Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2023, 02:01

General

  • Target

    fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe

  • Size

    1.4MB

  • MD5

    d6d89eff8ae95f17795daf44ddc35389

  • SHA1

    a7cf42f11071fe319b4e73203ca8269fb38f008c

  • SHA256

    fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b

  • SHA512

    7228480e71aeca16edbfa221879c931090868eb95a59155520065785573994f201613460c6441861ac2ae575abe74717696fdfc2d14d484310ce723fea19fbc5

  • SSDEEP

    24576:4AETCN6fdDv7X8E7Rf/vj6ksjurjtBEmDUheyX7TFqktKOpnAxWB:Yw61XNxmkQismIhXNtZpAc

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, among other data.

  • Drops file in System32 directory 31 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
    "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4132
    • C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe
      "C:\Users\Admin\AppData\Local\Temp\fb71b9df885463cb148e10ddad2b81ca883ce2dcc0a7739808a3e5d203f9d00b.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2400
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3404
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:2524
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1228
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4020
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3544
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1372
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:1900
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:980
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:4752
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:1136
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:3156
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:3748
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4904
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:2772
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:3496
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:4144
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:1464
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:3040
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:4516
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:4572
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:3708
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
          2⤵
          • Modifies data under HKEY_USERS
          PID:4104

      Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

              Filesize

              2.1MB

              MD5

              c0c8175acc4643130e5769dfc3f61ec0

              SHA1

              24da58e388a58d7f68f5a08ec42aa354cfc514b4

              SHA256

              08afa858581707989b947531a6b38336865b7bc4d744de873a74877ae1dcfb52

              SHA512

              8208aac09b7386ced833842e215eb760890c6da8a295addb6d97f832fca3c0be8bc66cbf97d45fd94fed4f999f3712510fafbcae028a9797827e7cbdbd2019a3

            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

              Filesize

              1.4MB

              MD5

              110007252e0a85cbc854cbb723beea5a

              SHA1

              e2bfaf1ae94951c571cea596045f5da0c8aec3b4

              SHA256

              69b69d0c47bb711c14474da4024e23cee2cf98edb56cd1c11a7b81037e2c250b

              SHA512

              118acc06f110d3a7f9a741fa765d972d6864903ae2511aa99e8a2d6b47a5d7ea7dd1b441b02f81519fd3ec8c8e2d2fff9862583c46f2b08469d49db7d6257884

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              1.7MB

              MD5

              30b06ccaeb15d70df990eeea2fc7e697

              SHA1

              7dd337a98fb9426051303237c4959428e8edf371

              SHA256

              aee2fc1e6fbdf6684048e60d5e19a4c648ed56748b7b3311df6252adab2770f8

              SHA512

              fbbb3e9806e6a20245e9e3466c9cb9eb91bb7c66af805c2a4fc458c06b42bca52008c7fc0c2a94ec313014819ae4002810c1a04867e4a04cadb95726136487cd

            • C:\Program Files\7-Zip\7zFM.exe

              Filesize

              1.4MB

              MD5

              cab60fb7cd648be9f92e1799baffd1d7

              SHA1

              d9e98bacfd5e7ce9270a6c911a593a1631a926bf

              SHA256

              ed7f9d3294358d84fcd9134fc887610a9c0fd96baa26405a451c9cb3a0b44144

              SHA512

              2394bcbbb6d50e806696663d88962b074ec17a9b93bcf67d18af0d63fc0299448b97379fe71d926224cb04ec6bc6884488b39eaf95890752b6f82280a2bf0f27

            • C:\Program Files\7-Zip\7zG.exe

              Filesize

              1.1MB

              MD5

              9b642207a0f29c4c65c60bf652509a7c

              SHA1

              1feeeba02df4b132857f25db7636f013f9c56cda

              SHA256

              ec91244ec367f08450fddbd6bea77edf474969b68abb581ed3c78facc64b897c

              SHA512

              69c7c3b8442adb66df3a7ff08b348a0a1d3a875b55259dafd40547c6505748dc41993d15c09d5498df7c05fd1bf478660d255a3c86ec16d517f950d01fd7bdb8

