Overview

overview

10

Static

static

1

QUOTATION ...99.exe

windows7-x64

10

QUOTATION ...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION _RFQ# 1043999.exe

  • Size

    1.1MB

  • MD5

    e3b24ec113f20b978b0219371f76ccb3

  • SHA1

    fe3812e07afa7def4224a68a8a3d5db849997e94

  • SHA256

    d1a8dddd0be7a7932b576b395adf6c8a3ab4796420b0f967c39d6ffe65604807

  • SHA512

    aa0b97ad2db777fccb44e087fd986b4f0c3d00175315397c2cc343c45d169a031f0587c033aedcd14918cc1e6d6af41dec697771ac4ca36c517e23b860a67f1b

  • SSDEEP

    24576:DYpFDsStI/zStNEjHMjT9MVNRQSXnhRafrMO9RRH:s8+IutNEcARF+fTD9

Score
10/10
blustealercollectionspywarestealer

Malware Config

Extracted

Family

blustealer

C2

https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • Executes dropped EXE 24 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 24 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 13 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION _RFQ# 1043999.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe
      "C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe" C:\Users\Admin\AppData\Local\Temp\hbgistyk.l
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe
        "C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          4⤵
          • Accesses Microsoft Outlook profiles
          • outlook_office_path
          • outlook_win_path
          PID:4580
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:2080
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4120
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:2344
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2768
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3108
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:2568
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:220
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:1820
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:2788
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:1128
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:2820
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1272
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:2744
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1132
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:2352
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:3248
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4352
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:4916
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:412
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4132
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:2124
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:3476
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
          2⤵
            PID:1556

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
          Filesize

          2.1MB

          MD5

          f2f9ece54c1b035227f30f72d24a5db1

          SHA1

          16918988e0c2b3c8e1f149a282bd829b5b7ebcd9

          SHA256

          4e5bf64c65ae519a305b91ee7e731a3ea269d4c4946413f22c7ac50e8a065491

          SHA512

          383ae7f883b660a7804c7288c737fb318c3bba2e81c4a1097662636541e3a0875a7fcfcba0bb1c2d8c2a3d76dd531f058a96ea3ffa1212e8017adf9287f21c19

          Download Submit

        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Filesize

          1.4MB

          MD5

          eedb03aa944ce56d5d6f14659d5e1356

          SHA1

          262e515fb256256c376f505c2883b05a299b7c8a

          SHA256

          4480b66a02630c2bdb6c724f245ac3574033e68467157adfc2fe77b0de3618d9

          SHA512

          d2286402dd54f90a54876d8301eb4623dd920e3b7df1c0464a9438178fdd5b1bf454b81c3164367baf057d7f8b933fb73b8864b38878053b0d8e14370102f24b

          Download Submit

        • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
          Filesize

          1.5MB

          MD5

          577333da1fcac8b69a439b629b96b4d3

          SHA1

          ef0d49628b6ea6eef7764d5d8d11aeed443f4665

          SHA256

          3c100f441a039bf055397dbfaf91b812a26acf9bdd7dca1175b7196cdb354fd3

          SHA512

          e211cd905ab4f6603a1b4acb8f1078fb3cd2f67ed77bc3cf8b20e501df7928b42e46f2c3ae1afea9492c33562aa600d5e9fb936bc55f87a0be50ffaf02c6f572

          Download Submit

        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
          Filesize

          2.1MB

          MD5

          50319469586b65c8b4cdcd14a9f7f2d1

          SHA1

          611dacd6244184678376260dd2019a8a8a2c55f1

          SHA256

          ce066cff692b70d6eb72e28864bee031c4ae93c619fb3100ff9d68ebd4b84a5c

          SHA512

          76b6352188b40f3d0bf20c998c07ffbb38f7176bab13502cc242428df02f425918b7db2e7da44d4f70db7250e2b40e7a86a2ffc48e03ce6f3c7eac98bdeb0dde

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hbgistyk.l
          Filesize

          5KB

          MD5

          f7aa6aa562eed72f57dae51a4600bd15

          SHA1

          83c485c9f87dad98e674c2367edde4bdb634ad99

          SHA256

          e88095aa3ad132af63e6217c5ae27b90e03eb8b5bb895bd25a30eb3b7c8495cf

          SHA512

          df14b0f46a566c805714d91b117791e5b0cec8dbc5ca5096488621fcc162d02eea21f9be8c6cbfcd9f54ce3f15472ee683e4ae060ca6892ba1dc5d5a703c40c0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe
          Filesize

