d0b3abc85086078e1cf84
SHA512 b16f626ddc995c624a4628cbaac177967da04102804281c1582499693f963bb5e8411e7399bc2d48459b5a6899e09f2b77bf3c329e0af9e91836911cffa0e83d

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 f291657fce4834221c2d0ec58acc4050
SHA1 f1e6b05d71bf61b689d685964fb40ae3409774fe
SHA256 01830de2902c3d2a620343d08aa2d5a8903cecbf3c417fb6fdec5be724ea196a
SHA512 2ee0f646197b0ed87ee99068a1d64e6498d8a3857cf03a47c6846b532cb62a33266c9d1484676724667f2b86cc2356f69e666b28e40c1e432531d0f1f3350e8e

memory/2428-278-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2216-282-0x0000000000400000-0x00000000005FF000-memory.dmp

memory/2180-283-0x0000000000630000-0x0000000000839000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

MD5 9038c8e9b0dbe88347ddf1c809610ff6
SHA1 402b60b203d849e1bef87c8d7e687a4018af1e45
SHA256 f6b89d2dde9a71b14de9c84d69c2314f71d3e5d9a923e7313bf741b0f11a4742
SHA512 f5a100a69b18d5abd532b42a66056845c8a9a38290a2ad6cca32060af4cbe0fa6cf8bd6198d76dda96e088d6c3d4eb2e073fb6027730d68c58df44ff3c3f21d0

memory/2464-295-0x000000002E000000-0x000000002E20C000-memory.dmp

memory/920-296-0x00000000001C0000-0x0000000000240000-memory.dmp

memory/2548-297-0x0000000100000000-0x0000000100542000-memory.dmp

memory/1476-298-0x0000000001430000-0x0000000001431000-memory.dmp

memory/2016-299-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1712-300-0x0000000140000000-0x0000000140205000-memory.dmp

memory/520-301-0x000000002E000000-0x000000002FE1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 20:14

Reported

2023-05-01 20:18

Platform

win10v2004-20230220-en

Max time kernel

153s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

Signatures

BluStealer

stealer blustealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f6d516a250d0d086.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3956 set thread context of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 4900 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 3956 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe
PID 4900 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 536 wrote to memory of 4956 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 536 wrote to memory of 4956 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 536 wrote to memory of 4276 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 536 wrote to memory of 4276 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe

"C:\Users\Admin\AppData\Local\Temp\tmprwm0tnp5.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network


Files