            • C:\Program Files\7-Zip\Uninstall.exe

              Filesize

              1.2MB

              MD5

              5b9788343474a11a06eec9671a7d0ba6

              SHA1

              a85915de3a34eaa31a03f5de194a7e96c90c5588

              SHA256

              f773cac14bfafcff95740046d02dc592e0709b1950f54d9b65e81dc21ef84645

              SHA512

              0cd409fd316eecb38b880d7849fc73bf8e90b1e114aee19719ad92621f6d8bb982a2995f0a686fcf0df18e006d6ee1e187ba0648893f0214ac365d4f05dfe0c5

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

              Filesize

              1.5MB

              MD5

              339abb06c24a589349cac6fc844812d1

              SHA1

              6dd354c8ea6ab62309b6d584084b9bfb0e02b391

              SHA256

              cfa1260c8da9df36b6c6a567bd927af3bc77fdd9a55875ea3e040e655a7c7d42

              SHA512

              8c5bfb96c892afd9e88c0b9994f93fe3afb0d7634fd13732d32940255ba8b892b40ffc3f4fe6b8343fd0b31142e5b673220177aeda9af0632d33c647b311b28d

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

              Filesize

              576KB

              MD5

              350e9f29803fa69c78a321b8c14ef3de

              SHA1

              92715b9350a5c0984430da97f8f2bfc683149b5f

              SHA256

              56d93a340a2685b0c4e5647a08b25f1f3c1093ca6eca81a214ebe18bb1006496

              SHA512

              54aa3842b80099b8a359986f1aeb95d9fae680409064563f59de9b57a9bfe201900f501afb1fc266bc38a3aa6f7ca41ebad5ecea3f740b0e5223afa597c22b95

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

              Filesize

              576KB

              MD5

              b2e0bb0ee89ac1cfbf0f7a826d08c38f

              SHA1

              a4f4950d0812adddc597f9b5ae824d2937a808b6

              SHA256

              89c513d67e19b648c515987dddc14a9837cab0bff0e2a397ba6c83a9ee472cbc

              SHA512

              3a1b67b0b25e2b9d834d2e0aca9576b2fc6047b0493e00f81dbe492ec9b5ec0d42d6d182040c38c913a4d49141262a86e349f7495dce97331fb496b5bd46c51e

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

              Filesize

              560KB

              MD5

              411acac59481d95e7208adece02adc20

              SHA1

              fd272b511a5e40eabb15dcfd2a0c1bf0cc2b885e

              SHA256

              96620b864601bfe9cdee3ee1f5eaf8faa839550a9a139f4066fb4bdc1a9623b4

              SHA512

              a5cc53ee28b566c0bfcab0e782ae4dd3c6dbb211d83833f19ab7fb636df92ac84f3b70ead63fcbe8dbe71aa6debbcaf8b4847265e30052f0c344c3ec04d1fd58

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

              Filesize

              2.7MB

              MD5

              d0bbf2405e35e0413afb89333e3e0989

              SHA1

              eca1a00664586c784425c5653f74c969df76840c

              SHA256

              552b1f3f2c70ff520a8d0266c0c0d51cfbd4494265f1eba0318394d314cc7009

              SHA512

              6dae008b1873d96b107c2bbe4d71b923dc78f961b89e09bf7c6a57d2c35f07b3913ef600f4a412394d8cc1fe4fd73929a9b1f93af23b70ddb772af57cd7cdc9a

            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

              Filesize

              1.5MB

              MD5

              78a6d383b6ff24d1d56d4b80eaaac6b2

              SHA1

              c1f54f3db8d2720a9d2a360c5d0f8d114c1996c5

              SHA256

              1769c2585708be756d40d3be1f34b704b1c1e4fe8c076b89d30fcfd2384b6688

              SHA512

              25a842927efbf1e66971540ef107769fa3c19e963c95662d55384556f2563a8374ae675419d34a033bb54d2d63963ced2589ace2e7eb163fcfc6dc3a22034368

            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

              Filesize

              2.1MB

              MD5

              c49ac6f59fea4a11810c8d0a0dea8dba

              SHA1

              ca4ef3ea370e6ca63fb542dc5241a8c6999bc0d2

              SHA256

              da918f6ebc1efec6478397f24b0ddc4daf6231296a773acdf9ce49fea7652a10

              SHA512

              a97970eedb3afda0c3917b89f4d0ceaa4b173e55b08f90e4f3ad5129bfac51d239b5b5c987af5bbd6398d685677ef5550e4ed7f773bbfde524c3d6948ed6890b