          85KB

          MD5

          ecc112538fbc387407826a46bd7f840b

          SHA1

          6118b642fa60a2136f63a4357e224063287ba0ae

          SHA256

          deeac2f4df3fefb53950790f5a89178691f4397683a1470a0663d7d33a56b9ed

          SHA512

          c1cc27e1e93398074d845a0da9df2eec8a00c46dc529191c7821556b21002e642b75aec14a6ae056e6fcbb996190eccd9795e11d47005235e7d2204d008ea5f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe
          Filesize

          85KB

          MD5

          ecc112538fbc387407826a46bd7f840b

          SHA1

          6118b642fa60a2136f63a4357e224063287ba0ae

          SHA256

          deeac2f4df3fefb53950790f5a89178691f4397683a1470a0663d7d33a56b9ed

          SHA512

          c1cc27e1e93398074d845a0da9df2eec8a00c46dc529191c7821556b21002e642b75aec14a6ae056e6fcbb996190eccd9795e11d47005235e7d2204d008ea5f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mwmyjwne.exe
          Filesize

          85KB

          MD5

          ecc112538fbc387407826a46bd7f840b

          SHA1

          6118b642fa60a2136f63a4357e224063287ba0ae

          SHA256

          deeac2f4df3fefb53950790f5a89178691f4397683a1470a0663d7d33a56b9ed

          SHA512

          c1cc27e1e93398074d845a0da9df2eec8a00c46dc529191c7821556b21002e642b75aec14a6ae056e6fcbb996190eccd9795e11d47005235e7d2204d008ea5f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wrfjwztu.aq
          Filesize

          1.7MB

          MD5

          1150bbc219a67bd8998f8e853649eda7

          SHA1

          9e9b53fd8b25217cd3cdac31ccf2ece1c5101304

          SHA256

          ddc00b80b46094456c327e3706744b194e32c308d47b159724762fae9b00ad0e

          SHA512

          dde58a0d446922b4777d4b5faad58c3698dcdadff04fdfd7ea7250534d73eae2fc08d0202af3bd5dd91787f782ab46b67ebcbb1fa15e23d2bbb807b6668a49c8

          Download Submit

        • C:\Windows\SysWOW64\perfhost.exe
          Filesize

          1.2MB

          MD5

          34c8cd73171b75bce878125a41696260

          SHA1

          acd5bd85188921165e6c60432484ea22db61db47

          SHA256

          cc176422c4584aa144588d51e643bae57d8f373f10f47ea10a23ff494a86f1bd

          SHA512

          921ff16064360a415ed969edcd31cea1864a2562a17e0e44c9b8ddb1fa72381cb37cc532dde0668e5554158d951db5d2da0d587b32b56516d7ceacc00128ef7e

          Download Submit

        • C:\Windows\System32\AgentService.exe
          Filesize

          1.7MB

          MD5

          598fd1a3d1240fa9ae96cbfe11177295

          SHA1

          ec1d7f70cf4d1d2ef9ac02333bc8087f6b422b3c

          SHA256

          87f3e70838c26e1405d3a5f6e572f7eb377d7527de7a96294d020de9412e13f5

          SHA512

          458c7651a0158b4751af6ea76f141337039f2cbf283ff4bf9eecc9e55e1e6b459c8c5d46ca13b008368862f8ef2abbc3e2af39fa5e5ba2143395e0435aa87ae1

          Download Submit

        • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
          Filesize

          1.3MB

          MD5

          fb52d8ea6a3ff538c9835026b513504a

          SHA1

          1e6f4846740b58eab575654219af9a6aa2f4a61e

          SHA256

          03f3080b3bb8efdd7df650286ef5fb86a731f4b1a418459ac7c93fa699417e60

          SHA512

          14c2c875a4cb8a40183faadc2d98be757a0ca238973e3fcee7efb32cd797db83e385425469db6fe3b473c87e7416a247d06fffb1d7d880cc8f57e810fadc9f14

