Malware Analysis Report

2025-01-03 07:38

Sample ID 230501-res2mahd8y
Target Quote 1345 rev.3.exe
SHA256 dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205
Tags
blustealer collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dafbb2a0e6111947e20d5916eae5c2a56937dec2c6c4e1843ce29ceefd22f205

Threat Level: Known bad

The file Quote 1345 rev.3.exe was found to be: Known bad.

Malicious Activity Summary

blustealer collection spyware stealer

BluStealer

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

outlook_office_path

outlook_win_path

Suspicious behavior: LoadsDriver

Script User-Agent

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 14:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 14:06

Reported

2023-05-01 14:09

Platform

win7-20230220-en

Max time kernel

49s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 1304 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Network

N/A

Files

memory/1304-54-0x0000000000320000-0x00000000004C0000-memory.dmp

memory/1304-55-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1304-56-0x0000000000690000-0x00000000006A2000-memory.dmp

memory/1304-57-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/1304-58-0x0000000000770000-0x000000000077C000-memory.dmp

memory/1304-59-0x0000000007D00000-0x0000000007E38000-memory.dmp

memory/1304-60-0x0000000007F80000-0x0000000008130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 14:06

Reported

2023-05-01 14:09

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

Signatures

BluStealer

stealer blustealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\4fd46398ea807a0f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{A100221D-7AEF-402B-B05F-21D404F0BFBF}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d79f681f477cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089bae01e477cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000716f0d1d477cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050a3841d477cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000935a191d477cd901 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 3348 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe
PID 2168 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2168 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2168 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2168 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2168 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4736 wrote to memory of 2508 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4736 wrote to memory of 2508 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4736 wrote to memory of 3312 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 4736 wrote to memory of 3312 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe

"C:\Users\Admin\AppData\Local\Temp\Quote 1345 rev.3.exe"

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900

Network


Files