            • C:\Program Files\Windows Media Player\wmpnetwk.exe

              Filesize

              1.5MB

              MD5

              be9bf1e43ef89a082c02bcd3f0c206c8

              SHA1

              703485da8294a1e9c9bab2663ec33f8b579d08b9

              SHA256

              bcdbc17793534a9c284c03c3628f4621c449ab87c80b7f5f25d41eec20830b23

              SHA512

              e72645d889ffded0953d8e48792f34ed9322d193bc967f4c526e1d89e104d330d5181f57eb565252474479399762d85c3e7971690220e05884ebefee33a0f658

            • C:\Windows\SysWOW64\perfhost.exe

              Filesize

              1.2MB

              MD5

              fec8989bcdd04cae387d47d191de9c04

              SHA1

              ffb463c796cb51404dbcc75c957dd2094abedb6e

              SHA256

              d8c391844ace2b5091d3cee9608607ded5de27d1104d74ed1477abeb09efa40e

              SHA512

              642fd1c7fb9831a1a95dc6d92269c841e9a9508a689968ea9bdd02407e7a0ad24b270748ee1a0b0aac6a5f9443fb567595a572cb19c78ae35853de0b8eb7214d

            • C:\Windows\System32\AgentService.exe

              Filesize

              1.7MB

              MD5

              2f7fb887849b03c8d18036b9055d0bfc

              SHA1

              5859fee50e09dbf8f72fa31f7317aef5b1e1d07d

              SHA256

              a12190bc6f1ff4a5be7976f890a89f9023b004083993e8402b90b55df8789720

              SHA512

              725565f5c81dbe9282ec656acbacb97411b9174364b4ec6d3b8ab5959e90b227b617fec3f6a0f819c8daa31f7f124daabf868cec570a541a24cc2d09ddb9585d

            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

              Filesize

              1.3MB

              MD5

              33253f02ad4139e8e032071f44d29394

              SHA1

              700ccd60a9d35655bef84e8b24b48323a2d1404a

              SHA256

              83500f570a810a4c2fa18b2bcd85e00fd05a2f3416ff8ad449a3757f044a67e8

              SHA512

              5a8a0f541f1d78e2096b95d5a50d2f99172356f083ddb5c5a68064a9f4815cb0c28ca9fc0de8ca4b6658447b21ed41eb9f67f63f0d0ec3f58fe6c774cb456290

            • C:\Windows\System32\FXSSVC.exe

              Filesize

              1.2MB

              MD5

              fbec95ef08b1e195d204e4bfedf68b5a

              SHA1

              ae0ac62027a23ae0b9ab906c682c9e6d89a8c0c0

              SHA256

              d62eae19d6d2e20fbedb2ef159ccd125886a6c63b65f61801bbf9be8f937fbdb

              SHA512

              60615d369821ca6d4085383cb34a9bce53a290bfe95462a25041d431b439ae09213cacc76ac9525cb1db04c8805be83be3f89c1969446c010543331a547d9b1d

            • C:\Windows\System32\Locator.exe

              Filesize

              1.2MB

              MD5

              0742159e80955356510e4c2fa6569202

              SHA1

              029a4c62796bd95bb539801f4ed949ad30ea5325

              SHA256

              22357f51c457cc778014b05ad6ce932832ddfd990be2698097fd3ea84c07b45b

              SHA512

              a8b449be4254c079352726e9c777e909ff6c20f1f4c3e22d1d7876c512e5c5a8eb28ae23204513cdb2bf6701ddfe6debaa9cc12c1aa9373ed26a8408bb67b9cb

            • C:\Windows\System32\OpenSSH\ssh-agent.exe

              Filesize

              1.6MB

              MD5

              d61decc5f84096bf5698f0eb4bee0698

              SHA1

              8e3e1bff2ff3b32df738b4c81e7baf413e0ad9a3

              SHA256

              9b110fce71149fd9a5d5e7bd06e53e824d4dd5ed1d8a5ea4d60d51ac51a4e082

              SHA512

              2efa9e316c686289fd519c970cf0b1ac8332a35b776224987aac660aecfb9325a1602b4b291fc2d9f155c189e90bc013fe2edf6507688794e048d7d4ff30da7e