          Download Submit

        • C:\Windows\System32\FXSSVC.exe
          Filesize

          1.2MB

          MD5

          33a5c10d29dce48f02322722585c22f0

          SHA1

          d6db06788cb595b21a8b4b30f7966ac8d27eb987

          SHA256

          474fbc6c3f5a50ce469908f1ec89797cf4d90da8fd4bd05660712ebf1eb8790a

          SHA512

          96b8c79ff7128f94e9aeb978af74a02bc1e3546a59eb094ce5a87e2bd2ce50fa01ce8cd51df0ee17316db2a8ca8c21bc7d0dd6cbbcbee59d33dd528ac3b9ee2c

          Download Submit

        • C:\Windows\System32\Locator.exe
          Filesize

          1.2MB

          MD5

          5a7c5388257cba856da99302927f688e

          SHA1

          aa7cdcf731f907e2d96462a24e444407f964193e

          SHA256

          c1f2e17086bce79ad32484e3bbfcfc8cb8db3b753bd12b89dceea33fb2ed954b

          SHA512

          2583490180e06717913c21ec4d38f168446b519c42d2c0cae6acb1157ebb06a339f1e0235b5e71906ac078ddf572f3259b255478f5aa64afa48c8064cc22b919

          Download Submit

        • C:\Windows\System32\OpenSSH\ssh-agent.exe
          Filesize

          1.6MB

          MD5

          1e4410d2de1243dd8e3cbd8169b48181

          SHA1

          8107a46af1594f14a861b7afd7c248a7e5bf7c2d

          SHA256

          c6cd7e587ca945acce6e44e144327e628e9a43935ca270a03424ed7b6f8dd751

          SHA512

          995edf97a171a7796d45d8d1d89d974411b26511c267726821be40d384cf51388cd6e938c93a81494cc6bf364612de3a356f1716462792f012bedbe3c1c00d2b

          Download Submit

        • C:\Windows\System32\OpenSSH\ssh-agent.exe
          Filesize

          1.6MB

          MD5

          1e4410d2de1243dd8e3cbd8169b48181

          SHA1

          8107a46af1594f14a861b7afd7c248a7e5bf7c2d

          SHA256

          c6cd7e587ca945acce6e44e144327e628e9a43935ca270a03424ed7b6f8dd751

          SHA512

          995edf97a171a7796d45d8d1d89d974411b26511c267726821be40d384cf51388cd6e938c93a81494cc6bf364612de3a356f1716462792f012bedbe3c1c00d2b

          Download Submit

        • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
          Filesize

          1.3MB

          MD5

          6af2fe1f313efc11f1b38498aaf97bee

          SHA1

          edd8573e4b6494bb531d5cb6505c798efe7669df

          SHA256

          5820e78287a951236769ec91007e4cc4b61090346034609dc19f3b716db9ddf9

          SHA512

          23e8b9a79bbb9adbb4c66161e986f537c91ba9a577a946830c5f6385ef6d4767abc55c162df66f1bea55513e344c68c4ce2a014d00d19a18b930598c45b68b53

          Download Submit

        • C:\Windows\System32\SearchIndexer.exe
          Filesize

          1.4MB

          MD5

          45ccb59ea7784263ca2fb424904ea2c8

          SHA1

          aa69de86f858d17a6a48177cdf10acfb676d7f82

          SHA256

          cf4279132c0a43d2669f8e46d3f380d92301ac33144f0bbce377b6204f3c9733

          SHA512

          3ff4bde01483c83be221d1aeac378289bb0f93624912d369c6fd97380f6cea99c8eeae9bcf13429d416bd87f9a8d2af43e9bcdebf2f042be1644b6e7b98ec4bb

          Download Submit

        • C:\Windows\System32\SensorDataService.exe
          Filesize

          1.8MB

          MD5

          f327899632d3cc15de7e4b6dc94bb249

          SHA1

          d5297dc3b5f79c0df2f65c49a6f8e61e6a1beb5d

          SHA256

          a4345ab03f0b4cb662729450d0460ceb38c8b0b012744ebb7c465ba9b03f4a05

          SHA512

          f859b1f5d362811dfe94db57412185871926dd3ffdcaf0f409199e58491bcb5608895344ca6a6b9b3a2d2530827da7b96a1d8dc8e639e5f897ffcb87f043a591

