Malware Analysis Report

2025-08-10 19:57

Sample ID: 250630-v2xvwatm18
Target: 8898bc75e849fb08b7573c43530a9a43-sample.zip
SHA256: bb06e763d7bbb1ea6b3718657167e468ff632c51c6aebcbcb4621f466a78a283
Tags: agenttesla discovery keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: bb06e763d7bbb1ea6b3718657167e468ff632c51c6aebcbcb4621f466a78a283

Threat Level: Known bad

The file 8898bc75e849fb08b7573c43530a9a43-sample.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery keylogger persistence spyware stealer trojan

AgentTesla

Agenttesla family

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: SetClipboardViewer

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-06-30 17:29

Signatures

Unsigned PE (no indicator, process or target recorded)

Analysis: behavioral3

Detonation Overview

Submitted: 2025-06-30 17:29
Reported: 2025-06-30 17:31
Platform: win11-20250610-en
Max time kernel: 101s
Max time network: 104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\concrt141.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\concrt141.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2025-06-30 17:29
Reported: 2025-06-30 17:32
Platform: win10v2004-20250610-en
Max time kernel: 123s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Signatures

AgentTesla (tags: keylogger trojan stealer spyware agenttesla)

Agenttesla family (tags: agenttesla)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\rundll32.exe\"" | C:\Windows\system32\rundll32.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (2 identical events)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2412 set thread context of 2912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A (2 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2412 wrote to memory of 2912 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (8 identical events)
PID 5000 wrote to memory of 5956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe (2 identical events)
PID 5956 wrote to memory of 4480 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe (2 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\cmd.exe

cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe

"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"
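The behavioral4 signature rows and process list above give a detection engineer three things to key on: a Run value that goes through cmd.exe /C start "" /D to launch a binary dropped under the user profile and named after a Windows system binary (rundll32.exe), a rundll32.exe command line that loads a DLL from %LOCALAPPDATA%\Temp by ordinal (#1), and SetThreadContext/WriteProcessMemory from rundll32.exe into a signed .NET Framework host (AddInProcess32.exe here; msbuild.exe and installutil.exe in behavioral5). The Python below is an added example and is not part of the sandbox report: it runs those three checks over constructed events modelled on the report's rows. The Event shape, the finding names, the short list of system binary names and the two benign contrast events are assumptions, not a real telemetry format.

```python
"""Detection checks for the persistence and injection pattern in behavioral4/5.

Added example, not part of the sandbox report. The Event shape and the
constructed SAMPLE_EVENTS are assumptions modelled on the report's rows.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# .NET Framework binaries the report shows rundll32.exe injecting into.
DOTNET_HOSTS = {"addinprocess32.exe", "msbuild.exe", "installutil.exe"}
# Windows binary names worth checking for masquerading (short list for the example).
SYSTEM_BINARY_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe"}

# Run value shape seen in the report: cmd.exe /C start "" /D "<dir>" "<exe>"
RUN_LAUNCHER = re.compile(
    r'^\s*cmd(?:\.exe)?\s+/c\s+start\s+""\s+/d\s+"[^"]+"\s+"(?P<exe>[^"]+)"',
    re.IGNORECASE)
# rundll32 command line: [path\]rundll32[.exe] <dll>,<export or #ordinal>
RUNDLL32_CMD = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)',
    re.IGNORECASE)


@dataclass
class Event:
    kind: str         # registry_set | process_create | set_thread_context | write_process_memory
    image: str        # process performing the action
    target: str = ""  # registry value path, command line, or target image
    value: str = ""   # registry data (registry_set only)


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _top_dir(path: str) -> str:
    # Second path component, lower-cased: 'users' for C:\Users\..., 'windows' for C:\Windows\...
    parts = PureWindowsPath(path).parts
    return parts[1].lower() if len(parts) > 1 and parts[0].endswith(":\\") else ""


def check_run_value(ev: Event) -> list[str]:
    """Flag Run-key persistence that launches a user-profile binary via cmd.exe /C start."""
    if ev.kind != "registry_set" or "\\currentversion\\run\\" not in ev.target.lower():
        return []
    findings = []
    m = RUN_LAUNCHER.match(ev.value)
    if m:
        findings.append("run_key_cmd_start_launcher")
        exe = m.group("exe")
    else:
        # Plain value: take the first quoted token (or everything up to the first quote).
        exe = ev.value.strip().strip('"').split('"')[0]
    if _top_dir(exe) == "users":
        findings.append("run_key_user_profile_binary")
    if _name(exe) in SYSTEM_BINARY_NAMES and _top_dir(exe) != "windows":
        findings.append("run_key_masquerading_system_name")
    return findings


def check_process_create(ev: Event) -> list[str]:
    """Flag rundll32.exe loading a DLL from the user's Temp directory or calling an export by ordinal."""
    if ev.kind != "process_create":
        return []
    m = RUNDLL32_CMD.match(ev.target)
    if not m:
        return []
    findings = []
    if "\\appdata\\local\\temp\\" in m.group("dll").lower():
        findings.append("rundll32_dll_from_temp")
    if m.group("export").startswith("#"):
        findings.append("rundll32_ordinal_export")
    return findings


def check_injection(ev: Event) -> list[str]:
    """Flag SetThreadContext/WriteProcessMemory from one image into a .NET Framework host."""
    if ev.kind not in ("set_thread_context", "write_process_memory"):
        return []
    if _name(ev.target) in DOTNET_HOSTS and _name(ev.image) != _name(ev.target):
        return [f"{ev.kind}_into_dotnet_host"]
    return []


def evaluate(events) -> list[str]:
    """Run every check over an event stream; return sorted, de-duplicated finding names."""
    found = set()
    for ev in events:
        for check in (check_run_value, check_process_create, check_injection):
            found.update(check(ev))
    return sorted(found)


DROP_DIR = r"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName"
SID_ROOT = r"\REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000"
RUNDLL32 = r"C:\Windows\system32\rundll32.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

# Constructed from the behavioral4 rows, plus two benign events (constructed) for contrast.
SAMPLE_EVENTS = [
    Event("process_create", RUNDLL32, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1"),
    Event("registry_set", RUNDLL32, SID_ROOT + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32",
          'cmd.exe /C start "" /D "' + DROP_DIR + '" "' + DROP_DIR + '\\rundll32.exe"'),
    Event("set_thread_context", RUNDLL32, ADDIN),
    Event("write_process_memory", RUNDLL32, ADDIN),
    Event("process_create", r"C:\Windows\explorer.exe", r"rundll32.exe shell32.dll,Control_RunDLL"),
    Event("registry_set", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The checks are deliberately independent of the dropped binary's hash: the drop directory, the launcher shape and the injection target are what a host-based rule can rely on, and the two benign events show that an ordinary rundll32.exe control-panel invocation and a vendor Run value produce nothing.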

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (5 connections)
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\dpnhupnp.dll

MD5 ba32bb24b7da23bd7ee7ae4b576338cd
SHA1 17731367250361c6b1aaf24f988b8dd1150b1e92
SHA256 7cf4535e85ec02365c54bf460992344fe1e319381e794e51a7ce0f9cb0438929
SHA512 4317c083c491e74ef7e1ad30d79164b3d6ba360f3b83a88d220b21385837049a33c3023c5f9d10c42980c45fecc747d271263242976435abab7612c26e486be4

memory/2912-4423-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe

MD5 ef3179d498793bf4234f708d3be28633
SHA1 dd399ae46303343f9f0da189aee11c67bd868222
SHA256 b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA512 02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

memory/2912-4426-0x0000000005A40000-0x0000000005FE4000-memory.dmp

memory/2912-4427-0x0000000005480000-0x0000000005490000-memory.dmp

memory/2912-4428-0x0000000005500000-0x0000000005566000-memory.dmp

memory/2912-4429-0x0000000006900000-0x0000000006950000-memory.dmp

memory/2912-4430-0x00000000069F0000-0x0000000006A82000-memory.dmp

memory/2912-4431-0x0000000006B80000-0x0000000006B8A000-memory.dmp

memory/2912-4432-0x0000000005480000-0x0000000005490000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2025-06-30 17:29
Reported: 2025-06-30 17:32
Platform: win11-20250610-en
Max time kernel: 125s
Max time network: 129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

Signatures

AgentTesla (tags: keylogger trojan stealer spyware agenttesla)

Agenttesla family (tags: agenttesla)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-903960561-1545645218-4290906778-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\rundll32.exe\"" | C:\Windows\system32\rundll32.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (2 identical events)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2872 set thread context of 4972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A (2 identical events)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2872 wrote to memory of 2304 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (4 identical events)
PID 2872 wrote to memory of 5800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (4 identical events)
PID 2872 wrote to memory of 4972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (8 identical events)
PID 2032 wrote to memory of 1868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe (2 identical events)
PID 1868 wrote to memory of 5932 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe (2 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msedge_elf.dll,#1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Windows\system32\cmd.exe

cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe

"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp

Files

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\dpnhupnp.dll

MD5 e750ca03b67b1b50dace1875cff645d6
SHA1 bfcb9780a6357e53c414d96d56291c4eba67cd88
SHA256 5cf4a8d9233ae1033788efe8f1296ffe64a314e1c38ccca33fbcbad8f3db4a7f
SHA512 e735db461bb583ef07f4a5c69c6b38cb4a6d5782cda587ba55ad3ccd49a048e29cf3dac53824db4c48ae95760b5fe8e841f5fb6430e5f6261d6a9ccf4bc6c318

memory/4972-4460-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe

MD5 10f08638e7c04d15ba4b4a740087a826
SHA1 07888e33210b015c0a206c60826fd40d5c3b5508
SHA256 60517f898bfac156cd298fd0a45f2e06cecee232a54667213458b99dc8d80de7
SHA512 5c53d3ea3b622f2e1746411642966794e733be1859df085894c075d5bf77215aca6b707913b1d6dd6af76aa81860fa163cd847af215fb805e16ffaf2fc91836a

memory/4972-4463-0x0000000005A50000-0x0000000005FF6000-memory.dmp

memory/4972-4464-0x0000000005490000-0x00000000054A0000-memory.dmp

memory/4972-4465-0x0000000005310000-0x0000000005376000-memory.dmp

memory/4972-4466-0x0000000006600000-0x0000000006650000-memory.dmp

memory/4972-4467-0x00000000066F0000-0x0000000006782000-memory.dmp

memory/4972-4468-0x0000000006890000-0x000000000689A000-memory.dmp

memory/4972-4469-0x0000000005490000-0x00000000054A0000-memory.dmp
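The same two files are dropped to the same path in behavioral4 and behavioral5, but each run records different MD5/SHA256 values for both dpnhupnp.dll and the dropped rundll32.exe, so hashes of the dropped copies are not usable as blocking indicators; the drop directory, the dropped file names, the Run value name and the api.ipify.org lookup are what hold across runs. Of the hosts in the behavioral4 Network table only api.ipify.org reappears in behavioral5; tse1.mm.bing.net and c.pki.goog are Microsoft and Google service hosts to which the report attributes no process, so treat them as background traffic unless other evidence ties them to the sample. The script below is an added example and is not part of the sandbox report: it parses excerpts of the two Files/Network sections and reports which indicators are stable between runs. The excerpt text is copied from the report (trimmed to MD5/SHA256 and one memory-dump line each); the parsing rules and the output keys are assumptions about this plain-text layout.

```python
"""Extract file and network IOCs from two detonations and report which are stable.

Added example, not part of the sandbox report. The excerpts are copied from the
behavioral4/behavioral5 sections; the line patterns and result keys are assumptions.
"""
import re

DROP_DIR = r"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName"

BEHAVIORAL4 = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\dpnhupnp.dll
MD5 ba32bb24b7da23bd7ee7ae4b576338cd
SHA256 7cf4535e85ec02365c54bf460992344fe1e319381e794e51a7ce0f9cb0438929
memory/2912-4423-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe
MD5 ef3179d498793bf4234f708d3be28633
SHA256 b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
"""

BEHAVIORAL5 = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp

Files

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\dpnhupnp.dll
MD5 e750ca03b67b1b50dace1875cff645d6
SHA256 5cf4a8d9233ae1033788efe8f1296ffe64a314e1c38ccca33fbcbad8f3db4a7f
memory/4972-4460-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\rundll32.exe
MD5 10f08638e7c04d15ba4b4a740087a826
SHA256 60517f898bfac156cd298fd0a45f2e06cecee232a54667213458b99dc8d80de7
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_LINE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(\S+)\s+(tcp|udp)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")   # a Windows path starts a new file entry


def parse_run(text: str) -> dict:
    """Return {'files': {path: {alg: hex}}, 'domains': {domain: {'ip:port', ...}}} for one run."""
    files, domains, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):   # memory dumps carry no stable hash
            continue
        if PATH_LINE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_LINE.match(line)) and current:
            files[current][m.group(1)] = m.group(2).lower()
        elif m := NET_LINE.match(line):
            domains.setdefault(m.group(4), set()).add(f"{m.group(2)}:{m.group(3)}")
    return {"files": files, "domains": domains}


def compare_runs(a: dict, b: dict) -> dict:
    """Split indicators into those that hold in both runs and those seen in only one."""
    shared_paths = sorted(set(a["files"]) & set(b["files"]))
    drifted = [p for p in shared_paths
               if a["files"][p].get("SHA256") != b["files"][p].get("SHA256")]
    return {
        "shared_paths": shared_paths,
        "hash_drift": drifted,                       # same path, different content per run
        "stable_hashes": [p for p in shared_paths if p not in drifted],
        "shared_domains": sorted(set(a["domains"]) & set(b["domains"])),
        "single_run_domains": sorted(set(a["domains"]) ^ set(b["domains"])),
    }


if __name__ == "__main__":
    result = compare_runs(parse_run(BEHAVIORAL4), parse_run(BEHAVIORAL5))
    for key, value in result.items():
        print(key, value)
```

On the two excerpts every shared path lands in hash_drift and stable_hashes is empty, which is the practical point: block on the drop directory and the Run value, not on the hashes of the dropped copies.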

Analysis: behavioral1

Detonation Overview

Submitted: 2025-06-30 17:29
Reported: 2025-06-30 17:31
Platform: win10v2004-20250610-en
Max time kernel: 111s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe"

Signatures

AgentTesla (tags: keylogger trojan stealer spyware agenttesla)

Agenttesla family (tags: agenttesla)

Reads user/profile data of web browsers (tags: spyware stealer)

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bpl New Po-2000023038 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\Bpl New Po-2000023038.exe\"" | C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-815616237-4012932787-4224613991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bpl New Po-2000023038 = "cmd.exe /C start \"\" /D \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\" \"C:\\Users\\Admin\\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\\Bpl New Po-2000023038.exe\"" | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (3 identical events)

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\91e4400431d09c2d.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86531\javaws.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\nmhproxy.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_HL-DT-ST_DVD+-RW\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e93f319be4e9db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066b5279be4e9db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053cebe9ae4e9db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031f5c59ae4e9db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076f0229be4e9db01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\alg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6116 wrote to memory of 4884 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 6116 wrote to memory of 4964 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 4640 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4640 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 3604 wrote to memory of 5620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 5620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5620 wrote to memory of 5832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe
PID 5620 wrote to memory of 5832 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5832 wrote to memory of 4928 N/A C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe

"C:\Users\Admin\AppData\Local\Temp\Bpl New Po-2000023038.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\system32\cmd.exe

cmd.exe /C start "" /D "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName" "C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe

"C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 50.16.27.236:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 44.244.22.128:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 3.229.117.57:80 npukfztj.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 3.229.117.57:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.233.219.78:80 przvgke.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 172.233.219.123:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 zlenh.biz udp
US 50.16.27.236:80 knjghuig.biz tcp
US 8.8.8.8:53 knjghuig.biz udp
US 50.16.27.236:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 192.64.119.165:80 anpmnmxo.biz tcp
US 8.8.8.8:53 anpmnmxo.biz udp
US 192.64.119.165:80 anpmnmxo.biz tcp
US 8.8.8.8:53 www.anpmnmxo.biz udp
DE 91.195.240.19:80 www.anpmnmxo.biz tcp
DE 91.195.240.19:80 www.anpmnmxo.biz tcp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 44.244.22.128:80 pywolwnvd.biz tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 104.26.12.205:443 api.ipify.org tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 54.146.6.253:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
US 3.238.30.69:80 ifsaia.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.229.117.57:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
US 50.16.27.236:80 vcddkls.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 172.233.219.49:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 3.250.92.156:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.229.166.50:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 104.156.155.94:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
US 3.238.30.69:80 qaynky.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 3.229.117.57:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 44.244.22.128:80 dwrqljrr.biz tcp

Files

memory/4640-0-0x0000000140000000-0x0000000140202000-memory.dmp

memory/4640-1-0x00000000008B0000-0x0000000000910000-memory.dmp

memory/4640-9-0x00000000008B0000-0x0000000000910000-memory.dmp

C:\Windows\System32\alg.exe

MD5 8c511fd0e1041606a5eac033736c83c2
SHA1 87b9a5fb17a98fd08b310fc1414386af90b7e3a9
SHA256 996603e75cd1c7cad97de4d3a963a6c261e1e6d69424b06a1f3283d2964fc734
SHA512 adebe92933ea01302771a8a5105e659f2e3b9bbb3af8d07fdbec54a213e938f5b40efdbaa4f74b21cd783c8c4bbb90d1684df48f108dcb05f827eef47c0f4342

memory/3408-13-0x0000000140000000-0x0000000140130000-memory.dmp

memory/3408-22-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/3408-14-0x00000000006F0000-0x0000000000750000-memory.dmp

memory/1060-27-0x00000000004C0000-0x0000000000520000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 e051d12b0a5c4cfb4f17aeeb72f393bb
SHA1 0a0befcb78fac5136c0f46eced6e9ca52e07d04e
SHA256 cce26acf90d32c83995c1941ecacdef7241cfcbbfc13e5353d015935cc10f10f
SHA512 2d1f1dbccb03669178f542665028549604a12c95d82cf74b734c31dbaadb431fa15d780aea6d125e6f07dd3e9e8f3fa223f1aafbe4a68e3b21cdf64ef07694b4

memory/1060-35-0x0000000140000000-0x000000014012F000-memory.dmp

memory/1060-36-0x00000000004C0000-0x0000000000520000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 f1373238b31735782737d8dc01d8a501
SHA1 46575b95886e417b5284e474fed687a88853949b
SHA256 f5c3858a703e7e37774c573fe4ab68ad9157b195c729961c13d968b696d5d5b1
SHA512 f1f38279fe3b51672ffbac1e349d7ff6b6fc92b344753d1c6603b3473eb887c096bdce0ca54e15f3f00a83cb0be31042a5e43caa7255f98f7468d978374053bd

memory/3452-39-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3452-40-0x0000000000E80000-0x0000000000EE0000-memory.dmp

memory/3452-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

memory/5092-56-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5092-50-0x0000000000760000-0x00000000007C0000-memory.dmp

memory/5092-58-0x0000000140000000-0x000000014025F000-memory.dmp

memory/3452-59-0x0000000000E80000-0x0000000000EE0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

MD5 d0cf8e434a4fba1591f79547aad70d95
SHA1 837b9db355ca73881b2bbb4aca10a7b29e21ef66
SHA256 8ed8a100ae949f4667d4c968641db39910e60ca2efd943b7e3a626669537dce6
SHA512 c0174e17bedbfaad8b4da55475f8af35af23840f047b587f746208ce5db65e460d6e3cc0df168cb607338b8f08dca86045e94fd4a00d2fff74895df1fae32072

memory/4736-70-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/4736-64-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/4592-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 cb5a11624155438bd37eb748818474b7
SHA1 7aa56ef786a39cebff87215282223acbb5a09154
SHA256 907bd8eb6340f502fcc64a9599a5da7ac082d00ef1514e73123c498f00570697
SHA512 7485fb8b8530a991a6c6eab406731eca0a0554bcc3de82163e2f66e603e75825c9db9458039f59adf88d3f9d06b6c2d34be02b7a818fc059df02e4d31df59223

memory/2452-94-0x00000000007D0000-0x0000000000830000-memory.dmp

memory/4868-105-0x0000000000510000-0x0000000000570000-memory.dmp

memory/4368-118-0x0000000000B40000-0x0000000000BA0000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 640bd0668bc9885646747b95f3dfa270
SHA1 dee807471fe5f3dd34e78a0c914ccc9db258ca8a
SHA256 a9cdadb984746297a74036bf751f7b215838976b241d86e68e716d1f00c3840e
SHA512 f5fee7c98d6b5daac903beb07108aaf4c46691ed9f1a9d4634ea621d70cc4531fb78907b7920c0280e5c22941945fe4996eeb88cfe54609e6fbd780f11d2cadc

memory/3140-130-0x0000000000520000-0x0000000000580000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 08d4e5118bba016a8d84dc3b1ff532ee
SHA1 1cd0198f651038ff933a695d4033f089af7c9b2b
SHA256 fed1eb1df0025f866a31c7b0a41fa7857fae7645eaec6c2a5e1583151b11740b
SHA512 f85648660296d033bf7942a5c2b1a214acf4048a705e5bb451e610ad1524ef9d2467c02532ec1c2a357d522657618236968ad40052a79130a96c5c1ca8859217

C:\Windows\System32\snmptrap.exe

MD5 95c475d49403e32ae01ebda6fd220e4b
SHA1 84b16845c2e4c6ffcf40bb39d624544d7e9dab11
SHA256 0fb084a9aa302f6d5cccef701dad773704ad30e2ec1314b8e1a1227ed095c30a
SHA512 8007f3c74192c9ccd089fab29b5255273225507d3cf11024cacb3d6f41b47d6a3a212d61947141fccba6bd164f219699e6ed3a5547ac629320f1ff93ebe1f09d

memory/5220-161-0x0000000000780000-0x00000000007E0000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 a9c4ffb1ef7cb801df10acdd3a36943d
SHA1 913a35bdc2ee80cf5f6124a674234ec3d0b971ab
SHA256 2b155ecb950c22bcc57c970dd0e62537af85c6102f2ab7f2dd37ad53739fdcaf
SHA512 b838b9bfe6b10ca96ee7a0c04f4143180754ef0a111b70ef30d0b74554dc11cda2b68d81d344e726dc600ca2c4a1c8ffe08909d2c800abdb89585f5eee89788b

memory/1844-182-0x0000000000500000-0x0000000000560000-memory.dmp

memory/5056-197-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/3572-205-0x0000000000580000-0x00000000005E0000-memory.dmp

memory/4000-225-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/1072-235-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/6116-246-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 bc332ac3b8ed440b2c58df1353f3be50
SHA1 62bd2227029057d4065f8e09901f508504e92508
SHA256 d309988875ed3f832893c7cee35934286e49aa91a573ab5673dab64a29173224
SHA512 f766423e64710b5b0f4484895bc2f3d47a49de8e93cecd3ee1c412709a1b5b490844d7f0c43c0be2b72b7e82d0eed601802729acda70a11a831f826a88029f47

memory/6116-272-0x0000000001DB0000-0x0000000001DC0000-memory.dmp

memory/6116-288-0x000000000A1F0000-0x000000000A1F8000-memory.dmp

memory/6116-256-0x0000000001B00000-0x0000000001B10000-memory.dmp

memory/1072-229-0x00000000006A0000-0x0000000000700000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 6b50eb5a6993e7e86a70420deefa3bd7
SHA1 779a755aa9120e1378a594e465f1dcc5a52214f4
SHA256 35b487ceba390d98a6f4a1a0fa7d0e80407484b88d9b06767639dbc0c18e5790
SHA512 b2145510b4d1deb3a64c98954da801c553091bc8f99fd2709ad66ef337602ce82ee1e04f9f9b9f8eb0fb8cc47d2a40b997facb023ac8cdd3e4b7398f1b5e2762

memory/4000-219-0x00000000006D0000-0x0000000000730000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 f0577b6d735f41a268ce42a82ac47f29
SHA1 302de92b219627e4363396e83a7f96ced53b0ba4
SHA256 42c04bbce965f69996bcb55b790b1be66bf688c408cc34ed9b149c97bb166570
SHA512 897ec8ec0051c43bfb064baea8454a409fe031cb5e1e17fb723a476d4caf331a8e981e648542fdc300e0b16f179bae939464bbb0e5a6155a97aa5c6acab477fb

memory/1356-215-0x00000000006F0000-0x0000000000750000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 1ad8546a67b825df4974e412983f3523
SHA1 60013e68e15cd559105bab98da60113219594ce2
SHA256 582724375d21f2b529a2f826dba23557f3c242ded234aee902687cde846cb162
SHA512 75fe15893b08967813a37cea618ecd318ac63e2b01a36a9b49f88ff8f7ab29dd130bd6b3625b712f2070d5de70bee8479244576c4609e21b5b7330af4cb671ff

memory/3572-199-0x0000000000580000-0x00000000005E0000-memory.dmp

memory/1996-340-0x0000000000400000-0x000000000051D000-memory.dmp

memory/3140-341-0x0000000140000000-0x000000014011B000-memory.dmp

memory/4368-338-0x0000000140000000-0x0000000140131000-memory.dmp

memory/3572-355-0x0000000140000000-0x0000000140147000-memory.dmp

memory/1844-354-0x0000000140000000-0x0000000140168000-memory.dmp

memory/1356-361-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3428-353-0x0000000140000000-0x0000000140188000-memory.dmp

memory/4640-374-0x0000000140000000-0x0000000140202000-memory.dmp

memory/2452-384-0x0000000140000000-0x000000014013F000-memory.dmp

memory/6116-373-0x0000000140000000-0x0000000140179000-memory.dmp

memory/1072-372-0x0000000140000000-0x000000014014C000-memory.dmp

memory/4000-371-0x0000000140000000-0x0000000140216000-memory.dmp

memory/5220-352-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4300-351-0x0000000140000000-0x000000014011C000-memory.dmp

memory/2624-349-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4868-336-0x0000000140000000-0x0000000140155000-memory.dmp

memory/4736-329-0x0000000140000000-0x0000000140266000-memory.dmp

C:\Windows\System32\vds.exe

MD5 ec6696ad2e49a311b1dd6169407a1387
SHA1 627c3e9bf226d0a75fa2b24e332d50e68b6af30a
SHA256 a0c294dc4847cfdabffdd4e955bfe120b3889e0ff265c1c23af83aa03be23452
SHA512 7d5c45c2f2d837760cdac4b38fca4ae3fa80ced126c3a7cb2b8e3e1b6661201e4840bf7035cbb55cc0a0c34e5cfc773017d0cccbc91958472584cbd577c9f66b

memory/5056-195-0x00000000007A0000-0x0000000000800000-memory.dmp

memory/5056-192-0x00000000007A0000-0x0000000000800000-memory.dmp

memory/5056-186-0x00000000007A0000-0x0000000000800000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 772518813250d7681f079c70314243aa
SHA1 abe19e135b6ad228aca623148d907b3300a06f6d
SHA256 d990dcd12056ff729d64f480cd0d2983c2dc515fcdadc7575669bd8467e06e1b
SHA512 86b5f726e2034907ca120e29795a8590b27dffd537a38985590857522b2402ba69d518e67cb25aea4b85184e0e9202700e087a41e9879d83cd4875642cfb2020

memory/1844-176-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 8d6a01b01921aa4f4a055a2f734746f5
SHA1 5acbe7323a405f83ffba346a7df707b96aa14e0e
SHA256 6b2567cb247c7fbadefacdbbfe729725dd5dc175ffb3e3aa7ba71ffb54bb55fc
SHA512 afc24e26198076209a3bd0e26015556177379a3de14cd24d3c6681f34dec2159050f67cd05b5aa45963925e78b7805c77a742f5e204c6b36424a399a795ce9e4

memory/3428-172-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/3428-166-0x00000000007F0000-0x0000000000850000-memory.dmp

memory/5220-155-0x0000000000780000-0x00000000007E0000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 23cd4d5e72f4e5c34b63d5ebceee2070
SHA1 1fd73023fc1b7200ca33cfe2f477ba03a7c8211f
SHA256 e6a8d3d02f9f68783bc3aa88ced3ca9ce194538aeb9561cb5a3fd246c499be15
SHA512 3badcee8145aa5209e0f1cc419e61924945ca3bc1b04e9597bb7265b0405cb41964bea80a747e104036ffcf3094830d9cba41c32c882f9aaeac4611eb3d2292c

memory/4300-151-0x0000000000620000-0x0000000000680000-memory.dmp

memory/4300-145-0x0000000000620000-0x0000000000680000-memory.dmp

memory/2624-140-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/2624-134-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/3140-124-0x0000000000520000-0x0000000000580000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 3e16a75567d99cccfa68bde1f875bff1
SHA1 737ce4ed791077129f8904793cceec03f2228f72
SHA256 ad0e8a0f4f8871f1901aac7bb18d3fcfec04b088d5119c6b886f6c8c94791318
SHA512 96194f6372bb3ad814994694eb1c898133870d0828343f706cc059f12df850e58593f78c2108a4e3be00b29fb65ada747dbd369aa76c3a0765bbca4119a8db61

memory/4368-112-0x0000000000B40000-0x0000000000BA0000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 18b8b5193ae3fb121521a1aeb126dd3a
SHA1 fa046719c871dceb1c778e57d75989d194d54108
SHA256 6729474bfc1ef92719acfa51b3a3c48bbe5ddf6746447f8a313425738c3c8eba
SHA512 b62cb24a2f1886a63811338d328d672d8f98cd65669c41a0a1f647b5d3fdd63ead98a93657388853e9df08171e31a2a95020223a9924ba4c11109f88214b56d6

memory/4868-99-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 0ba1cfce14321390a1e930507f2eff9c
SHA1 2dfb26fc07d639e0f61f7e58650c56faa53701e2
SHA256 bc5a07c33468a89975281440dc733c19bd8e7a9ce73dcfad896797303429a4fb
SHA512 41b4ef83066b43d20ec712f720ce7d5d60db01233efec9b40bba15c32d3347ddabbd6e3f67a8aa36ba15c07683c474d303b9e79cdf730e71addf789ab8a8181b

memory/2452-88-0x00000000007D0000-0x0000000000830000-memory.dmp

memory/4592-86-0x0000000140000000-0x000000014015B000-memory.dmp

memory/4592-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

memory/4592-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 172a53fa49434d63f7ca0c8c346c41dd
SHA1 7821c13c7cc91f90a4e92dfa2002e2e61b14e817
SHA256 0bec3b2388763a2cf04bb182fd85e48cbd5dcf26375311a486fe6ba5e22a9099
SHA512 cd4476c96b06e2f2a95f0ce3fe81f016640be36349d60bc74aa19ce8a279cdad279f334bd2a42e00685fd9b11c20057f7401ab0e143ba3b758c51890238eef23

memory/3452-61-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

MD5 0b8c374cd9afb293fa20d4e17485c097
SHA1 a8eb955c2e7ac8c6e5933739d303901d5ad6ed26
SHA256 321d073a251602e7fdec90b1f651473cd694ed5614c72c0c29b17b1c320e0b04
SHA512 d8e5d95a7463d752006769b9abd9861ced9fee9ec8b2cae6821be69049f4acdbb6bca66404d492e02b1b96b347bf93eddf1fc408476e1a6f0afec448dc77b78d

memory/3408-450-0x0000000140000000-0x0000000140130000-memory.dmp

memory/6116-451-0x000000000D1D0000-0x000000000D1D8000-memory.dmp

memory/1060-453-0x0000000140000000-0x000000014012F000-memory.dmp

memory/4964-454-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-455-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-456-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-457-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-459-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-458-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-460-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-461-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-464-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-465-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-463-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-468-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-467-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-466-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-462-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-469-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-470-0x000001E298720000-0x000001E298730000-memory.dmp

memory/4964-471-0x000001E298720000-0x000001E298730000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\BITB2C6.tmp

MD5 0fbb10ce5afb1ff94fedede78949462d
SHA1 54122d36621b253bea96de9126577ec4d546579a
SHA256 3d22756c17a551c5e3a840325b8944050638f6a420fe55167fc95d4915a8a72b
SHA512 d923b6f1c524a8f41cfe0c0122b6b4638b9cb5c0c1fa24fd0705c3ad3fadb7cff1fdd24e491a1442f922948f956c5a53f47336cac575579400a83dcc091064b2

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\aria-debug-4312.log

MD5 46c824b66fc796463c1b5c27b2d929c2
SHA1 83aca8c9c93ff13c5e5cbed21339a75e33610652
SHA256 612c1aa6b5eee780333d6fb9af32445faeb44657e235a6c7cd39aa4777db73bf
SHA512 18efd5e53d1debdef96f7675050211d92854958cd2dc60cc81574b4dec27877c2c29b0b70970710028a6b5f2eea47b989f2ab61c07916c022d582a46badaaabe

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\AdobeSFX.log

MD5 828e880b5cf9d88da90e491cface1522
SHA1 68e07662dc6305ab9241ad608f67a6952894f1b6
SHA256 5b0ecf924207854cba26a04fc6c8cd9512125d70ad451c2dd34baa39fc7f1782
SHA512 3254d781e941ac4fabe9c333fb66bf74484d6e58aaade4154bfde6d1e6f2bdfe62bf352ea407c75ae1af8348132acdfbdaa7788ef575b7dc08c28fd3f2e14a8f

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\19cb64e3-596c-4ad8-a280-22e5560f4070.tmp

MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\aria-debug-4064.log

MD5 60a8384bdbd853ec5bbe2abf8e4291a0
SHA1 b58f08064a8fd9884d3b11adee42c02c04ad25b6
SHA256 839c90f6afba97cf58532fcd0067942f45152c9c173bb267c1cfae69c3d007e9
SHA512 60955a00ef3409359d090530bcf89e72adc19a9ce66cd89ec395be08818f65e58097d6df2c3466875940fad02ac087492d5a99a332bb8098a5117db091a468b8

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\18e190413af045db88dfbd29609eb877.db.session64

MD5 b27bce4892c45d05009dd0e93ec48d06
SHA1 4314e62eef7c4235b76fdf74e4a774ccd8690d9b
SHA256 a2f4d06e13baec2de5801a2ad4f5020c606a76297e323362220a3749a72db52b
SHA512 2805ecb22783177b6f7835dc413fc720251d0835f146c4018b8896f76aa37b4fa92017df63a3d2943c6ef1c8f5ac612cee3d3b04c8194ef026a27ce631f0ba6e

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\18e190413af045db88dfbd29609eb877.db

MD5 c8af23f6595c55bd138d3bcd90aa79f6
SHA1 970c6084b07060bdb96db23eb78499b80d7d7c6e
SHA256 9a246983c857fe55f0aa3e21e75ae9b6cb19930a7b1dc4102be4fc91fb4be39e
SHA512 509b05f04d4776f57f30f794b837fd37b19ac6d5e99ed91c74ff46d1609ce26b9ee482011367248ccb3b347ec97b1c62c1a876230154b087fe08d5baeaf9c519

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_001_dotnet_hostfxr_8.0.15_win_x64.msi.log

MD5 f5ca1b0a44d18fa0709f227a2cc775e8
SHA1 85884b17359cc111726dced4a44c90222b7d6410
SHA256 9e947dba473405aa35ee0348fa11f72cab33d2a72bbe4e442c8dd6af9a72e197
SHA512 ca16dd9d8514019dadf60d6c3673aa0049ecbabc2ebcddc1de6e894bc46f8d5c66490aa467238b39ce6846f97af09f2428221dfda79b84caee6e3ca52a026487

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_000_dotnet_runtime_8.0.15_win_x64.msi.log

MD5 01f806188730021bc8aa71532293d6c9
SHA1 e2a2033c3ffb505dde99ce641a9668cff5f243fb
SHA256 3f32b2774ef7aed29231d52547449e6f2ff8f80969a7ea75d05c9a7c0e300ce4
SHA512 7da7361cb459093377430288124b436bebe7ad9f128b79b2bbbd6f00c2a9c6c47eb8e669961d828c2e242edc27bd66e0ad8a1798ce13d3098b36d53195636205

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229.log

MD5 4994d8898af2caa1dc72368175812943
SHA1 b654502bfa0f7f6d31424981e069c660347fc926
SHA256 070394372c3511800173ea2148a2fdb8621ce3a30a968cd3c57b811c77167d37
SHA512 df9a348605395216ac71b1b4c8cfd003eeb289a4a93b7c2bab41136596c49d5c442605e6d0d1def47c1ef2e428e19b742dff1cfb2a1cf871f6f1639d506114ab

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

MD5 ba83966d0ae66321fb569bf49642752d
SHA1 7b3b310ee3bd19589f6c7f4c54c5368e1d22a2a3
SHA256 aa3223e4c3d74b760cb0b5c3e3ac55094582e2707401e3e316b9e76c0010da58
SHA512 e92f6c366bc2d70d4ffab42516ecd129ac99eb54a42a253ecca50ecdce448398fce83075876a236fa8559a252f21e3143b17cbf546c5cf26b5dd2ec0f61e63b7

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_002_dotnet_host_7.0.16_win_x64.msi.log

MD5 225a3b371ecb85d3d94917a6abd0bf0b
SHA1 f3276888128a6acf00ff563023226ff8322543c1
SHA256 7b76e857b8cfc6aac39f72bb94e19f87ad25f34d0fe7721f8258ae2e8b1d5c69
SHA512 801a785357877b591a89348f8bb6ef093cea348eed6c27fdcd8e1ae0ac43f7aedb75707183c95a861876cd35fb8bacd26fadb571b177050ee6f4963e0f55b678

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

MD5 2f95cc4e87af987b59211a2f83cdb1fb
SHA1 9411b9f5aaf7a2806381397a3affeffd746bd805
SHA256 1625551abdbaf32fd0a54a2702a4cd4a89f0c09b70d0ce4834c6ec6a40db1d72
SHA512 09bd07d1917ebffb77966ca31574452538493d10e4e21273fc28dced5dd1596368a96986c4f25abead5e707ef8c9a7cacb7c849bbdfca484d7684c2c01667c40

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207_000_dotnet_runtime_7.0.16_win_x64.msi.log

MD5 d3bf2cfba04501b7b0a8099f423602b6
SHA1 1bea34d50f2c2623cf93983ef400ca6e28cc79bf
SHA256 2a38738c13eec259eb5774e78d964895578be2907fd215dc62a3f8391c36a9ee
SHA512 1d31e8c6fe423a0313954cfffd247a0bda2932804f20f633692d5247e8828cd36a5631b26c27291eda42fcad1ca9ad1cd8fdc0fa09c650c58abba670a983214f

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

MD5 0d284d14fdff4606b75e4a1d63ebdda7
SHA1 63809939dfdcc6fe96f07b62e55011679f28b70e
SHA256 290c2f5ea24a286e6ef3b63884b7303ca8593c586e386de8ab04b70a52d61537
SHA512 e06a179094657e960969925658f47019fbf558451c1f84b7b41b42a2efdc3bd9d7b9310bebb274a00154b7b7f44d0708072c4001cdb967f93a644a50a2154ffa

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_002_dotnet_host_6.0.27_win_x64.msi.log

MD5 de0e8d4adedb42ed4f5f9318b909c0c7
SHA1 931bd4f8b30eb362c11169a1a6107d6f6ac53166
SHA256 bb66bc920199db00c64e6998b6c050948dc29fe7873544be13c2f8036e490690
SHA512 2226465f152eaa91acdc531036d89a80f887740bf0bdf96a583789c079c452bcb9c649099eb3e42c40e56a6b7649c45a5fa33bea518604af0a2114792e8343f2

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145.log

MD5 8b71d3794c06f7a81993926b1b36a573
SHA1 d472dd421f1137122b38b02353cbe7131c78bff7
SHA256 c5d02ccca21f457030a01bb7abd7c453ad1de975d5066fd93c155e29d7b2e1b8
SHA512 9c9fd55f8babf8aa3ba326f1c7d60173762ee63c8752b7f87f2c0b3f48d6f46707c4f5d31ac92aacd49d11ac9634ff551aa862cda589ead8f8e3072dd913edc9

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft .NET Framework 4.7.2 Setup_20250611_000120170.html

MD5 35e95b678a5d0214d4a90913e5bb5f76
SHA1 6f3dc3c838bc9c362b235420842ac34f2c08d6de
SHA256 9111051032efddd47e7aa0239bfaf9fd878b8b33d566208d8e0c32454a735b56
SHA512 a5dd3d9e6b484eaf79dc9364ea211b9146b11c876f081445d6547d138f6e1dcc78b1e5f5c3018434d9c85c3e53c9e68455f3817a4b6f0314b054d9ff8298f278

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_000_dotnet_runtime_6.0.27_win_x64.msi.log

MD5 860a58bfbfbbf354ba7cdd974d3ad554
SHA1 5f90c1012beba0d70b9322711b63e3d27250f529
SHA256 d3f5b69d8794d2a4419d9df1e8730c8992b71962edd5bc0cb1fe2c15625d90df
SHA512 18bb086210d824b1b572088e150415693f6a32bcf881027ee908fac5a142f04b5f18ee55b87fc7f17f78bc647f684c238de62e5ad6f6456edf60bdff00d3e3bf

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250611000145_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

MD5 29e0d5f7acb997606e1d89601f611343
SHA1 801946e5f10b47bcf8d6b49e76879fb70e733bdc
SHA256 4285387e19373168dcb7826909637fcce26fdc4e650503242ba307d6e85cf73c
SHA512 f2856c08859f08ed79098e78ff84457d1b8fb18d0bea417aac9dd0074a7e286e2302880bcdfe1bfe23fd0a315edf3cf3ba53ce7ecbfe03ecdc76cde4b30db5fb

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\mapping.csv

MD5 d3186aada63877a1fe1c2ed4b2e2b77d
SHA1 f66d9307be6cbbb22941c724d2cf6954b41d7bb0
SHA256 2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe
SHA512 c94e8aa368a44f1df9f0318ca266f5a6a9140945d55a579dee2fd10aff3d4704a72a216718b35e44429012d68c2bb30a92d5179fbc9fb4b222456a017d8981c0

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\jusched.log

MD5 2ead5242c5fafb22a07547dd2407fb45
SHA1 ee248b38c9206f479b902527ef9da1556debfae0
SHA256 5e80d97b5565836681176aec69e2cbb068378f7c75fc3f248d64c3eb08c88afc
SHA512 304f08bc52a2dbd28b118e2bad367ba6e1b00d2070b5d188a6004e31cccc113cf475d5ef626772e28223a5d6608a990ba0a86d7052759ed3fc8950bc9be7f90e

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250611000207.log

MD5 2efab208271db0c2b0b74aa476fca72b
SHA1 53a21e23f7a926d7ca3230ebbb9e0fd091c72c26
SHA256 32fb46072266ec2c9ee8b7733bffd3d85ac55291ec292f981d673094008d0849
SHA512 a848e7c3031499fabb8c855753f0a2729be165357dfb5eb05a0d5fa0719ee98d1110c2b7130d633d0548e0f207d736d61543a93f426204eb24632cb80a5ab948

memory/2624-664-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\wctA150.tmp

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

memory/4460-667-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\StructuredQuery.log

MD5 afc1326429778de7a4eff3d3da68c192
SHA1 5595a7ec66eb75dacf84ec638c0e7380e0d3c6c4
SHA256 a4f2ea636c65e2d4cf7f9c10288d418c9f744e5be67567bd9e9e77b9961a5674
SHA512 bb1fdb5afe7e36d7829641ff342b3609e030bef14fd856893285dcd2c5f637367542004a9146efec6c86618b2da3f83839cea7ae85ecc6008f9119a2bd2435e1

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\offline.session64

MD5 e48fcffdebfcf6ed2a4da3bfd0ebbf06
SHA1 6d12df9ca38b69494308702f7ffb9bb6e1f7aa35
SHA256 e0ef347bc15f83b6a11af1a9ca8487db8cfc26f64eb5e49897a967e21732a263
SHA512 cf33805ca49cf18d577e58f060795f1bbea5bc516032f1864eaa083a8becda62e6c6ad53092754c2e4f7f615541cf83ce787fd74d3f09b1bd8cd3fafbfe644c4

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\offline

MD5 6c1a7e606ab22f129a4b38e1efd0912d
SHA1 4381471b9e8bbcb5fb9332a0a7efec4fce4181ac
SHA256 61715eb988d4ba36a32d90e54ff265019dd8c988d2784dc06b70c0285d62e368
SHA512 28c6ef4a29420ad97804e92b5313cd69affa1f5a6d4bac832ced7a54527d2a4c040480c5efe0c3a3256150ad0a77dece584ddff39e57b7b2b0bf9bd75165f321

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\msedge_installer.log

MD5 e346b2fc29b1749a79716d7b30e29422
SHA1 23c2c5f3ed7d8de1acb9ab548a857eff7f6cdeb5
SHA256 c76226c58611011a18e6de8c8eb701bed23bf1595c4e2fb5107485706dd2b3a1
SHA512 2b70113bf6e425d1738e2bd9b3ed631c7b6f4ba93a00428fa2e29dcc1ba204696afc6e1381bbe812ff2659c46b6049793937db4db72d4fa3d694aa7af77ec153

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_002_dotnet_host_8.0.15_win_x64.msi.log

MD5 09cdba74a804e79c6dfdaa0c0cfa751a
SHA1 9315a46b731ba5c33f151338663559fd383f286a
SHA256 05bfd9555d3111480dcbd48e27080b6b57b3875133b28d1891531e27824a9dfc
SHA512 7ee5f220c5e68270349090edaf68850556653fc6b29b8b40bebd48cd1439d832f1dfa7b2f88c73f0f9a273f41b31062ae0f3b339ba817ea2d4bfb8dc836dbfd1

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Microsoft_Windows_Desktop_Runtime_-_8.0.15_(x64)_20250611000229_003_windowsdesktop_runtime_8.0.15_win_x64.msi.log

MD5 c28fb007a7251b79944d7cbb68023346
SHA1 b50472f2dae4880b86884a30999d68d18bc1c016
SHA256 75ec57036e7b6654f8a2d9f71d69db3c7dc69a36d5ec440c0572a5a1b50659f0
SHA512 5532545491cd378faddfa10b9fc61688e0888e109b8e0fe7a39db5da16b395599806fda30141bd5ccee26d0964492c472d15d0b3cec205095089178607dd2102

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\JBEFPFUV-20250611-0006a.log

MD5 aae40201f6f3adc8f285a426174bef08
SHA1 bcb31185a27426ba1ab16d16eb8e638cf45e38fe
SHA256 10b10b3a8664a933f8a03541d0d27f627906c12c5cb3fb8eb961dbe1884818c1
SHA512 58fe642ec9c1d29e716d53f76ea81733ba12f0d8d9707d1a8d028079d6d3aec9de9680880172c794845f6363a089a88405f5e6f2dea37a15acfe472cb4b8549f

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe

MD5 b1dbcb99c22cef6d94cf220a53339c18
SHA1 4220c42c8cbafb533b3a99b18fa73fc35aeacf30
SHA256 ce24c20670a87388411fc3fcb1cc3db347876237555f93027b5c75a76a513576
SHA512 8fa98064f64a75a17565fe8e8f1e7b2c36b6078dc097b2300e21c288c81d8a4efd233df101e4bcca2163368767dc77d3bd95028990ad635247aa2e5008ea38f5

memory/5092-682-0x0000000140000000-0x000000014025F000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\data

MD5 fed7f614d44923829292868f1ada05f4
SHA1 8680eb7e2f0a76bcadd99556809dd08a605f24bf
SHA256 b920c464147f96b7ec9f1601857435f24b567d905b1be947a18e25ab2cdd87f9
SHA512 124171a65251cc029dc49bfd790f18d695d60e6898a8be861d261833da3c9aaa9b7746ea4a77be7f19cc0a3eff8db94461588612198c343b9e59cc3e3d2415ee

memory/5832-693-0x0000000140000000-0x0000000140202000-memory.dmp

memory/4736-694-0x0000000140000000-0x0000000140266000-memory.dmp

C:\Users\Admin\AppData\Roaming\91e4400431d09c2d.bin

MD5 b70e9430b2345f8428286598a9325fe2
SHA1 8000f8c3690d797741b72a12d7fde9395323cb70
SHA256 824242432aa7b76ae0f6abfc9eb9b2ec91f018a51b96ac1f03f1fb71d8e4acc5
SHA512 174ac51a5ee975d7ae7f7d6b026f1d8392f5fb63d34434fb2ce17e75289844d6975395c455d392302d4feaf67321b1957c8bd59f991f62c6b97ed62eaa362334

memory/4460-681-0x0000000005AB0000-0x0000000006054000-memory.dmp

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\msedge_elf.dll

MD5 b64096bcd104cc44ac58ccefee86e1bc
SHA1 3fc620ea06262fba34432db67a37ebde21c421a7
SHA256 5c1c18608cdd8918648425cc85a29f254ca981c7c5a48b245686a47c0391ce5f
SHA512 54e84c8f5768a2b23b307686397203d3813116a105b16a864bc10793d5edd6f189b0fd12c9acaa772aab486cfa39339c61d467dee5639715c0be5ddd6feb6d0b

memory/4460-695-0x0000000005600000-0x0000000005666000-memory.dmp

memory/6116-702-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4460-703-0x0000000006910000-0x0000000006960000-memory.dmp

memory/4460-704-0x0000000006A00000-0x0000000006A92000-memory.dmp

memory/4460-705-0x0000000006B90000-0x0000000006B9A000-memory.dmp
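The Files section above follows a fixed record layout: a path line, a blank line, then one line per digest (MD5, SHA1, SHA256, SHA512), with `memory/<pid>-<n>-<base>-<end>-memory.dmp` regions listed inline and carrying no digests. As an added example that is not part of the sandbox report, the Python below parses such a listing into IOC records, refuses digests of the wrong length so a truncated hash never reaches a blocklist, and flags the artifacts a responder would hunt first. The sample text is constructed from three entries of this report (SHA512 lines omitted for brevity); the flagging rules (PE files under the user profile, a hex-named `.bin` in `AppData\Roaming`, a memory region at `0x140000000`, the MSVC default image base for 64-bit EXEs) are my own heuristics, not signatures emitted by the sandbox.

```python
"""Sandbox dropped-files listing -> IOC records and hunt candidates.
Added example, not from the report. SAMPLE_LISTING copies three entries of this
report's Files section (SHA512 lines omitted); flag rules are my own heuristics."""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's layout: path line, blank line, digest lines;
# memory regions appear inline and carry no digests.
SAMPLE_LISTING = r"""
C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\Bpl New Po-2000023038.exe

MD5 b1dbcb99c22cef6d94cf220a53339c18
SHA1 4220c42c8cbafb533b3a99b18fa73fc35aeacf30
SHA256 ce24c20670a87388411fc3fcb1cc3db347876237555f93027b5c75a76a513576

memory/5092-682-0x0000000140000000-0x000000014025F000-memory.dmp

C:\Users\Admin\AppData\Roaming\91e4400431d09c2d.bin

MD5 b70e9430b2345f8428286598a9325fe2
SHA1 8000f8c3690d797741b72a12d7fde9395323cb70
SHA256 824242432aa7b76ae0f6abfc9eb9b2ec91f018a51b96ac1f03f1fb71d8e4acc5

C:\Users\Admin\DivideByZeroExceptionIProducerConsumerQueue1GetShortestDayName\mapping.csv

MD5 d3186aada63877a1fe1c2ed4b2e2b77d
SHA1 f66d9307be6cbbb22941c724d2cf6954b41d7bb0
SHA256 2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
X64_DEFAULT_IMAGE_BASE = 0x140000000  # MSVC linker default for 64-bit EXEs
PE_EXT = (".exe", ".dll", ".scr", ".sys")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    base: int
    end: int


def parse_listing(text: str):
    """Split the listing into file records (with digests) and memory regions."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            # A truncated digest from a bad copy/paste must not reach a blocklist.
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current.path}: {algo} has {len(digest)} hex chars")
            current.hashes[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # digest lines never follow a memory region
            continue
        current = DroppedFile(path=line)  # anything else starts a new file record
        files.append(current)
    return files, regions


def file_flags(f: DroppedFile) -> list:
    """Heuristic triage flags for one dropped file (author's assumptions)."""
    low = f.path.lower()
    name = low.rsplit("\\", 1)[-1]
    flags = []
    if low.startswith("c:\\users\\") and name.endswith(PE_EXT):
        flags.append("pe_under_user_profile")
    if "\\appdata\\roaming\\" in low and re.fullmatch(r"[0-9a-f]{16}\.bin", name):
        flags.append("hex_named_blob_in_roaming")
    if "SHA256" not in f.hashes:
        flags.append("no_sha256_recorded")
    return flags


def region_flags(r: MemoryRegion) -> list:
    """A dump starting at 0x140000000 is usually a whole mapped x64 image, not a heap chunk."""
    return ["image_at_default_x64_base"] if r.base == X64_DEFAULT_IMAGE_BASE else []


def hunt_candidates(text: str) -> list:
    """Return (path, sha256, flags) for every flagged dropped file, in listing order."""
    files, _ = parse_listing(text)
    return [(f.path, f.hashes.get("SHA256"), fl) for f in files if (fl := file_flags(f))]


if __name__ == "__main__":
    for path, sha256, flags in hunt_candidates(SAMPLE_LISTING):
        print(f"{sha256}  {path}  {','.join(flags)}")
```

On the constructed sample this yields two hunt candidates, the dropped `.exe` and the `AppData\Roaming` blob, while `mapping.csv` passes through unflagged; the one memory region is marked because its base is the default x64 image base. Treat the flags as a triage ordering, not a verdict: installer logs and `.tmp` files under the same odd directory are only interesting once the PE artifacts have been pulled and checked.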

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-30 17:29

Reported

2025-06-30 17:31

Platform

win10v2004-20250619-en

Max time kernel

103s

Max time network

111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\concrt141.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\concrt141.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

N/A