            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

              Filesize

              1.3MB

              MD5

              2a393415ccda8d9f9584e8926eec4500

              SHA1

              894e8b39a6373f9b60341dbce72d9f77007410e9

              SHA256

              6e768baf1edcef7ab6b24304ca5aa0291c456f8e8ad7792d87c75dbd58e6a058

              SHA512

              eecd660a79dfa2d0c4cbb96926b70a9c302ee179105230ad8b870b91e62f6af9d4038e7b34db8aa68b7d68c9be41b2aa5fecd115197b6bd36b66f77923adf89a

            • C:\Windows\System32\SearchIndexer.exe

              Filesize

              1.4MB

              MD5

              a51981d7af4b1a4ff444e8cd13496949

              SHA1

              3f9d0fa9773f6d71063eb14c81660112d12c9154

              SHA256

              f063339e1aa36b52478be3e13aad0455167f126a5d640fef9f66cd8f0afc9f64

              SHA512

              2bfeab540f28e59743bca75b72b037f80a98c047628a27ce56ebb285fc34de54a8ee1a8ff26cfc987038e1dc867f6ec56ae574efcfcf361d84bf625c47298eca

            • C:\Windows\System32\SensorDataService.exe

              Filesize

              1.8MB

              MD5

              51e444f469bdf6b6001ea187837b4278

              SHA1

              48d5e2a3c0e7012dda483c8cdb3b8f813df848ba

              SHA256

              856f81be4bbd670bf73d79ae6af3dc675a146cc460a06d347fbf4f5360fad41e

              SHA512

              2f0eca835f40d03f94e878bc52896ae9a8274cc90b6bef5c81deeb15b1d8232141b59a2b6bbbfb8e639cd2e25512008f4fcf46097d27dbee7a884a543f114698

            • C:\Windows\System32\Spectrum.exe

              Filesize

              1.4MB

              MD5

              de74cd25688585fd446009fddab7061a

              SHA1

              22a4c1f906fd2af5048f2ecf6e10802f4a2862e2

              SHA256

              7697f60e89a99676a87343838e1a8cb62c0de0dfe750ca59136a4a0dca84898d

              SHA512

              3b24373e8ded8c6c64ba4810219c662d880d1ad814029c308a6ffba2803bf444ea734988f001d2670bcc02ff209563b2b10515b5de1df2d0da3d45c0135bcfef

            • C:\Windows\System32\TieringEngineService.exe

              Filesize

              1.5MB

              MD5

              21a27e8980905d0520340a371b9d08b7

              SHA1

              6de9afae4a8ae1ce11f070d06b26fcf3f3618393

              SHA256

              9707ee6e2f6e2b5d21497f84e9a4f14a51c182992914bc0f338401a18a5344ff

              SHA512

              66c395fed46b536547433b1c2003ef4165b98af7bc0b99e6479ab5d2849ea614600266e51c658a838abb2440b57f71dc32f9a30a2ecbe987002fd17cf16172a5

            • C:\Windows\System32\VSSVC.exe

              Filesize

              2.0MB

              MD5

              b9651570d44e1411997ee693f9f425fc

              SHA1

              3533716b620f6d64927324f054641aea2116c6fd

              SHA256

              e174055dea24831562525834a80d548a0f3f2e4bc516882acafa46ad0d2723f9

              SHA512

              a68f1544d134bcfd4906bd17c35e86d56020cd71a53ab034bd42ff7ac1c17ac9af2740e559d02974d2cc8e690196313f0d9a403ec5588f704b779019de81d85a

            • C:\Windows\System32\alg.exe

              Filesize

              1.3MB

              MD5

              6d6e98d06a0522c68b8d241ca00dc6af

              SHA1

              e202d5a811c0eb71c116a1914702b84eb5c0c7c3

              SHA256

              577f406d4a755078b06d5d47408df6c234a499263df2f789a04531cfd7287b59

              SHA512

              0148e56821a0fec07d15ec8618e4b1e4da90b1843ec61744f67aa915cd7bb723919d0273d23374a7976c0dc836ab5f5fd7196d69d557f9541664104c28745ce9

            • C:\Windows\System32\msdtc.exe

              Filesize

              1.4MB

              MD5

              86b70572cd6f5ae32cb873cce0f5a886

              SHA1

              f70f6a22b5e7a166315d9e7743b75c84293f564e

              SHA256

              3bbf1b234a76e5227aee8493a285c652f6a3f665730f80026012911a3ab4caf7

              SHA512

              d9e1da7e982f3ea141f7f8cc4b82b641cd6f8a8ea9f720171c14c8c749917497566120a946a5c28730049183329b7fbb33db54255364735bd016082ebcc0e7cd

