Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/05/2023, 18:36

General

  • Target

    1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe

  • Size

    1.6MB

  • MD5

    8a437b5f22a40f6a67e3482d572a1ee5

  • SHA1

    b901960026dfc17af9d36b3bc4d254d88712e90b

  • SHA256

    1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1

  • SHA512

    e5c6e1f0f4203bba0bf0e57ef85732729ccb6bc14ba5f1c4e5bbeb8236d273b1c2e04cb911d933cb34a3e74c53450ffda934d17f9de73fede3e3128a77b1f409

  • SSDEEP

    24576:4Pm1kT7yByn1KTLTHsVsv9lFajXfrZlt08JvtY+3TBD6l2X:jWTRSLzsVIjerF0se+3lDS2X

Malware Config

Extracted

Family

darkcloud

C2

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
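The extracted C2 is a plain Telegram Bot API call: the bot token sits in the URL path and the destination chat in the query string, so stolen data leaves over HTTPS to a legitimate host. The following is an added example, not part of the sandbox report or of DarkCloud itself: it parses that URL into the fields worth pivoting on (the numeric bot id survives token rotation and chat changes) and then runs the same parser over a constructed proxy log to separate this bot's traffic from ordinary Telegram use. The log line layout and the hypothetical second bot id are assumptions for the example. Nothing here contacts api.telegram.org; the token in the report is the attacker's live credential and should not be exercised from defender infrastructure.

```python
"""Parse the Telegram Bot API C2 endpoint extracted above and hunt for it in web-proxy logs.

Offline only: nothing here contacts api.telegram.org.
"""
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted in the report above.
C2_URL = ("https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48"
          "/sendMessage?chat_id=865011046")

# Bot tokens are "<numeric bot id>:<secret>". Telegram documents no fixed secret length,
# so match a character class rather than a width.
TOKEN_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api_method>\w+)$")


def parse_telegram_c2(url: str) -> dict:
    """Split a Bot API URL into the fields a hunt needs; raise ValueError for anything else."""
    parts = urlsplit(url)
    m = TOKEN_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or m is None:
        raise ValueError("not a Telegram Bot API endpoint")
    return {
        "bot_id": m["bot_id"],                      # stable attacker identifier
        "token": f"{m['bot_id']}:{m['secret']}",
        "api_method": m["api_method"],              # sendMessage, sendDocument, ...
        "chat_id": parse_qs(parts.query).get("chat_id", [None])[0],
    }


# Constructed proxy log in a simple '<ts> <client> <http method> <url> "<user agent>"' layout
# (assumption: real logs need their own line regex). Line 1 mirrors the report's C2 URL;
# the bot id on line 4 is a made-up second bot, not an IoC.
PROXY_LOG = """\
2023-05-05T18:37:02Z 10.0.0.15 POST https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046 "Mozilla/4.0"
2023-05-05T18:37:05Z 10.0.0.22 GET https://web.telegram.org/ "Mozilla/5.0 Chrome/106"
2023-05-05T18:38:11Z 10.0.0.15 POST https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendDocument "Mozilla/4.0"
2023-05-05T18:39:40Z 10.0.0.31 POST https://api.telegram.org/bot1234567890:AAExampleOtherBotToken/sendMessage?chat_id=1 "curl/7.88"
"""
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<http_method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def hunt_proxy_log(log_text: str, known_bot_ids: set) -> list:
    """Return one record per Bot API request, tagging those whose bot id is a known C2."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            c2 = parse_telegram_c2(m["url"])
        except ValueError:
            continue                                # ordinary Telegram traffic or another host
        hits.append({
            "ts": m["ts"], "client": m["client"],
            "bot_id": c2["bot_id"], "api_method": c2["api_method"], "chat_id": c2["chat_id"],
            "known_c2": c2["bot_id"] in known_bot_ids,
        })
    return hits


if __name__ == "__main__":
    cfg = parse_telegram_c2(C2_URL)
    for hit in hunt_proxy_log(PROXY_LOG, {cfg["bot_id"]}):
        print(hit)
```

Because api.telegram.org is legitimate, a host-only block is rarely acceptable; the useful alert is any Bot API request (path starting with /bot<digits>:) from a process that is not a Telegram client or browser, with the bot id as the pivot for attribution across samples.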

Signatures

  • DarkCloud

    An information stealer written in Visual Basic.

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

  • Drops file in System32 directory 31 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
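The two registry signatures above (SCSI keys, processor information) describe the usual hardware fingerprinting that precedes a sandbox bail-out: disk identifiers and the CPU name string carry hypervisor vendor names. The report does not list the exact keys this sample read, so the paths below are the ones commonly used for this check and are an assumption. The script is an added example, not code from the report or the malware: on Windows it reads the live registry values and classifies them; elsewhere it classifies two constructed value sets (a typical analysis VM and a physical workstation) so the logic can be run anywhere.

```python
"""What the "Checks SCSI registry key(s)" / "Checks processor information in registry"
signatures correspond to: reading hardware identifiers and looking for hypervisor vendor
strings. On Windows reads the live registry; elsewhere classifies constructed values."""
import sys

# Registry paths commonly read for this purpose (assumption: the report does not name the
# exact keys this sample queried).
SCSI_KEYS = [
    r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",  # value: Identifier
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum",                                    # values: 0, 1, ...
]
CPU_ROOT = r"HARDWARE\DESCRIPTION\System\CentralProcessor"     # one subkey per logical CPU
CPU_NAME_VALUE = "ProcessorNameString"

# Vendor strings that virtual disks and virtual CPUs typically carry.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "xen", "hyper-v",
              "msft virtual", "bochs")


def classify(disk_ids, cpu_name, cpu_count):
    """Return the reasons a host looks virtualised / sandboxed; an empty list means none found."""
    reasons = []
    for ident in disk_ids:
        marker = next((m for m in VM_MARKERS if m in ident.lower()), None)
        if marker:
            reasons.append(f"disk identifier contains {marker!r}: {ident}")
    marker = next((m for m in VM_MARKERS if m in cpu_name.lower()), None)
    if marker:
        reasons.append(f"CPU name contains {marker!r}: {cpu_name}")
    if cpu_count < 2:
        reasons.append(f"only {cpu_count} logical processor(s)")
    return reasons


def read_live_values():
    """Windows only: read the same registry values; returns (disk_ids, cpu_name, cpu_count)."""
    import winreg
    disk_ids = []
    for key_path in SCSI_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
                _, value_count, _ = winreg.QueryInfoKey(key)
                for i in range(value_count):
                    name, data, _ = winreg.EnumValue(key, i)
                    if isinstance(data, str) and (name == "Identifier" or name.isdigit()):
                        disk_ids.append(data)
        except OSError:
            continue                       # key absent on this build: skip it
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_ROOT) as key:
        cpu_count = winreg.QueryInfoKey(key)[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_ROOT + r"\0") as key:
        cpu_name, _ = winreg.QueryValueEx(key, CPU_NAME_VALUE)
    return disk_ids, cpu_name, cpu_count


# Constructed samples: a typical single-vCPU analysis VM and a physical workstation.
SANDBOX_SAMPLE = ([r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0\5&1982005&0&000000"],
                  "Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz", 1)
PHYSICAL_SAMPLE = ([r"SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO\4&2a1e3c8&0&000000"],
                   "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz", 8)

if __name__ == "__main__":
    if sys.platform == "win32":
        print(classify(*read_live_values()) or ["no VM markers found"])
    else:
        for label, sample in (("sandbox", SANDBOX_SAMPLE), ("physical", PHYSICAL_SAMPLE)):
            print(label, classify(*sample) or ["no VM markers found"])
```

Running this on an analysis VM shows exactly which values to patch (disk identifier strings, CPU name, vCPU count) so that samples with this kind of check keep executing instead of exiting early.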

Processes

  • C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
    "C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe
      "C:\Users\Admin\AppData\Local\Temp\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2172
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1256
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4572
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1716
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2920
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3832
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:2268
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3964
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:5040
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:1624
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:4388
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:2676
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:2124
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:400
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4544
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:3684
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:1528
      • C:\Windows\system32\TieringEngineService.exe
        C:\Windows\system32\TieringEngineService.exe
        1⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:4124
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:2496
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3504
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1892
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:5100
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:4976
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
          2⤵
          • Modifies data under HKEY_USERS
          PID:2740
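The tree above shows the sample (PID 2396) flagged for SetThreadContext and WriteProcessMemory and spawning a second copy of its own image (PID 2172), which is the child that then drops files, enumerates processes and installs a hook. That combination is consistent with process hollowing (a suspended child of the same image, its memory overwritten, the thread context redirected), an interpretation of the signatures rather than something the report states. The following is an added example, not part of the report: a detection rule over constructed process-creation events modelled on the tree, flagging any child that shares its parent's image while the parent shows both calls, with severity raised when the image lives in a user-writable directory. Parent PIDs of top-level processes are not in the report and are set to 0 here.

```python
"""Detect the self-injection pattern visible in the process tree above."""

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1818d06ab0cd3441de35fa14c0c981451bfd1139dec6edb7e8699e7d0f9ac8c1.exe")

# Constructed process events modelled on the report's tree. PIDs are those reported; parent
# PIDs of top-level processes are unknown and set to 0. "apis" is the set of flagged API
# behaviours an EDR would attribute to that process.
EVENTS = [
    {"pid": 2396, "ppid": 0, "image": SAMPLE,
     "apis": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 2172, "ppid": 2396, "image": SAMPLE,
     "apis": {"SetWindowsHookEx", "AdjustPrivilegeToken"}},
    {"pid": 2932, "ppid": 0, "image": r"C:\Windows\system32\SearchIndexer.exe",
     "apis": {"WriteProcessMemory", "AdjustPrivilegeToken"}},
    {"pid": 4976, "ppid": 2932, "image": r"C:\Windows\system32\SearchProtocolHost.exe",
     "apis": set()},
    {"pid": 2740, "ppid": 2932, "image": r"C:\Windows\system32\SearchFilterHost.exe",
     "apis": set()},
]

HOLLOWING_APIS = {"SetThreadContext", "WriteProcessMemory"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")


def find_self_injection(events):
    """Return (parent pid, child pid, image, severity) for every child that shares its
    parent's image while the parent shows both hollowing calls."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        image = child["image"].lower()            # case-insensitive: System32 vs system32
        if image == parent["image"].lower() and HOLLOWING_APIS <= parent["apis"]:
            severity = "high" if any(d in image for d in USER_WRITABLE) else "medium"
            hits.append((parent["pid"], child["pid"], child["image"], severity))
    return hits


if __name__ == "__main__":
    for hit in find_self_injection(EVENTS):
        print(hit)
```

SearchIndexer.exe is deliberately included as a control: it shows WriteProcessMemory but neither SetThreadContext nor a same-image child, so it is not flagged, which keeps the rule from firing on ordinary parent-child pairs.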

      Network

            MITRE ATT&CK Enterprise v6

            Downloads

            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

              Filesize

              2.1MB

              MD5

              04ae1ec76338f1c1559d93906717d3c8

              SHA1

              5507d8b92d733e6b5e7dfbfaf827ffc1e7879522

              SHA256

              bce29973c71d5b05c6d1aff5c716e7801b04094a6ac64a57a659d8c5a0dd8d87

              SHA512

              784eee05c224d8333446ca3dce927166bbf62c76b5ca7cc22d0fe0523757176de61778ae7b151db3e3d049b67a9ccb0a687119714b0886d3d424de91b7ac3c70

            • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

              Filesize

              1.4MB

              MD5

              17a18d7e7da34ec4321c56845800dbb4

              SHA1

              d72ba1d42e8049722769729c246a349893aa69e1

              SHA256

              4caabff80a6bddd1fe2b4255edf4af9446b7a8fdbfbc568283d3db99a249c8fc

              SHA512

              3a4ffd9f907827b4c9bb139f48422c0fbfbbae8b9f683049638ad32d6b3782248d14fff9d27bd0d34d21e2a69b058c2f5d778a88c739b81279cdfde5f53df4b2

            • C:\Program Files\7-Zip\7z.exe

              Filesize

              1.1MB

              MD5

              4d9a54ba583cc69c0846e7332db22a28

              SHA1

              2a7565561f73b9960113cfbb8f9c57055888c190

              SHA256

              829563d5a0ad7feaf4f2131c559018fffa769229e5fea7e664244eb496f0f935

              SHA512

              ae9c68145f484884bea71889464860cbddc19fd8ad8bb357d7c636a280dba1202b57dfe0f58453675c924b909e0c6bad2f86c86d9b33bfbd26cd28570b8b2649

            • C:\Program Files\7-Zip\7zFM.exe

              Filesize

              1.1MB

              MD5

              78d71482573829d54d54f5cebfc81be6

              SHA1

              1ee448d7520e36fc8c63d6e125669236a8759520

              SHA256

              ead6e24152cb911acda27c771be9ceec5e6b3e52444af396fb6b91ebc7c30aaa

              SHA512

              269caaa34a730f0082c203ef609d834346c35e29e64215b846c9aea80098ca1d84d6c248031a82ca1295edf1b29bcffd28651f51cc1d68114442720564a6dbf0

            • C:\Program Files\7-Zip\7zG.exe

              Filesize

              1.1MB

              MD5

              1979e689b289837bb892eef78eea1de8

              SHA1

              7324f5f289e9db50e17096d7efbcdc65820124cc

              SHA256

              10eeef2abf402f2f77b0f6f95b4de08df7bc717f4e5405376e58d7d36342bab7

              SHA512

              567d1b4f38bdbec9536f89ceb365d7ec14e2d93e1a61aad1dcee50a4a9967d3212c340b979d3fd6ead712e6f4f114555573a79e193294c9ae059e1427d3b8921

            • C:\Program Files\7-Zip\Uninstall.exe

              Filesize

              1.2MB

              MD5

              6648339ba23edd0d9e7399ad25f7767a

              SHA1

              361f57ebc00552fe023b56906516c58bb5a112fb

              SHA256

              816a31c547b1884325ca0f62f35616d95124840492fc42cddad2da0006dbd2f5

              SHA512

              79948753a277bf9ffa65713c9b0c85bb6df96deedce236e7f546c3d14182b4a6db884a0b3ce17430d07de1a2b0b680ea1c303486ecbef3908411c8472cddcad9

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

              Filesize

              1.1MB

              MD5

              586e6557355925b4e99dec43b5513058

              SHA1

              19ce813be90fe4e163a0f8511cb677ba0973d1db

              SHA256

              1f5bd4b772dc67d92d65308ad7d5893ef82712eef5dd7c0313b9ef9a726575b6

              SHA512

              82ea89f9c130d6151fda2e7bbffaec065efc5494c00c290667ad84803f3fb38cbe712e36749ba4f6881e86cd58675583ecedcf4cb1f88c3cfd01c38118b379b4

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

              Filesize

              1.1MB

              MD5

              e3dcabb73fad8ac866e9d147309fc7db

              SHA1

              c90aac6b2ba458dae6e00e4d2731ef5a0d1cdd07

              SHA256

              795c619e69fa24891a0151503ef0aec797a408fab1a6915d56d835d741ea5aa5

              SHA512

              e17c1cc343ad13bdc8bb0c41bf26706b02c3c9308954c598750f3c567aa62dbc0ec093e8c3ff997372e3dc18367c0959eda515b861d987c5d144f2c06b5b7480

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

              Filesize

              1.1MB

              MD5

              7701019cb31892cb5aefd7c57f165b63

              SHA1

              1a6ee9c2b6a5e57f1b7c0e73d7b061ebe92e6e0e

              SHA256

              24bd13f9f83f900e8d19acf871eecdb6980491af88949f9d58e2fbabd920038d

              SHA512

              c1ecaf2f9206762d343423aaad80b4e1ebc829e2fd9f0f5b24906bd0807eb655e7997ef454a249fc6ee57086b354d6b3b53c486688211ff480e9806e39acd7fb

            • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

              Filesize

              1.5MB

              MD5

              56ce5fc4edca0a0de2579f359cf5a96d

              SHA1

              e50570914e3a76d33637e10c4e0150c03ae97517

              SHA256

              a8e8f00447bebc1dd2f67192716296215cf15c9597f3d88da794d9f85e3cde12

              SHA512

              50e653d683c89b4019fb97ede55ed5f0c781cc544ba09ed8469374ffc6bb4f311ece5e20630e152a87f6b23e1f494188dc59e20de6ae427b873d5aa8c5ebc5a8

            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

              Filesize

              2.1MB

              MD5

              c39fe0a04b80377474a3eb2cb55ab7cb

              SHA1

              dbfcd7be1835084031d6cbff540900b55758d93d

              SHA256

              2d84b37d29fc8f38671d21fc6c3bdc680d23a1c0764cd4334f39d183bf4e302d

              SHA512

              f5318eca431d4e5e30b66b97775991be645c51c93f71ee3bf409b6641ec0bf90b18b3cdcabfbe7e752826dc920fa98feb09fdaba302707ce8d42bc87b9b00179

            • C:\Program Files\Windows Media Player\wmpnetwk.exe

              Filesize

              1.5MB

              MD5

              72d08c4089a4b2b9e44dc6821e7fb2f5

              SHA1

              1f6db81c39abc6613ab6e8cfdf7d2eea60236ffb

              SHA256

              1fd0101094b4df648bed947598d2ad03b4f0f3fedfbc6ff95da9fed973f3afca

              SHA512

              744219b454d6c23f985f882306aaafeb9c1875fb1cf03192c8c6d7077cf076e30660128000b9011b833dbe28d1ed3f4c1a1d58cad201c4c6b05a14237474dacd

            • C:\Windows\SysWOW64\perfhost.exe

              Filesize

              1.2MB

              MD5

              19718652c39286980d8e76863251cd8f

              SHA1

              9495351d9a6ccbc56a1364d92985d8e7026592ce

              SHA256

              2a171f86ec91531501a45bf2ce6b189e45780a0a056b82da14da8c07fa8c0c9b

              SHA512

              0cba6ee1ecfa73a1d9540957fec70cf2e88c63c25d84c013fe8ac989f0a468ede62b25ca16c49567d7af46f6ce261fa8a7f419d9e54a4a440e5178b0e80197fc

            • C:\Windows\System32\AgentService.exe

              Filesize

              1.7MB

              MD5

              728bfd12274a9ea3a1c950a8156d9329

              SHA1

              b1a5a11f7c3bc720f146ea8e1aa8cbf25bee6587

              SHA256

              07058bcf734d6143672b39025b60a09b66e1db8a49aa411dd3a338a68c4be26d

              SHA512

              dbf843ffa8e7fe4b9eece020121169712bc046481cfb4dd2f78bf22bb2a53fc1127b92a3426d50096e341a7db43f4a90f94a04416d48ababec858d64b7bf6e9c

            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

              Filesize

              1.3MB

              MD5

              26c963d9d8d1a2a2c64389d7e122f0c0

              SHA1

              a17b679e11943199abce6c7acdc8713ce21f5eae

              SHA256

              9504e65d044362803e2cc0612943b93f7090ef6d41e321442dec026bf9ad5aba

              SHA512

              1e4274edf70730b12c82c57c27c5687f3f4e5ac6a046143b7f0553df4632ad4ea0506fbea4dd9b1c77e83beed4316bfc87cbd4fb081c2d22a7924371b922ee52

            • C:\Windows\System32\FXSSVC.exe

              Filesize

              1.2MB

              MD5

              3858340e8a43e3afee3c5fdcb11c2cca

              SHA1

              fae43ff3cc1bce26dca300120d01723ca84886fc

              SHA256

              cbcee621874a1241cf12b081c5e35318f2f165fbbabe5866d36911eef6d3b1cb

              SHA512

              6c21de18b5424beebeccbdb7cb5f67fb8e85a956bbac8623afed733b54462bc1b4083024dc137568918ecce987f8c7e8f02479484eb1db3badd74372d130398b

            • C:\Windows\System32\Locator.exe

              Filesize

              1.2MB

              MD5

              2f1d8ab24212944f9d31e60955222d9d

              SHA1

              35c7b600e0b1c03582c6798f1bd56076d68dc7f6

              SHA256

              5eee914bc0936569f3f5304352fb020ae1058105f926c1eb3586555aba11ab98

              SHA512

              b9e0f299f6abe6a74135167841e585943bd8a84d770605047965f2e44b2295c094163b799cd4f3a7626118f1b8a96058e5a41955c179ae5953c47b9e7e8cffd3

            • C:\Windows\System32\OpenSSH\ssh-agent.exe

              Filesize

              1.6MB

              MD5

              bf922ddfc7ddf5ba7092ee68dd5e51df

              SHA1

              963b5d22db26bfc578100c50fc99f0a54c8d475e

              SHA256

              67cf0d5cbe72dfe93658189b692784c3d6ce4aca3d07a6368f885a312ced03ad

              SHA512

              5e2323a53b3fb1614165b357c3603585b0d7936ddf732dd3d966c92450c2ba3ae48b48b49b3ada79ef951adfc11de6b7c34544eaf54071099314a6e1cc70ef6f

            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

              Filesize

              1.3MB

              MD5

              2aeb8795db41bae4812bc4c792920169

              SHA1

              ffb7f07acce8e06dbd2dd478df57032892e998c0

              SHA256

              5e4412da6678ebfda785ac053937ece1b2bfe448514959c5bc620ef7ccef7e49

              SHA512

              fb330f882d9a6c855f1b8f12635f7d643ac07aaa68f99fc7b63a56e956dc344f326eb24730c55490283004f20e865058265616be15a88b93029e6ef17f1c6d81

            • C:\Windows\System32\SearchIndexer.exe

              Filesize

              1.4MB

              MD5

              93cc061163c1346be61b23e9037f67b5

              SHA1

              fb42c95deb3696548d04933cda49c1bd00583f53

              SHA256

              c1df797209dcbd15f6bdfe5f86f4326c9d1fa132d967ca34caac630ac13a8ec4

              SHA512

              0d6be514bacb098f9a6237e9cf4bed631fc339b7093a92faf1e49e4710c314d62bec10b896dfb0ce868d502bab06c20c9e632186827ca49c15260a4f0acd10da

            • C:\Windows\System32\SensorDataService.exe

              Filesize

              1.8MB

              MD5

              834c659bc949c91602f044c2226ae372

              SHA1

              29ad8f3a1396619ffd31c268a2c0a193240a0300

              SHA256

              b0381341d456c152251057f7ad8ea5c4e522a424e4c41c045c3c0812cf79e9fb

              SHA512

              ddf6df22e4e5c64e6e6a9605402d204bcf285286e99b4a66523073ce8d4f3a4b357305433c7f4cf95065e7db283c0bdd75761b3009dc043a29af55fb5351d778

            • C:\Windows\System32\Spectrum.exe

              Filesize

              1.4MB

              MD5

              0f7d798bf877007a3d0d1919ceec4029

              SHA1

              007d7f5f28d92924460c52951dea921b8420ccfa

              SHA256

              252058638bd1a4508e84f5e2841fecbf1ae1ef3005b82e547eaefc48217b490f

              SHA512

              e8f3e3157037c76781b2e87ab7b1c420549f7437ed9a021be583f1ef1a1a100ce418593d7f76664384a494b4cb08dea64af0c164412fb11e31066c89c552653e

            • C:\Windows\System32\TieringEngineService.exe

              Filesize

              1.5MB

              MD5

              285365fbdf987e6165e40aaad3ee5c27

              SHA1

              e8adda49bfbfaad26a3ca878a88b2c52ccce4a68

              SHA256

              605fa8971016c562286ced29a2c77b026939a57e6f71bf1ab438fb92106fac9c

              SHA512

              0fc42f561487cdeb217f249f20faa01a9854ce7bb9eb217b4dee92d30c8572d75468bd198894536583bdfca91c644ee1fa5b09d55249a96c7de4dc2fb4696232

            • C:\Windows\System32\VSSVC.exe

              Filesize

              2.0MB

              MD5

              78a8ceacb459fb498b669eb302426ef2

              SHA1

              da7f6d423c839efcf75214134de3bec9b28ab4c9

              SHA256

              cd70dc456125b76aaa3c974febedd1e8ebaef8d79c6700c11550b700646353ac

              SHA512

              5a5dee91be672cd525454abb1debf0678d3aa7d2d1a0d9365da011b93eab548bf0156fc7cade94b940513ecdab15bfe814369fb1a1c92270b1a0dbfc128e2d32

            • C:\Windows\System32\alg.exe

              Filesize

              1.3MB

              MD5

              b577409c73f5094739da5c19a5c9fe72

              SHA1

              82c54d209d67e77aee37db362efe72c6f825a0d5

              SHA256

              e5c174e6e569cc10462e2f34d5cc86c4b8010eb2bdf96fb11aabdbfe716a0a40

              SHA512

              6c00b8028a8c890a4c43bdab4d298e7a4ac9e0c2e140f36cebde77dcf78bd0879480e694c4589a15ebf1c32a2cabe6b8c60a35ae58ccb98e0e960e33a23f0cf7

            • C:\Windows\System32\msdtc.exe

              Filesize

              1.4MB

              MD5

              133ca165b44b6b96a2d9335ab36a7cd3

              SHA1

              d91cb5caf610f0411f4d337886fc28491d3c9156

              SHA256

              86b4e9047f419b56571d21e8b12e096f891babcee1852a6dd078624f0d5fae5f

              SHA512

              a12ad5b4f7cccace5e82c3eac688a18040de061e7338ed1b17fc5a341d974616e9cbde096e35ff37a0165637e62b18efe39faa0a787f770c29ae37f774c90531

            • C:\Windows\System32\snmptrap.exe

              Filesize

              1.2MB

              MD5

              e4a9e2bfd2faeeba5d9fd287543eb9b6

              SHA1

              2f76af9a52718b3e66ea9a0a5470ca9769a92eef

              SHA256

              4164dffc7339debcdf2b2774d945bf0f6ed855eff1c564084d8a976d995382e2

              SHA512

              e6d80c41c9079ce0fd6cbd0f331ec75740dc02f742a7480a13a9010dfa4c18f59d7284158a254f80995466314ec59a1f463a2fcf8030715a3e739d2df57b125a

            • C:\Windows\System32\vds.exe

              Filesize

              1.3MB

              MD5

              981d1f5b85d48ed03fe18e439fb1a587

              SHA1

              67925f026c1763274289bc0ce09eddbfedfc5392

              SHA256

              f34226024c61a5c3bc5057df3d91180883750c6447c3b820d39d346ad465d83a

              SHA512

              189f0adf309e22f987d49c35c156cc43a5777f753ac892267832dd7d220721b7d22f0b95a8bfd2bd60ba317397dc2aa674086e886118fc7758d8a52d8f2bf8a5

            • C:\Windows\System32\wbem\WmiApSrv.exe

              Filesize

              1.4MB

              MD5

              4ae991eaebc6fe242c700d9d6e57427c

              SHA1

              cba6a1850d8118ee369c822198e19e2bd1904688

              SHA256

              a4a4bd9dc255ac901ea892d8558c571ce5d2d52b33a495db403c84e6daa446cb

              SHA512

              27b205b3ed645d8addf24680c50ff320028e446a4b9478397582ee68ec764ca6bc73e396b7c2ea7acae2269156d4cb7e0816f666fa7d449879f2ba244bc19e49

            • C:\Windows\System32\wbengine.exe

              Filesize

              2.1MB

              MD5

              cddd142cd3a1e3c38acb516c76406a8b

              SHA1

              1b30bb4e1f67481088345dd8a60da41f4cbdacf4

              SHA256

              2b688f926db6b86b5f394766032a73e003a2a25cf467947262c42e998b9e46b0

              SHA512

              2571a368a7137bf344375c11da27aed78320647b697311ed4c9cc7798ad6ce1afbf886181c106ab15456dee711060b369e40efc7ce596ab172809663163dc5a3

            • C:\Windows\system32\AgentService.exe

              Filesize

              1.7MB

              MD5

              728bfd12274a9ea3a1c950a8156d9329

              SHA1

              b1a5a11f7c3bc720f146ea8e1aa8cbf25bee6587

              SHA256

              07058bcf734d6143672b39025b60a09b66e1db8a49aa411dd3a338a68c4be26d

              SHA512

              dbf843ffa8e7fe4b9eece020121169712bc046481cfb4dd2f78bf22bb2a53fc1127b92a3426d50096e341a7db43f4a90f94a04416d48ababec858d64b7bf6e9c

            • C:\Windows\system32\AppVClient.exe

              Filesize

              1.3MB

              MD5

              715900b001a980f50e0cb07733cd3666

              SHA1

              95d175c14306d9b1d19bc8d3e64661d956cad946

              SHA256

              288476cbbaebedd354010a4135c3f92641a3a0c1259e270dbb152171d445b76d

              SHA512

              60c3ebc072a3acb46d0e620d232328802a3061eaf2610bbe90ea94767c2a77bd018fa0dc677062a77be28a51b58c2c538ef7624e7d6c8a9ee66380ebda85a1cf

            • C:\Windows\system32\SgrmBroker.exe

              Filesize

              1.5MB

              MD5

              81baf06d221e6bc3a571e802d984e54d

              SHA1

              ef6ec5855067919b3d753a0beef972661eea630f

              SHA256

              40e5110b750c624eb93b1a3bc6b50785ce0e2699c68bf385d3f7df045e642886

              SHA512

              0ac30c294133b49cd198391cf029be85ccac1478e50b60d000519978929565846409cb14df2c31b052e3f3e31d4b41ad8fb3fb09b8e698c1bb0cf32722329bc9

            • C:\Windows\system32\fxssvc.exe

              Filesize

              1.2MB

              MD5

              3858340e8a43e3afee3c5fdcb11c2cca

              SHA1

              fae43ff3cc1bce26dca300120d01723ca84886fc

              SHA256

              cbcee621874a1241cf12b081c5e35318f2f165fbbabe5866d36911eef6d3b1cb

              SHA512

              6c21de18b5424beebeccbdb7cb5f67fb8e85a956bbac8623afed733b54462bc1b4083024dc137568918ecce987f8c7e8f02479484eb1db3badd74372d130398b

            • C:\Windows\system32\msiexec.exe

              Filesize

              1.3MB

              MD5

              82348dbde32b9364f3df970744f46000

              SHA1

              6b7b03135924856874749e0404969566b887adef

              SHA256

              22987124997a4d799a635b230c148fc791cc55a8c99060405a9f076cde38a0f9

              SHA512

              84db45f59450a3ce20f3adbd3ba5d8d2532c8700b33e811272f94adc49cbbafbdb85d7084a0ea41b0fa699661d3e91b1ac35761f39a858d5e52269c92fbdad5a

            • C:\odt\office2016setup.exe

              Filesize

              1.2MB

              MD5

              7d7eca2238c4e7b4fd35ca8f91a9bd93

              SHA1

              26a3729eed99124eb8e6895a137462ea10e64376

              SHA256

              ebe41d189ab802d787717dc4f41e1c0690da6773f96278d83964d0eac331da28

              SHA512

              d16ebb6ad630bf915addb3f6341b7f6f50b2467f18ac070b3dcbae53c037a3d81db5c32fadc64a67e867a76967691c70c1d07ec6ee128fe5d10b06f648b39d45

            • memory/400-305-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

            • memory/400-577-0x0000000140000000-0x00000001401ED000-memory.dmp

              Filesize

              1.9MB

            • memory/1256-163-0x00000000006E0000-0x0000000000740000-memory.dmp

              Filesize

              384KB

            • memory/1256-157-0x00000000006E0000-0x0000000000740000-memory.dmp

              Filesize

              384KB

            • memory/1256-181-0x0000000140000000-0x0000000140201000-memory.dmp

              Filesize

              2.0MB

            • memory/1624-270-0x0000000140000000-0x0000000140202000-memory.dmp

              Filesize

              2.0MB

            • memory/1892-604-0x0000000140000000-0x0000000140216000-memory.dmp

              Filesize

              2.1MB

            • memory/1892-384-0x0000000140000000-0x0000000140216000-memory.dmp

              Filesize

              2.1MB

            • memory/2124-553-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

            • memory/2124-302-0x0000000140000000-0x00000001401D7000-memory.dmp

              Filesize

              1.8MB

            • memory/2172-149-0x00000000031F0000-0x0000000003256000-memory.dmp

              Filesize

              408KB

            • memory/2172-140-0x0000000000400000-0x000000000065B000-memory.dmp

              Filesize

              2.4MB

            • memory/2172-144-0x00000000031F0000-0x0000000003256000-memory.dmp (Filesize: 408KB)
            • memory/2172-461-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize: 2.4MB)
            • memory/2172-154-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize: 2.4MB)
            • memory/2172-143-0x0000000000400000-0x000000000065B000-memory.dmp (Filesize: 2.4MB)
            • memory/2268-227-0x0000000001E90000-0x0000000001EF0000-memory.dmp (Filesize: 384KB)
            • memory/2268-229-0x0000000140000000-0x0000000140221000-memory.dmp (Filesize: 2.1MB)
            • memory/2268-223-0x0000000001E90000-0x0000000001EF0000-memory.dmp (Filesize: 384KB)
            • memory/2268-217-0x0000000001E90000-0x0000000001EF0000-memory.dmp (Filesize: 384KB)
            • memory/2396-139-0x00000000071D0000-0x000000000726C000-memory.dmp (Filesize: 624KB)
            • memory/2396-138-0x0000000004F30000-0x0000000004F40000-memory.dmp (Filesize: 64KB)
            • memory/2396-134-0x0000000005350000-0x00000000058F4000-memory.dmp (Filesize: 5.6MB)
            • memory/2396-135-0x0000000004DA0000-0x0000000004E32000-memory.dmp (Filesize: 584KB)
            • memory/2396-133-0x0000000000320000-0x00000000004C4000-memory.dmp (Filesize: 1.6MB)
            • memory/2396-136-0x0000000004D40000-0x0000000004D4A000-memory.dmp (Filesize: 40KB)
            • memory/2396-137-0x0000000004F30000-0x0000000004F40000-memory.dmp (Filesize: 64KB)
            • memory/2496-380-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize: 1.3MB)
            • memory/2604-356-0x0000000140000000-0x00000001401C0000-memory.dmp (Filesize: 1.8MB)
            • memory/2676-300-0x0000000140000000-0x00000001401EC000-memory.dmp (Filesize: 1.9MB)
            • memory/2740-660-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-696-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-736-0x0000024D91860000-0x0000024D91870000-memory.dmp (Filesize: 64KB)
            • memory/2740-735-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-734-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-717-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-716-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-714-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-715-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-713-0x0000024D91810000-0x0000024D9182A000-memory.dmp (Filesize: 104KB)
            • memory/2740-770-0x0000024D91860000-0x0000024D918A9000-memory.dmp (Filesize: 292KB)
            • memory/2740-695-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-694-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-678-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-771-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-659-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-655-0x0000024D91550000-0x0000024D91551000-memory.dmp (Filesize: 4KB)
            • memory/2740-657-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-656-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2740-658-0x0000024D91570000-0x0000024D91670000-memory.dmp (Filesize: 1024KB)
            • memory/2920-201-0x00000000004D0000-0x0000000000530000-memory.dmp (Filesize: 384KB)
            • memory/2920-213-0x0000000140000000-0x0000000140237000-memory.dmp (Filesize: 2.2MB)
            • memory/2920-517-0x0000000140000000-0x0000000140237000-memory.dmp (Filesize: 2.2MB)
            • memory/2920-195-0x00000000004D0000-0x0000000000530000-memory.dmp (Filesize: 384KB)
            • memory/2932-411-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize: 1.5MB)
            • memory/2932-611-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize: 1.5MB)
            • memory/3504-603-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize: 2.0MB)
            • memory/3504-382-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize: 2.0MB)
            • memory/3684-326-0x0000000140000000-0x0000000140259000-memory.dmp (Filesize: 2.3MB)
            • memory/3684-590-0x0000000140000000-0x0000000140259000-memory.dmp (Filesize: 2.3MB)
            • memory/3832-205-0x0000000000190000-0x00000000001F0000-memory.dmp (Filesize: 384KB)
            • memory/3832-211-0x0000000000190000-0x00000000001F0000-memory.dmp (Filesize: 384KB)
            • memory/3832-519-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize: 2.2MB)
            • memory/3832-215-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize: 2.2MB)
            • memory/3964-231-0x0000000140000000-0x0000000140210000-memory.dmp (Filesize: 2.1MB)
            • memory/3964-538-0x0000000140000000-0x0000000140210000-memory.dmp (Filesize: 2.1MB)
            • memory/4028-185-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize: 1.2MB)
            • memory/4028-188-0x0000000000D50000-0x0000000000DB0000-memory.dmp (Filesize: 384KB)
            • memory/4028-179-0x0000000000D50000-0x0000000000DB0000-memory.dmp (Filesize: 384KB)
            • memory/4028-192-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize: 1.2MB)
            • memory/4028-190-0x0000000000D50000-0x0000000000DB0000-memory.dmp (Filesize: 384KB)
            • memory/4124-357-0x0000000140000000-0x0000000140239000-memory.dmp (Filesize: 2.2MB)
            • memory/4388-563-0x0000000000400000-0x00000000005EE000-memory.dmp (Filesize: 1.9MB)
            • memory/4388-272-0x0000000000400000-0x00000000005EE000-memory.dmp (Filesize: 1.9MB)
            • memory/4544-589-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize: 1.4MB)
            • memory/4544-324-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize: 1.4MB)
            • memory/4572-183-0x0000000140000000-0x0000000140200000-memory.dmp (Filesize: 2.0MB)
            • memory/4572-175-0x0000000000720000-0x0000000000780000-memory.dmp (Filesize: 384KB)
            • memory/4572-169-0x0000000000720000-0x0000000000780000-memory.dmp (Filesize: 384KB)
            • memory/5040-267-0x0000000140000000-0x0000000140226000-memory.dmp (Filesize: 2.1MB)
            • memory/5100-409-0x0000000140000000-0x000000014021D000-memory.dmp (Filesize: 2.1MB)
            • memory/5100-610-0x0000000140000000-0x000000014021D000-memory.dmp (Filesize: 2.1MB)