Malware Analysis Report

2025-01-03 07:38

Sample ID: 230501-redxpshd8w
Target: Quote 1345 rev.3.exe
SHA256: dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
Tags: blustealer collection spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205

Threat Level: Known bad

The file Quote 1345 rev.3.exe was found to be: Known bad.

Reading the three analyses below together: static1 contributes nothing beyond the PE being unsigned. In behavioral1 (Windows 7) the parent process, PID 1148, enables SeDebugPrivilege and writes four times into each of five freshly spawned copies of itself (PIDs 676, 1232, 1868, 1872 and 268); together with the SetThreadContext signature in the summary this is the footprint of process hollowing, but the run records no network traffic and every signature row and memory dump comes from PID 1148, so the injected stage left no trace of its own on that platform. In behavioral2 (Windows 10) the BluStealer and Outlook-profile signatures fire with C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe as the acting process, i.e. the stealer ran inside that legitimate .NET host rather than under the sample's own name. The registry keys it opens are the 9375CFF0413111d3B88A00104B2A6676 subkey under each Outlook profile (the Office 15.0, Office 16.0 and Windows Messaging Subsystem paths), which holds Outlook's per-account settings and is the usual source when a stealer goes after mail credentials. Separately, the original executable opened several dozen service and application binaries under System32 and Program Files for modification. "Opened for modification" records a handle with write access, not a confirmed write, but the later rows in which alg.exe, msdtc.exe, spectrum.exe, SensorDataService.exe and TieringEngineService.exe appear as acting processes show that several of the touched service binaries ran afterwards; on a real host every path in those tables should be checked by hash and Authenticode signature against a clean image before the machine is trusted again.

Malicious Activity Summary

blustealer collection spyware stealer

BluStealer

Reads user/profile data of web browsers

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Script User-Agent

outlook_win_path

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-05-01 14:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-01 14:06
Reported: 2023-05-01 14:08
Platform: win7-20230220-en
Max time kernel: 48s
Max time network: 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Network

N/A

Files

memory/1148-54-0x0000000000330000-0x00000000004D0000-memory.dmp

memory/1148-55-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1148-56-0x0000000000250000-0x0000000000262000-memory.dmp

memory/1148-57-0x0000000004F00000-0x0000000004F40000-memory.dmp

memory/1148-58-0x0000000000310000-0x000000000031C000-memory.dmp

memory/1148-59-0x0000000005E50000-0x0000000005F88000-memory.dmp

memory/1148-60-0x0000000007FB0000-0x0000000008160000-memory.dmp
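The seven dump names above encode the dumped address range, and the first question for an analyst is which of them are large enough to hold an unpacked payload. The following script is added here as an example and is not part of the sandbox report: it decodes the names, ranks the regions by size and flags ranges that were dumped more than once. The 64 KiB threshold is an assumption of the example.

```python
"""Decode the behavioral1 memory-dump names listed above into address ranges
so the dumps worth opening first can be chosen without loading all seven.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Sandbox dump names carry PID, a sequence number and the dumped range:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: the seven names from the behavioral1 Files section.
DUMP_NAMES = """
memory/1148-54-0x0000000000330000-0x00000000004D0000-memory.dmp
memory/1148-55-0x0000000004F00000-0x0000000004F40000-memory.dmp
memory/1148-56-0x0000000000250000-0x0000000000262000-memory.dmp
memory/1148-57-0x0000000004F00000-0x0000000004F40000-memory.dmp
memory/1148-58-0x0000000000310000-0x000000000031C000-memory.dmp
memory/1148-59-0x0000000005E50000-0x0000000005F88000-memory.dmp
memory/1148-60-0x0000000007FB0000-0x0000000008160000-memory.dmp
"""


def parse_dump_name(name):
    """Return a dict with pid, seq, start, end and size (bytes) for one name."""
    m = _DUMP.search(name.strip())
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def rank_regions(text, min_size=0x10000):
    """Regions of at least min_size bytes (default 64 KiB, an assumption),
    largest first. A fully unpacked PE needs room for headers and sections,
    so the small regions (here seq 58, 48 KiB) are the last place to look."""
    regions = [parse_dump_name(l) for l in text.splitlines() if l.strip()]
    return sorted((r for r in regions if r["size"] >= min_size),
                  key=lambda r: r["size"], reverse=True)


def repeated_ranges(text):
    """Ranges dumped more than once (here seq 55 and 57 both cover
    0x4F00000-0x4F40000). Diffing the two captures shows whether the sample
    rewrote that block in place between them, e.g. while decrypting a buffer."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            r = parse_dump_name(line)
            seen[(r["pid"], r["start"], r["end"])].append(r["seq"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for r in rank_regions(DUMP_NAMES):
        print(f"seq {r['seq']}: 0x{r['start']:X}-0x{r['end']:X} ({r['size']} bytes)")
    print("dumped more than once:", repeated_ranges(DUMP_NAMES))
```

For this sample the three largest regions are seq 60, 54 and 59 (about 1.7, 1.6 and 1.2 MB); seq 54, sitting at 0x330000 in a 32-bit process, is where the loaded image of a .NET executable of this size would normally be mapped, and is the first dump to open.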

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-01 14:06
Reported: 2023-05-01 14:08
Platform: win10v2004-20230220-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Signatures

BluStealer (stealer, blustealer)

Reads user/profile data of web browsers (spyware, stealer)

Accesses Microsoft Outlook profiles (collection)

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\b61f4b86c4600f4c.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\java.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
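The signature tables in behavioral1 (Suspicious use of WriteProcessMemory) and behavioral2 (Accesses Microsoft Outlook profiles, Drops file in System32 / Program Files / Windows directory) are flattened to one row per line, with the Description, Indicator, Process and Target columns separated only by spaces, which makes them awkward to query. The following Python is an added example, not sandbox output: it parses rows in that layout and applies three checks a triage analyst would run over them, self-injection (a process writing into another instance of its own image), unexpected readers of the Outlook account store, and protected executables opened for modification by a process from outside the protected roots. The sample rows are copied from the tables above; the expected-reader set and the protected-root list are the example's own assumptions.

```python
"""Triage helpers for the flattened 'Description Indicator Process Target'
tables above. Added example, not sandbox output; the expected-reader and
protected-root lists are assumptions to tune per environment."""
import re
from collections import Counter, defaultdict

# Every column in these rows starts with 'N/A', a drive path or a native
# registry path, so splitting on the single space in front of such a token
# recovers the four columns even though 'Quote 1345 rev.3.exe' has spaces.
_COL_START = re.compile(r" (?=(?:N/A(?: |$)|[A-Z]:\\|\\REGISTRY\\|\\Registry\\))")
_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
# Outlook keeps per-account settings (and, for older account types, stored
# mail credentials) under this well-known subkey of every profile.
_OUTLOOK_ACCOUNTS = re.compile(
    r"\\Profiles\\[^\\]+\\9375CFF0413111D3B88A00104B2A6676", re.I)
_EXPECTED_OUTLOOK_READERS = {"outlook.exe"}   # assumption
_PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")   # assumption


def parse_rows(text):
    """Yield (description, indicator, process, target) per non-blank row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = _COL_START.split(line.strip())
        if len(parts) != 4:
            raise ValueError(f"unexpected column count {len(parts)}: {line!r}")
        yield tuple(parts)


def self_injection(rows):
    """Count writes in which a process targets another instance of its own
    image: the footprint of RunPE-style hollowing, where a loader spawns
    itself suspended, overwrites it in several writes and resumes it."""
    hits = Counter()
    for desc, _ind, proc, target in rows:
        m = _WPM.match(desc)
        if m and proc.lower() == target.lower():
            hits[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(hits)


def outlook_profile_access(rows):
    """Registry opens of the Outlook account store by anything other than an
    expected reader; a bare .NET host such as AppLaunch.exe has no business there."""
    return [(proc, ind) for desc, ind, proc, _t in rows
            if desc.startswith("Key") and _OUTLOOK_ACCOUNTS.search(ind)
            and proc.rsplit("\\", 1)[-1].lower() not in _EXPECTED_OUTLOOK_READERS]


def executable_tampering(rows):
    """Executables under protected roots opened for modification by a process
    that lives outside them. An open with write access is not proof that bytes
    changed, so the result is a list to verify on the host (signature and hash
    against a clean image), not a verdict."""
    by_proc = defaultdict(set)
    for desc, ind, proc, _t in rows:
        low = ind.lower()
        if (desc == "File opened for modification" and low.endswith(".exe")
                and low.startswith(_PROTECTED_ROOTS)
                and not proc.lower().startswith(_PROTECTED_ROOTS)):
            by_proc[proc].add(ind)
    return {p: sorted(v) for p, v in by_proc.items()}


# Constructed input: a subset of rows copied from the tables above.
SAMPLE_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1148 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
"""


def triage(text=SAMPLE_ROWS):
    """Run all three checks over one block of rows and return their results."""
    rows = list(parse_rows(text))
    return {"self_injection": self_injection(rows),
            "outlook": outlook_profile_access(rows),
            "tampering": executable_tampering(rows)}


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result)
```

Run as a script it prints the three results for the embedded rows; to use it on a full report, paste the rows of one table into parse_rows. The self-injection count shows the repeated writes per child that the behavioral1 table lists, the Outlook check names AppLaunch.exe as an unexpected reader of the account store, and the tampering list is deliberately only a verification list: pull each path from the host and compare its hash and Authenticode signature with a clean install before concluding that anything was overwritten.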

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3340 wrote to memory of 3760 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 3340 wrote to memory of 1612 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 4828 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Network

Country Destination Domain Proto

Files

C:\Windows\System32\alg.exe

MD5 91e78df94b973f2adb3630a733281114
SHA1 96fa1ecbc96451f0acf85de8f0ec87100b395778
SHA256 a429aa440f22db9019da6907f91d15ee7a85ddad1babce238df342b70bbae22b
SHA512 cc4d21dd5677cbfdf547480f7ce1a3846517da93c1fe471095dc783837fa96d723f9080d8d9aada63bbcbc020410830a2f58636d48680769d7ff071427a0f940

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 b39d6e4a32910f45233e32b7289bca5e
SHA1 378aef10a56d882717e56d84930114e0e43b368f
SHA256 021a8c9e8734c72aec07d707ed49121b47fdfc2e79f31f89392fa8e8f05e8265
SHA512 3ec68665170b8c94fba57b9498cc82c480ccaddb5675ddff4bfac02e5eb8674b55526a5af291b0a867294ecb20ffbdb36abe565e0257b2fe6611484e598cac98

C:\Windows\System32\FXSSVC.exe

MD5 40923603148c18cab2db16ede80be2b6
SHA1 746bc6c1998bf4fe66659d406cf248bae79ae1ca
SHA256 fcc10449b7d38d713a2d642b8c8523643f29776d7ff6845368425836f0cf214f
SHA512 94b5360917b6902792c51e3d92ae778816877a13af47680d538aee6214e97f703c19c875db9f1507ce4e910974782158e6f1bdf5244d660675c22b354934842b

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 0a2e7802bb81d72b0c658929eaefa3c2
SHA1 c0f4c8f7d4ac3e4bb9cdc75bfad8410c4e53654e
SHA256 db7edad870552fe8bff6b4e87382c68c9aafcb7001b34607be848106039dd650
SHA512 b28be4c1535460d29a36854f1ddc7d5abc275ac42b321f9416d18f8e80a2b1ceee15515a67e00b5d52bbbb5faa29e7c146e60d1b521ceebb3d2765fcadec546a

memory/4696-195-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2800-194-0x0000000000C80000-0x0000000000CE0000-memory.dmp

memory/2800-201-0x0000000140000000-0x0000000140237000-memory.dmp

memory/2800-202-0x0000000000C80000-0x0000000000CE0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 674e5e5ca3a4de955a3204b7e05f776a
SHA1 4d7c0eb14d7e57fd9766205a2eb0b1830e8392c0
SHA256 587e9303bbc74a694ed5264b034e775f83420c96ec5a6adfb87c9c8e4100d873
SHA512 d23c807961506cbc0890274c3d75787c0ee555994a66b828887eaa88d33e04533fc91d27cac7e2c6004d4a2117fe65a718f4eecb2d075a4e7cabb7857cab5219

memory/2144-206-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2144-212-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2144-214-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 4055f7593959764cb6dd4d4bd1bd422f
SHA1 457f44a21b7dac19451cacdad3648b350b7ee531
SHA256 fd2f23c12d13fd86340e83fe1fb8de38aaca8dac2ab560d86872ca7bb82ab701
SHA512 3229a4c39788ec092a8ea956434d26c772b18b094aa6c8617d3160f7cf49ec00214cbe75c9b527c16ef67f2802983f455c33778c6e7a1b09b14bd8073b80fe3a

memory/3752-217-0x0000000001E60000-0x0000000001EC0000-memory.dmp

memory/3752-223-0x0000000001E60000-0x0000000001EC0000-memory.dmp

memory/3752-227-0x0000000001E60000-0x0000000001EC0000-memory.dmp

memory/3752-229-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 64be19caffae0b3959afd329e7d76bf8
SHA1 02e215ebbbb407c24707f6b729fa59fb0d8901d4
SHA256 b3950201bebb38f122d137194504a8bc1f08dd0aec10f381eb3972b65218d565
SHA512 4f819d2cb1389d00f7b704f7020cb283b8795fb874f60102c2337282ab6a0b8bc55c74322bbd053c0b0af21c0d5c7547a12b07cbda28f05ae58bb6975bb575ab

memory/1296-231-0x0000000000D00000-0x0000000000D60000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 fb3eebfb9230283dde76d755f679a2d5
SHA1 a4d6a10a4d28580feff95a10e82052ced0a12271
SHA256 937bdf8f93c95584500aa2ed00aadb55244cb6d64207247b75f71b99ab3b7534
SHA512 8595beb0298b1776538dd3bf10b67190a969342fb6c788e13d74baf3ee4bf10209c82008b0f4ad6c6bb6b05c5180ff8536c577fd21603d20e3c58c707d959ef6

memory/1296-247-0x0000000140000000-0x0000000140210000-memory.dmp

memory/5072-248-0x0000000140000000-0x0000000140226000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 fdd56eb649e8d8d1252af69838e4d8f0
SHA1 ad80a1dc2b016600a315c6c5c9630f258b99cb2a
SHA256 0a0743c13c06140927891bb963f05f268c3e7c15682502e3acbc1ad49f1d9bac
SHA512 1038dfd5e9134879e5c97a59b56a256973193d44abc88e2059c7b98220ea2ba230181e449f6b05c7a7375ce53ae42d72ca153403cc4ab3f72526674643c10f72

memory/1016-266-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 760a42803f108fa7d6772f2b4befce6d
SHA1 1ba5c9d7c15bd6a4c44a5cf015205bde6dc8c21c
SHA256 a881c824d2b179bbb42a0bb362de74bcd09d2911dc2a6bed93b0ad05773e0cd7
SHA512 837a2d46c045f2d4889eaa2e5096d9627fa8f71d8943f8a1768a2c4bf56e69c394be436a1dd37a3bc7b9a82959fe8c316488ca11859a66d61aa8a7537849fedc

C:\Windows\System32\Locator.exe

MD5 9e76e4bc6404a1f3f9c17c9b1ed7ac9e
SHA1 cb4f5a2c085f128425444e96c138b72d6ec8f969
SHA256 aefa0df51ac4867dbf1d1ec35bf766588c0438ca17bd29800f1ee0b1ea0a5c1f
SHA512 ef2256c99024678a083d4fb1712085a2f141bcaabfeaac11e226d82d1170a843d89f0e32a1027967e53044d43f03406349ced713b69a6d1e060b22bb49e455dc

memory/4232-283-0x0000000000400000-0x00000000005EE000-memory.dmp

memory/3828-285-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 9acc3ce16ea12a74b38e50a61bb7398c
SHA1 29a7b35268e5f52ae0aea847e88b8dbe4b22e343
SHA256 0610459085c9efc16c8f20edbd9c8cafb53d2edc82e0b2a5cc3214f38025dfb5
SHA512 3fff06596267892cf85dce53f7c00933d5b7d9cd63bf28a515984a039a328cb21a70b954da04e73fb4f47373463720a15b40a4233c37c0aecb76d5b2e954ec41

memory/4204-299-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 05f5dd3dabf68398f72c48edbd76c3c3
SHA1 ef337f18b04482edfd85e57c2f1aa09b1324b691
SHA256 6f02931835493e6e6034e5a8edd13daaccbfaadc1452b39faa44ec0102d6faa3
SHA512 d91158d63c0800779c9966418c325ae0e009dd3a6ed6131a7cc62c6edd3ce2e2a217306228cc520cbf9bc41622c14c71f79e10e4b08be6fa12194bf7d853389a

C:\Windows\System32\Spectrum.exe

MD5 b29668dea3e64161bcbb0f01104026ae
SHA1 546a8f2a12ce66fab4f6e1642c3d2e3f1add0089
SHA256 d05c18fdd2af0b53eecd7a7ee7d2b4d514b115b1501be4fa51c741f39e4ab261
SHA512 69a0645e935db337609c65789681cf489e0f0e5db8da6fc5fe5bc8bb0e3c2912438afb2156fd55a7e023f50f934163801d824582fec1a42f07bdc9883f8469ef

memory/1156-318-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/4460-320-0x0000000140000000-0x0000000140169000-memory.dmp

memory/4828-316-0x0000000000400000-0x0000000000654000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 77d2608105b8bc0e7f7cbf5871e304d6
SHA1 ee483979dd7256c08b84f27ce3bef4a9d6accc00
SHA256 8a09c2146a20e42b716c04dc061ae16f1ff972802783cc7b5654912253e5efbb
SHA512 081d4d71a24273ef3575afde10838ff7095564142d978ba7406c0853b7d77784695f73163d9fad42dcf86fb9f7557567495eda80437b827aa72408c66ab485c0

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 77d2608105b8bc0e7f7cbf5871e304d6
SHA1 ee483979dd7256c08b84f27ce3bef4a9d6accc00
SHA256 8a09c2146a20e42b716c04dc061ae16f1ff972802783cc7b5654912253e5efbb
SHA512 081d4d71a24273ef3575afde10838ff7095564142d978ba7406c0853b7d77784695f73163d9fad42dcf86fb9f7557567495eda80437b827aa72408c66ab485c0

memory/4196-331-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1092-334-0x0000000140000000-0x0000000140259000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 3500ffd625cc54aa8080241a237ad04e
SHA1 c8ee3d23dcc9ce1186a0858a1f7cc00a60270dd3
SHA256 3714653bf18573be52618bc2b96edb10f4116d10a3536ed0a53bf61a78eb93f9
SHA512 3446397801d8b9be92e3555af3ba6ed39c8503a0ca6a617f87ef3b68b5f98505549bda429de720373132941213baede56ed46f4c245e8579e4eb576307902df3

memory/1880-346-0x0000000140000000-0x0000000140239000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 9a6c8d96c523a773ce55074a9a561da7
SHA1 eda24be820517ca457022a5a2b436197f88893cc
SHA256 6929ef389fe775a0b66fc5c0d307417da3463a3e304269e515dc65f0001932d3
SHA512 c3230194a12a3d46e36cb97b2d2d262d41d8f5f415388eef618a4f71cf92b6a086418840fb5ce57c76b4242819023a47c77044dbc17078c0c4869463d2fa13c4

memory/860-359-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 3cefda5d259b6909c279f2f97ef568eb
SHA1 7a498d05d6b7bc215f3bdbbb85cfaf5e81d2d6b8
SHA256 a2dcf286d56ce47a0e89a72574f570f3ffc7e949a8ea04b4ec32e48c1437fdbb
SHA512 b1126a44bdf6f9dc809758f5e85d8310963edd19feef1fafba1f74164fe3534f46d17475b77326dff8022db4d030924053c04c7c370b0d5cddb952ea24c7f0e2

memory/2800-361-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3560-364-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 5cb62d122ab9037b4400cc5af59b3b0a
SHA1 9dc8bde9465a6f64fe17427e190157afcbf1340c
SHA256 82877888b80586989ca408abeecb5a4ff6da23a162c57a68463f0dc2cd51391c
SHA512 f4b9345e70cba2ca07b7cf30fc1ab35aa48c1fbb265d77bcdbe33e79bec295d44c8122df9abb069befcf7d142d380f58f2ea837add02d948fa50a047065cb729

memory/2788-382-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/2144-381-0x0000000140000000-0x000000014022B000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 fe279be0bc7f79f3f972672bbc314e13
SHA1 35cd31a5e0e619b42eadd84be5b9cd22cb6c8568
SHA256 75d067d21e9094742851f43fd10611fae0344e2b1db7079f956bb0f5ccf861ee
SHA512 4036cf417530949c131346653b2e9a4e36340e3e35a547a5474848c05e56e8a1381235aa3d2b288a867d81b2738a59683bbc4d973d271d67f573155d63417f0d

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 5ffcdfe93688708e873930a3616c29ec
SHA1 d4060193a71abffd6d9b82cdd2d295c2bbaa5b72
SHA256 e5f5cd4b8f4f8bb79bcae918b02f3712ee66f73f981dfb059a9018a7eb3cb4e8
SHA512 1a619ddd9132b142544533a87331a63512506f3be8890306035b38e245f34fe86023d35cc18fcfac64e91ab551979211bd26b33ff2d1e925a71482bc0a0fec33

memory/4964-398-0x0000000140000000-0x000000014021D000-memory.dmp

memory/4632-396-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 eb63887bc6c8080eac0c0aba1d5eb4d5
SHA1 52011302bdeadaf1743903f3bdb9cad70284584b
SHA256 3ad5715b076a278b5358ef372bd528c853a05f570878928be2c5b480d0a01c10
SHA512 6f18d2637870a5225e68ae111191efcabb1962de122fbef92eda2381c89e853f0c1ced50d33238fbbaeaf735aca282a0107a8d9509a7e18763e7ebf965568650

memory/5072-416-0x0000000140000000-0x0000000140226000-memory.dmp

memory/3340-417-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4204-429-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3828-447-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/4460-495-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1092-513-0x0000000140000000-0x0000000140259000-memory.dmp

memory/3560-549-0x0000000140000000-0x0000000140147000-memory.dmp

memory/2788-568-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4964-580-0x0000000140000000-0x000000014021D000-memory.dmp

memory/2376-583-0x0000000000B50000-0x0000000000BB6000-memory.dmp

memory/3340-584-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2376-585-0x0000000005160000-0x0000000005170000-memory.dmp

memory/1612-668-0x0000019C48E10000-0x0000019C48E20000-memory.dmp

memory/1612-669-0x0000019C49940000-0x0000019C49941000-memory.dmp

memory/1612-686-0x0000019C49940000-0x0000019C49941000-memory.dmp
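The listing above is flat text: each memory-dump name encodes the PID, a sequence number and the dumped address range, and each dropped-file path is followed by its four digests. The block below is an added example, not part of the original report or of the sandbox's tooling. It parses the listing into records, checks that every digest has the length its algorithm implies, collapses repeated entries (ssh-agent.exe appears twice above with identical hashes), and flags dumps that start at a default PE image base (0x140000000 for x64, 0x400000 for x86), which are normally the process's main image. The sample input is a verbatim subset of the listing; which binary each PID belongs to must still be read from the Processes section of the report, and the example does not assume it.

```python
"""Parser for the dropped-file / memory-dump listing of a sandbox report.
Added example, not code from the original report."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a verbatim subset of the listing above.
SAMPLE = r"""
memory/4828-140-0x0000000000400000-0x0000000000654000-memory.dmp

C:\Windows\System32\alg.exe

MD5 91e78df94b973f2adb3630a733281114
SHA1 96fa1ecbc96451f0acf85de8f0ec87100b395778
SHA256 a429aa440f22db9019da6907f91d15ee7a85ddad1babce238df342b70bbae22b
SHA512 cc4d21dd5677cbfdf547480f7ce1a3846517da93c1fe471095dc783837fa96d723f9080d8d9aada63bbcbc020410830a2f58636d48680769d7ff071427a0f940

memory/4196-157-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/4196-167-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 77d2608105b8bc0e7f7cbf5871e304d6
SHA1 ee483979dd7256c08b84f27ce3bef4a9d6accc00
SHA256 8a09c2146a20e42b716c04dc061ae16f1ff972802783cc7b5654912253e5efbb
SHA512 081d4d71a24273ef3575afde10838ff7095564142d978ba7406c0853b7d77784695f73163d9fad42dcf86fb9f7557567495eda80437b827aa72408c66ab485c0
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_DIGITS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Default preferred image bases emitted by the MSVC linker (x64, x86).
DEFAULT_IMAGE_BASES = {0x140000000, 0x400000}


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Return (regions, files); digest lines attach to the preceding path."""
    regions, files, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
        elif PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
    return regions, files


def hash_problems(files):
    """Digests that are not lowercase hex or not the length their algorithm implies."""
    problems = []
    for f in files:
        for algo, digest in f.hashes.items():
            if len(digest) != HEX_DIGITS[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append(f"{f.path}: bad {algo} {digest!r}")
    return problems


def unique_files(files):
    """Collapse repeated entries (same path and SHA256), keeping the first."""
    seen, out = set(), []
    for f in files:
        key = (f.path, f.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def regions_by_pid(regions):
    """Group dumped regions by the PID encoded in the dump name."""
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r.pid].append(r)
    return dict(by_pid)


def image_base_regions(regions, bases=DEFAULT_IMAGE_BASES):
    """Dumps starting at a default image base are usually the main executable."""
    return [r for r in regions if r.start in bases]


if __name__ == "__main__":
    regions, files = parse_listing(SAMPLE)
    for pid, rs in sorted(regions_by_pid(regions).items()):
        print(pid, [(hex(r.start), hex(r.size)) for r in rs])
    for f in unique_files(files):
        print(f.path, f.hashes["SHA256"])
    print("hash problems:", hash_problems(files))
```

Feed the whole Files section to parse_listing to get one table of PIDs, region sizes and image-base hits; a region at 0x140000000 whose size matches a dropped 64-bit binary is the first thing to compare against the Processes section when deciding which of the dropped service binaries actually ran.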