            • C:\Windows\System32\snmptrap.exe

              Filesize

              1.2MB

              MD5

              abba9002a7174eba7a7f592b96379a7c

              SHA1

              3c440a323b196919855a9a0f1895df892f375af1

              SHA256

              d0187d6f15b62deb67a2acf04c6c94607bf55da60adc39f161b35d344070cb29

              SHA512

              088c6ad4b000bbbcb9a0edc5070356daec674bdc86ecbba8327f1a6ba2b788fea592d06020391fd3b502e5539ea928916a8034e544b6122e1dea6ebcbc6691c0

            • C:\Windows\System32\vds.exe

              Filesize

              1.3MB

              MD5

              70bdbc7f0f7ce2421f0044ed2e1f39f2

              SHA1

              683eb3a01cb34102769afe260c11ebae43c2b388

              SHA256

              742c5ddd1cce1996ba68e87675b1ff02d330ea9d7e5b4b6497eb4f0d45b495cd

              SHA512

              33b3aaf01aa7e8d08c9b6dad2a2617b3f83aae21ce90185671d9ef63b178dacaf5a4e52260c079d8085556aa09b5528bcdb1ed08dc607dc03cf4ea8f2d097fed

            • C:\Windows\System32\wbem\WmiApSrv.exe

              Filesize

              1.4MB

              MD5

              b981a24cd0d870259045213f345e97e6

              SHA1

              0b2275f2dc40eab85e8fcd0e407f6d1454a33ab5

              SHA256

              6673fdfbd24b8158851ab3a746456d261594e09fe5ebb7f4f5caef79e9e78b5b

              SHA512

              cad9d1f814cd10362ddb4bd956569dc2c17f3bbce4e85be4b13d639601e913b9b511f13f658f452a67d33ac541f5cb1bacffcd7b2c9827e009fb19866835dd10

            • C:\Windows\System32\wbengine.exe

              Filesize

              2.1MB

              MD5

              8710a5dc0550fce4aa1f43d6d2b6363a

              SHA1

              7dae2ffefdfd723254d459663d1db1f27c829844

              SHA256

              f258d179b7e6ffe85e089ceb97775bbedf918c0c0f447ed7fb8d15e0498a9703

              SHA512

              369c1ae39fbb2bcced8159c639d9336bd0671d5cee32e4cb6b35b3403cd1603f58d43a5d50426e1739638797ccaac302fa79b99390dcfd7021dd8a94ac0abe0a

            • C:\Windows\system32\AgentService.exe

              Filesize

              1.7MB

              MD5

              2f7fb887849b03c8d18036b9055d0bfc

              SHA1

              5859fee50e09dbf8f72fa31f7317aef5b1e1d07d

              SHA256

              a12190bc6f1ff4a5be7976f890a89f9023b004083993e8402b90b55df8789720

              SHA512

              725565f5c81dbe9282ec656acbacb97411b9174364b4ec6d3b8ab5959e90b227b617fec3f6a0f819c8daa31f7f124daabf868cec570a541a24cc2d09ddb9585d

            • C:\Windows\system32\AppVClient.exe

              Filesize

              1.3MB

              MD5

              68e8f50081422f0ea26f86a56ec5186a

              SHA1

              44079a8108f2af6cfc0461ea9562010ecea4dd58

              SHA256

              09f62a7cd924891d7d633c71582665ffb408707ed4560b8c151201b47dc12889

              SHA512

              d1d257b3564dcea220a2b6f6a1235d53a917431fef8094e3ceab99ea3d91696e44a2cd421fc341046777844750a88976b536eae92c6d9846952bf53e7ed8c8c7

            • C:\Windows\system32\SgrmBroker.exe

              Filesize

              1.5MB

              MD5

              f1e6d84868e4aea27f5da7d270c0362f

              SHA1

              a4111b4399f42d38224d5525b6a79df4807e4955

              SHA256

              c52cb1a23b1e44410de2e24a28560d5b611eb268e93164a2733edd6ea68c763d

              SHA512

              5d78d77b53e8e354839912a9d418a55ee257c327449e3bee793b57342e6d50e1d52b2b9fd78960c69ceb72060691ac3481d66f7269431acdf1ef1256f24edad9