          Download Submit

        • C:\Windows\System32\Spectrum.exe
          Filesize

          1.4MB

          MD5

          d9aae314fddaafeee49b6db6c7101986

          SHA1

          c75e0d67b5d4f4b32cac69fe27ce331f1397ee4a

          SHA256

          88d00f4ef7c1d1f764e777aceab94e328fb174ded6acd826b60aa90846387564

          SHA512

          256210a457770f3fceb4445f4a07c277cb1c3efbc614f4c6e0f852acdcf8119fc2043ceebe55684400ffdbab2a5532ca767d1745bb462eb503f99fded0090a65

          Download Submit

        • C:\Windows\System32\TieringEngineService.exe
          Filesize

          1.5MB

          MD5

          4788dfbde1810398f5507e1cc5e427bd

          SHA1

          11ca7448686fac2b6f13cd4a91a739079ca98f03

          SHA256

          495cdd9e6a92ff5b0ee104829658525507e665d429215e8b8dbb0cbf96ef1f8c

          SHA512

          087835439f86d294618176bdb88d269a5b2bb368443aaea513f2eb553b5770922590503f01cadd35518754d63f62fdf4e4780a2c40e5b87c14d8f3b870dc4739

          Download Submit

        • C:\Windows\System32\VSSVC.exe
          Filesize

          2.0MB

          MD5

          8f03e644aaa05c054f43c3c9004b4d69

          SHA1

          ca74467f0daa720afac485f390bd5adc4306f36e

          SHA256

          ebc810c970c46a859f40f015bff94d2d27320d9684402bd7f1449d10da05f81c

          SHA512

          80f192d7d938dc074ae8450b4b573e8832d829ba044ff76e383ddf11f68f346b263923bad2c77e4b9b83f9b75888a4a9a28e4a580687b2ecd99df8bd01d4121a

          Download Submit

        • C:\Windows\System32\alg.exe
          Filesize

          1.3MB

          MD5

          75c5c658cbae9fe11cd7e2e3ee17da30

          SHA1

          8757c12370ea07cc4c482760b4e0b17139aed221

          SHA256

          466b9a46634e5878db975150110051c3d60c372b010d0f14dda69a15517a5f0a

          SHA512

          85fa67b94791d943f89a1c7edf02056e9eb7f326482713ebd7d259ce0fe0d339b2863539c93841613a5dffde37e7056b4353aef8cfde042efea53c8e5f465214

          Download Submit

        • C:\Windows\System32\msdtc.exe
          Filesize

          1.4MB

          MD5

          b0b5a3d62add3f9d1e8da9d8e0418f4a

          SHA1

          7c44b327e53b7c4cacd223d6b79cf5141fa72322

          SHA256

          aff4a42b0545e8e9fadcaf93f476c2bf334eb9041b18aa3a7a3a0b0f9469322d

          SHA512

          7070a31ffa0959ce628e5799d850136b556320b15fc11345ce20777342588f88347fadc381aa3726ab4c59915c5e14f1c02beef999e4542bc10e5b24ef9df158

          Download Submit

        • C:\Windows\System32\snmptrap.exe
          Filesize

          1.2MB

          MD5

          bf7a6660efcf6b4312d380025eca909f

          SHA1

          5c6ac473278038e543831688ffd23f6089de2ede

          SHA256

          1ba062e6e56b11b1ce8e76cd4c18453f6104a198fff618e8b42cce45653a2e38

          SHA512

          b58f0c7d3a26ccec8102d1c78054ae3e1998e32fb2eca2547c50abeb209a7409d7f4cdfae5359c3c27a19727e9c73afe80f18685bbea31b8c67eb39dfaed5c59

          Download Submit

        • C:\Windows\System32\vds.exe
          Filesize

          1.3MB

          MD5

          4c4fa4cfe62084b17273df3ee3674679

          SHA1

          81b8bacae0df2186f1e028811df53f6428a7199f

          SHA256

          c333b04e51d34e3295cd2e3da7e76326d3822f17a67643e09492700c1c86ccc2

          SHA512

          34e491240b3370cb34b867773e83dcced70c89a458ef02d4fd95a748d9877eec542411130fa85590001c6bb01ddfeb4b22c4cd59c745c8c08c431c5af2ce4033