            • C:\Windows\system32\fxssvc.exe

              Filesize

              1.2MB

              MD5

              fbec95ef08b1e195d204e4bfedf68b5a

              SHA1

              ae0ac62027a23ae0b9ab906c682c9e6d89a8c0c0

              SHA256

              d62eae19d6d2e20fbedb2ef159ccd125886a6c63b65f61801bbf9be8f937fbdb

              SHA512

              60615d369821ca6d4085383cb34a9bce53a290bfe95462a25041d431b439ae09213cacc76ac9525cb1db04c8805be83be3f89c1969446c010543331a547d9b1d

            • C:\Windows\system32\msiexec.exe

              Filesize

              1.3MB

              MD5

              231bdf04f4b6c395dc5119341dfb96b5

              SHA1

              c2543c5458b4b0df0fb02e271462666f4f46f4cd

              SHA256

              4c52e6e350d8b5385acce3c431167d78daa91a5626fbe98fc1505f637db2c940

              SHA512

              a7588caba4221b7242030de0612920a6d316e84d85e1c1612760de37d00bfc5eab832f4e9dbb42de2de2f7682f65094e3bc8bdae7e9ba2e612d881d64ec9d2a0

            • C:\odt\office2016setup.exe

              Filesize

              5.6MB

              MD5

              a000d794641913f8f5e19369954b7f56

              SHA1

              5acbf42199f1d39aec1e43237cd4a878b8edcfa9

              SHA256

              958188161cc8280971577383b8d838f012da3d1400326430ad7b925b60565289

              SHA512

              7e9fd27dadd0cfc24fd5b894bf82b8ca23b51595a1d2572dea2ef4f1e34f656a05727687fdf87f54bbc47bea6b60bb6e5fc7adf74abd569a7e6a50c0526299b1

            • memory/980-254-0x0000000140000000-0x0000000140210000-memory.dmp

              Filesize

              2.1MB

            • memory/1136-553-0x0000000140000000-0x0000000140202000-memory.dmp

              Filesize

              2.0MB

            • memory/1136-259-0x0000000140000000-0x0000000140202000-memory.dmp

              Filesize

              2.0MB

            • memory/1372-211-0x0000000000190000-0x00000000001F0000-memory.dmp
              Filesize 384KB
            • memory/1372-227-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize 2.2MB)
            • memory/1372-205-0x0000000000190000-0x00000000001F0000-memory.dmp (Filesize 384KB)
            • memory/1372-537-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize 2.2MB)
            • memory/1900-228-0x0000000140000000-0x0000000140221000-memory.dmp (Filesize 2.1MB)
            • memory/1900-224-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize 384KB)
            • memory/1900-221-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize 384KB)
            • memory/1900-215-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize 384KB)
            • memory/1944-433-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize 1.5MB)
            • memory/1944-646-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize 1.5MB)
            • memory/2400-149-0x0000000002B30000-0x0000000002B96000-memory.dmp (Filesize 408KB)
            • memory/2400-152-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize 2.4MB)
            • memory/2400-425-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize 2.4MB)
            • memory/2400-144-0x0000000002B30000-0x0000000002B96000-memory.dmp (Filesize 408KB)
            • memory/2400-143-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize 2.4MB)
            • memory/2400-140-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize 2.4MB)
            • memory/2440-612-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize 2.1MB)
            • memory/2440-390-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize 2.1MB)
            • memory/2524-175-0x0000000000650000-0x00000000006B0000-memory.dmp (Filesize 384KB)
            • memory/2524-179-0x0000000140000000-0x0000000140200000-memory.dmp (Filesize 2.0MB)
            • memory/2524-169-0x0000000000650000-0x00000000006B0000-memory.dmp (Filesize 384KB)
            • memory/2752-355-0x0000000140000000-0x00000001401C0000-memory.dmp (Filesize 1.8MB)
            • memory/2772-312-0x0000000140000000-0x00000001401ED000-memory.dmp (Filesize 1.9MB)
            • memory/3024-388-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize 2.0MB)
            • memory/3040-358-0x0000000140000000-0x0000000140239000-memory.dmp (Filesize 2.2MB)
            • memory/3156-276-0x0000000000400000-0x00000000005EE000-memory.dmp (Filesize 1.9MB)
            • memory/3404-157-0x00000000006D0000-0x0000000000730000-memory.dmp (Filesize 384KB)
            • memory/3404-163-0x00000000006D0000-0x0000000000730000-memory.dmp (Filesize 384KB)
            • memory/3404-178-0x0000000140000000-0x0000000140201000-memory.dmp (Filesize 2.0MB)
            • memory/3496-579-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize 1.4MB)
            • memory/3496-315-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize 1.4MB)
            • memory/3544-510-0x0000000140000000-0x0000000140237000-memory.dmp (Filesize 2.2MB)
            • memory/3544-202-0x0000000140000000-0x0000000140237000-memory.dmp (Filesize 2.2MB)
            • memory/3544-200-0x00000000004D0000-0x0000000000530000-memory.dmp (Filesize 384KB)
            • memory/3544-193-0x00000000004D0000-0x0000000000530000-memory.dmp (Filesize 384KB)
            • memory/3748-573-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize 1.9MB)
            • memory/3748-279-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize 1.9MB)
            • memory/4020-187-0x0000000000EA0000-0x0000000000F00000-memory.dmp (Filesize 384KB)
            • memory/4020-194-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize 1.2MB)
            • memory/4020-190-0x0000000000EA0000-0x0000000000F00000-memory.dmp (Filesize 384KB)
            • memory/4020-181-0x0000000000EA0000-0x0000000000F00000-memory.dmp (Filesize 384KB)
            • memory/4104-613-0x000001395EEF0000-0x000001395EEF1000-memory.dmp (Filesize 4KB)
            • memory/4104-708-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-648-0x000001395F290000-0x000001395F2A0000-memory.dmp (Filesize 64KB)
            • memory/4104-658-0x000001395EEF0000-0x000001395EEF1000-memory.dmp (Filesize 4KB)
            • memory/4104-659-0x000001395EF10000-0x000001395F010000-memory.dmp (Filesize 1024KB)
            • memory/4104-660-0x000001395EF10000-0x000001395F010000-memory.dmp (Filesize 1024KB)
            • memory/4104-661-0x000001395F290000-0x000001395F2A0000-memory.dmp (Filesize 64KB)
            • memory/4104-662-0x000001395F290000-0x000001395F2A0000-memory.dmp (Filesize 64KB)
            • memory/4104-679-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-680-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-681-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-698-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-699-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-700-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-703-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-704-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-705-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-706-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-707-0x000001395F330000-0x000001395F340000-memory.dmp (Filesize 64KB)
            • memory/4104-647-0x000001395F290000-0x000001395F2A0000-memory.dmp (Filesize 64KB)
            • memory/4104-590-0x000001395EED0000-0x000001395EEE0000-memory.dmp (Filesize 64KB)
            • memory/4104-614-0x000001395EF10000-0x000001395F010000-memory.dmp (Filesize 1024KB)
            • memory/4104-615-0x000001395EF10000-0x000001395F010000-memory.dmp (Filesize 1024KB)
            • memory/4132-138-0x00000000058C0000-0x00000000058D0000-memory.dmp (Filesize 64KB)
            • memory/4132-134-0x0000000005C10000-0x00000000061B4000-memory.dmp (Filesize 5.6MB)
            • memory/4132-135-0x0000000005660000-0x00000000056F2000-memory.dmp (Filesize 584KB)
            • memory/4132-136-0x00000000055E0000-0x00000000055EA000-memory.dmp (Filesize 40KB)
            • memory/4132-137-0x00000000058C0000-0x00000000058D0000-memory.dmp (Filesize 64KB)
            • memory/4132-133-0x0000000000AC0000-0x0000000000C30000-memory.dmp (Filesize 1.4MB)
            • memory/4132-139-0x0000000007C50000-0x0000000007CEC000-memory.dmp (Filesize 624KB)
            • memory/4144-332-0x0000000140000000-0x0000000140259000-memory.dmp (Filesize 2.3MB)
            • memory/4516-611-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize 1.3MB)
            • memory/4516-360-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize 1.3MB)
            • memory/4572-430-0x0000000140000000-0x000000014021D000-memory.dmp (Filesize 2.1MB)
            • memory/4572-645-0x0000000140000000-0x000000014021D000-memory.dmp (Filesize 2.1MB)
            • memory/4752-257-0x0000000140000000-0x0000000140226000-memory.dmp (Filesize 2.1MB)
            • memory/4904-309-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize 1.8MB)
            • memory/4904-560-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize 1.8MB)