          Download Submit

        • C:\Windows\System32\wbem\WmiApSrv.exe
          Filesize

          1.4MB

          MD5

          ca2ad9ed5b0afd41174b04fa681e829a

          SHA1

          9d014b0dae1730b7db9f2c749a6ad113746ce3a9

          SHA256

          f8bcc144dab5a6c429d1ac930bdcdeaadc063e58da5bef575f8023bfb3ff3dbf

          SHA512

          bbb842a190eb6e44ddeb3a1bdf820d5345bf153f1de23f0f6ce42353afa5e2db6221ff497c2c02b24210474fa10aba5a5342225ec3233f9a3a0291b97ec3bb89

          Download Submit

        • C:\Windows\System32\wbengine.exe
          Filesize

          2.1MB

          MD5

          ac7393b6900992647110ece12c6492c3

          SHA1

          49ae8261cdbdfd1480910168fe60ed0a1848f45c

          SHA256

          ba2a79933f592387b4314452fa68bfd8a63a2680229f4024d759e72c1ffad7f3

          SHA512

          b11b4de5c921ff05fc6fc29a0cd681cd0e98c77129eb026b638fdabd0b62c5d10b6d9753ab82062a143e1d5f36ee470c68293cd2c466817cb760c2147a56eb22

          Download Submit

        • memory/220-234-0x0000000140000000-0x0000000140210000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/220-433-0x0000000140000000-0x0000000140210000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/412-377-0x0000000140000000-0x00000001401FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/412-605-0x0000000140000000-0x00000001401FC000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1128-280-0x0000000000400000-0x00000000005EE000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1132-320-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1132-552-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1272-457-0x0000000140000000-0x00000001401D7000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1272-299-0x0000000140000000-0x00000001401D7000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1288-146-0x0000000002BC0000-0x0000000002C26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1288-355-0x0000000000400000-0x0000000000654000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1288-147-0x0000000000400000-0x0000000000654000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1288-152-0x0000000002BC0000-0x0000000002C26000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1288-144-0x0000000000400000-0x0000000000654000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1288-141-0x0000000000400000-0x0000000000654000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1700-189-0x0000000000D20000-0x0000000000D80000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1700-205-0x0000000140000000-0x0000000140135000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1700-183-0x0000000000D20000-0x0000000000D80000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1700-190-0x0000000140000000-0x0000000140135000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1700-202-0x0000000000D20000-0x0000000000D80000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1820-256-0x0000000140000000-0x0000000140226000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1820-450-0x0000000140000000-0x0000000140226000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2080-159-0x00000000005A0000-0x0000000000600000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2080-172-0x0000000140000000-0x0000000140201000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2080-165-0x00000000005A0000-0x0000000000600000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2124-414-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2124-620-0x0000000140000000-0x000000014021D000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2200-359-0x0000000140000000-0x00000001401C0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2200-367-0x0000000140000000-0x00000001401C0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2352-338-0x0000000140000000-0x0000000140259000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2568-229-0x0000000000C00000-0x0000000000C60000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2568-231-0x0000000140000000-0x0000000140221000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2568-219-0x0000000000C00000-0x0000000000C60000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2568-225-0x0000000000C00000-0x0000000000C60000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2744-318-0x0000000140000000-0x00000001401ED000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/2768-200-0x0000000000960000-0x00000000009C0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2768-194-0x0000000000960000-0x00000000009C0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2768-411-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2768-215-0x0000000140000000-0x0000000140237000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2788-277-0x0000000140000000-0x0000000140202000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2820-298-0x0000000140000000-0x00000001401EC000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3108-207-0x0000000000190000-0x00000000001F0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3108-214-0x0000000000190000-0x00000000001F0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3108-408-0x0000000140000000-0x000000014022B000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3108-213-0x0000000140000000-0x000000014022B000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4120-375-0x0000000140000000-0x0000000140200000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4120-174-0x0000000140000000-0x0000000140200000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4120-179-0x0000000000680000-0x00000000006E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4120-171-0x0000000000680000-0x00000000006E0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/4132-606-0x0000000140000000-0x0000000140216000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4132-393-0x0000000140000000-0x0000000140216000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4148-621-0x0000000140000000-0x0000000140179000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4148-430-0x0000000140000000-0x0000000140179000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4352-341-0x0000000140000000-0x0000000140239000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4352-582-0x0000000140000000-0x0000000140239000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4580-553-0x0000000005250000-0x0000000005260000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4580-556-0x0000000005260000-0x00000000052FC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4580-546-0x0000000000770000-0x00000000007D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4916-379-0x0000000140000000-0x0000000140147000-memory.dmp

          Filesize

          1.3MB

          Download