Analysis

  • max time kernel
    163s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/06/2024, 20:26

General

  • Target

    2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe

  • Size

    24.3MB

  • MD5

    3676e46bae8ef223ab2b771be5e00705

  • SHA1

    0d3dea4cc8afbee91e91fa69d0a15c5fd4c50f4d

  • SHA256

    e546be9e73cc18257f2a4da7e8cc58bc784ae56957920925f50be87f95ce68a2

  • SHA512

    175b61cee5f766480cfcf935a6ca58434866551af5c6597b3c3ec07aabd0531f1fa4b2a54a0d4137c2e4d818d1e8692575116142b4038f6789fde1fe120fde31

  • SSDEEP

    196608:+P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018PQ/:+PboGX8a/jWWu3cP2D/cWcls1z

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs

    The flagged executables are Windows service binaries and third-party components at their normal install paths (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe, the Chrome and Edge elevation services, among others) that the sample wrote to disk before they ran; the hashes listed for those paths under Downloads therefore identify the files as left by the sample, not the original binaries.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly drives it through this COM API to enumerate and delete shadow copies so that encrypted files cannot be restored locally, without ever spawning vssadmin.exe or wmic.exe; the signature records only that the API was used, not that any snapshot was deleted, and backup software uses the same interface legitimately.
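The shadow-copy signature above is the one that matters operationally, because the process tree that follows shows no vssadmin.exe, wmic.exe or bcdedit child of the sample: an environment whose only shadow-copy detections are command-line rules would see nothing in this run. The Python below is an added illustration, not part of the sandbox report or its tooling. It runs the usual command-line tampering patterns over a constructed subset of this report's process tree (expected result: no hits) and separately lists the VSS-stack service binaries the sandbox recorded as dropped-then-executed. The rule names, the pattern set and the VSS_STACK set are this example's own assumptions.

```python
import re

# Process entries copied from this report's tree: (image path, command line,
# signature tags). A constructed subset of the page's Processes section, not
# the sandbox's own data structure.
REPORT_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe"',
     ["Drops file in System32 directory", "Drops file in Program Files directory"]),
    (r"C:\Windows\System32\alg.exe", r"C:\Windows\System32\alg.exe", ["Executes dropped EXE"]),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv", []),
    (r"C:\Windows\System32\vds.exe", r"C:\Windows\System32\vds.exe", ["Executes dropped EXE"]),
    (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe",
     ["Executes dropped EXE", "Suspicious use of AdjustPrivilegeToken"]),
    (r"C:\Windows\system32\wbengine.exe", r'"C:\Windows\system32\wbengine.exe"',
     ["Executes dropped EXE", "Suspicious use of AdjustPrivilegeToken"]),
    (r"C:\Windows\system32\SearchIndexer.exe", r"C:\Windows\system32\SearchIndexer.exe /Embedding",
     ["Executes dropped EXE"]),
]

# Command-line routes to shadow-copy and recovery tampering that command-line
# based detection rules typically key on (matched case-insensitively).
CMDLINE_PATTERNS = [
    ("vssadmin delete shadows", r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin resize shadowstorage", r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic shadowcopy delete", r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin delete catalog", r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b"),
    ("bcdedit disable recovery",
     r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("Win32_ShadowCopy delete", r"\bwin32_shadowcopy\b.*\b(?:delete|remove)\b"),
]
_COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in CMDLINE_PATTERNS]

# Service binaries that shadow-copy and Windows Backup recovery depend on (assumed set).
VSS_STACK = {"vssvc.exe", "wbengine.exe", "vds.exe"}


def shadow_copy_cmdline_hits(cmdlines):
    """[(cmdline, rule name)] for each command line that matches a known
    command-line route to shadow-copy / recovery tampering."""
    hits = []
    for cl in cmdlines:
        for name, rx in _COMPILED:
            if rx.search(cl):
                hits.append((cl, name))
                break
    return hits


def dropped_vss_binaries(processes):
    """Sorted basenames of VSS-stack service binaries the sandbox marked as
    'Executes dropped EXE', i.e. written to disk by the sample before they ran."""
    found = set()
    for path, _cmdline, tags in processes:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in VSS_STACK and "Executes dropped EXE" in tags:
            found.add(base)
    return sorted(found)


if __name__ == "__main__":
    cmdlines = [cl for _p, cl, _t in REPORT_PROCESSES]
    print("command-line tampering hits:", shadow_copy_cmdline_hits(cmdlines))  # [] for this report
    print("VSS-stack binaries run as dropped EXE:", dropped_vss_binaries(REPORT_PROCESSES))
```

The empty first result is the point: a COM-API caller leaves no vssadmin or wmic command line to match, so coverage for this behaviour has to come from API-level or sandbox telemetry rather than process-creation rules. The second result shows that the three service binaries such telemetry would rely on were themselves rewritten by the sample before they started.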

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_3676e46bae8ef223ab2b771be5e00705_magniber_revil_zxxz.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4184
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:2312
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:3688
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1040
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:4928
    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4996
    • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2420
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:3672
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3716
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:4532
    • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
      1⤵
      • Executes dropped EXE
      PID:3692
    • C:\Windows\SysWow64\perfhost.exe
      C:\Windows\SysWow64\perfhost.exe
      1⤵
      • Executes dropped EXE
      PID:2932
    • C:\Windows\system32\locator.exe
      C:\Windows\system32\locator.exe
      1⤵
      • Executes dropped EXE
      PID:4936
    • C:\Windows\System32\SensorDataService.exe
      C:\Windows\System32\SensorDataService.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4044
    • C:\Windows\System32\snmptrap.exe
      C:\Windows\System32\snmptrap.exe
      1⤵
      • Executes dropped EXE
      PID:320
    • C:\Windows\system32\spectrum.exe
      C:\Windows\system32\spectrum.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4548
    • C:\Windows\System32\OpenSSH\ssh-agent.exe
      C:\Windows\System32\OpenSSH\ssh-agent.exe
      1⤵
      • Executes dropped EXE
      PID:3696
    • C:\Windows\system32\TieringEngineService.exe
      C:\Windows\system32\TieringEngineService.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
      1⤵
        PID:1004
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3420
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Executes dropped EXE
        PID:2856
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3264
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
        • Executes dropped EXE
        PID:1572
      • C:\Windows\system32\SearchIndexer.exe
        C:\Windows\system32\SearchIndexer.exe /Embedding
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\system32\SearchProtocolHost.exe
          "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
          2⤵
          • Modifies data under HKEY_USERS
          PID:2240
        • C:\Windows\system32\SearchFilterHost.exe
          "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
          2⤵
          • Modifies data under HKEY_USERS
          PID:4588
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1680

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

                Filesize

                2.2MB

                MD5

                9d664863dc498ba9f369b9ceb44a9103

                SHA1

                36373e42393ecb340c354054ae72c5548989fff0

                SHA256

                89e0bccf61e0004eed4a766ecaa742c0e89421d7bbb43644a83101e630dbbac9

                SHA512

                6f0baa959177b2d5471c1010e37160d6d4ddb2449e05d310431a93d6ffeccd3d62ec9529016ef7c1417e760b6c8c4ca8871db062ba4cffd691a04d3c85da36c9

              • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                Filesize

                781KB

                MD5

                390e29b8c2f04debe0c0ae762412e4bf

                SHA1

                79b298c81bbd7a7195c0c098189c292af6f3c4aa

                SHA256

                e6a732559d8960529cfdcc253cda64165ba896e832842cafa7293412a137e0f3

                SHA512

                f98636bc18ac7b18547a8a6308e9cc69db3d7c73df9ec1a89492bd8c736ac0606f41051fc5b584ba40389701afdcd617df78331b5cd0e13c1505464b81444684

              • C:\Program Files\7-Zip\7z.exe

                Filesize

                1.1MB

                MD5

                c8f2ad362a66a73cb285fbabe982b88a

                SHA1

                594d01e3d739d2ac48b5d60906183a0b609d03cd

                SHA256

                d76f764b72fe6b30b7ce3a1154feabed5eedab805585c47dde17cae3950dae57

                SHA512

                bf3332fe40ab69d2e1e31a4015e981c5cf53dbd9ab00eb6dcfa32c7f3fde65193be8a43f4c443092dca44d2a8e404b50d0206d94858c02c4bab93067e0d100f5

              • C:\Program Files\7-Zip\7zFM.exe

                Filesize

                1.5MB

                MD5

                03ddf8f65b8583e237cf4dadeb0bca26

                SHA1

                b12e5e0455953d0f08ce2997640a9937ea263879

                SHA256

                84e35563bf586464364a9fde7b75491987328744a66d2bcb9f7c71ffe6bca452

                SHA512

                e11b3e7de6bbb8284e5a0c81a79aca851004347435e251ecf817a4181c3eca1325e3551e21ee46493e8773744a4ff8ee5b3b4b6a2bcf544c07b33f17e7d773d8

              • C:\Program Files\7-Zip\7zG.exe

                Filesize

                1.2MB

                MD5

                d886431ed8c86781e54d978c288699df

                SHA1

                606922fee027cddcd2ca4ce1d7cefc3523d3431f

                SHA256

                64c3f6dfae8330acd8f82dc64ed6542b9cebf45e8c56a0837ba671a215ded344

                SHA512

                eadbad7753425e02e604ea23f0690052854c3a125530209df0b233601bd88f32faf8b6636238e4022e2d66f93259d21511045b90bde4d5c9a6c304c6261a28ba

              • C:\Program Files\7-Zip\Uninstall.exe

                Filesize

                582KB

                MD5

                1f5e7a002c544d38a8e261abfa6d02d0

                SHA1

                9544d559113050d2df87bf9a7760a255104f0ec0

                SHA256

                af7f77c596d9f6c507382bac14a43dcf85e7ceb1152ff273b4678ead5c614da0

                SHA512

                e05cf816b77f473f5169cb72dafa1c382cda2c26b311245aa0e5b2c2e75971956aa9724b15089cdde5022a08ecafadcfacf1eea34de0e2ae9ad6b845c10ab0b4

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                Filesize

                840KB

                MD5

                45ff32d9f02cce32e77e0a10588f3926

                SHA1

                56964ccbf0e66e66b72e9a4b36111b7a87e1dcf1

                SHA256

                f427945cd03b297310f96971171fdb4f870934378b2a217759c8f5347530f083

                SHA512

                04a7cd9d71a0cacc4e1902e35a29cfffd8a5cca91573945aee0b0557949d072112ae4eafb39d5e2467bdea7498ce421d4bcf25bd92ab42e9779b9f93de077bf0

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                Filesize

                1.9MB

                MD5

                a45b10cfcc3e8d5689cbc22e738aec78

                SHA1

                90756dc833c2bb69e5a2541c2ee2e364c422e742

                SHA256

                67c836fc069f7e32395fd377ef34e80779d98b6e77816b80bfdf57766d32f40e

                SHA512

                31c9aedfc03d677b691a88c945ff52a9dea6d2fe094afb162aaf1d7bf993ed52b02bcd5312674a18731aeac043ef6a95f19dbc137094117ad38f306b767d001e

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                Filesize

                910KB

                MD5

                aa75ccb0c2b085dd522ebca29bddd7f0

                SHA1

                d0864bc2ceaa542d97af69530ab5da90b436fb65

                SHA256

                32b9c3de9aa9e26ad3ba52950ff9de97859ae666cdf0406ab59201787e15685c

                SHA512

                88ece331c3b2876c9098a1834a8d37d0ff73d7c6bf13afe3328714a2a6e4efc9d860182f6f7e6c4ba4341b6bc1dded3139d771d1c0e80a69799b6544f9b91a10

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                Filesize

                1.9MB

                MD5

                caefc9787cb6f105789718bd0f438744

                SHA1

                c1787c3ae9eed5461791c671615117d842dd6c85

                SHA256

                2703259387feab3a6b9b3ce825789ed1453bb4f1d42dcbe909cfce204f1442ea

                SHA512

                91ba811b0bdbc00d1ad2c0f83df44cec90053d02053d22f9ee4da019f127e98ebbbe5bb8dce5d766abab00a3ee6db732464a84ae35156f1eeebe2cf72f143b72

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                Filesize

                1.9MB

                MD5

                c2a27adba96accf334091dabf0641f12

                SHA1

                9ef54afa609b7a285588a61194460802345058ad

                SHA256

                075e14269448ea50cb9c9c3e85c96c9e2015711a7696d63704c925520b4f8640

                SHA512

                916624cc8b0373fdbb56cc32184472b1c12f88a8bd53ca585750999aef765e9969805e51e2137b520a7a3be9630c3f589570070db92a5670a93403bc85a594ac

              • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                Filesize

                805KB

                MD5

                0f0d8294f499000a7d7e306db5f3093b

                SHA1

                674fd9d854f348e3bb22f7d5114e65fedc795ed5

                SHA256

                bdb6f5f2d4fc8aae32c36365ce8df06f392c5991c76dc74aaf48a3ba44add40d

                SHA512

                4b00cedb50f5cf2c8d21c99b4d3a12aa7495cc37aa90c726bb9916835b1cf219bad55be2fca30c095e2e962a0438c686ffc05ca896be37ba511f0e0f7c21ef6b

              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                Filesize

                2.1MB

                MD5

                f4f0c06b0c824e9ff99bbe683e4d0e9c

                SHA1

                f3b8b9729a527db0f5effd93a6e8c936b88c0191

                SHA256

                228f87a166b6f4809b99b956dfec8189652fe54df169c7d3240b86c78d9a93cd

                SHA512

                f99ee4a959a3811ba96008467fae52f22099d421664d5c39b4a66dc977c1517f0b82f372b444e5f774f6f810c3a819fa1fc7b3cf284f4a1f313bddeb9a2a63e6

              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

                Filesize

                448KB

                MD5

                568607446b977c1766c45f25d958a7f5

                SHA1

                94a7f357518aa0686e77b798a060d4c92f20410c

                SHA256

                efdc5796249361eb5c058520dc0fb6fdef5db84c9ea95db8f178b29682bd2fdb

                SHA512

                7277b5c9f31103c23e37b0df4bd6d60b85e952486378defd31233811b4695d864b7cd7d834c7f090a397497721e780dc017fc6c84301a8c33160e4e1f269f538

              • C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

                Filesize

                448KB

                MD5

                e54a30e15f86ec02a4a83ade50fb4d2b

                SHA1

                7a6c286e0ec9524e8c7fb8a16256b033d7b43e5b

                SHA256

                76b29a14a354d2f72b8a33a8d12753ed4517447efe96fce955e269b8839f3e0b

                SHA512

                7c24833b8e4e3474a1e085c37392bd04875690a353ec7a5fe4808c4c03784c011435bec677f9fa6c3d2684da1be7951592c243be7cbe510f57ef479a7637c64a

              • C:\Program Files\Java\jdk-1.8\bin\idlj.exe

                Filesize

                512KB

                MD5

                2574c34591ba2be7ad05c471a402c634

                SHA1

                779783c23d45be078968668cdc5c48b15d827c6a

                SHA256

                8029159907eca17f7b97b6759dd18634da8d27d68ee65428030befb26e27e6f3

                SHA512

                0bfd28a4d7da900b95a73d954cd12b9bd41caede7bd830ded9bf7955e574855bffbaf41815ec2a99165cbc801a70283842733914ec6e7f34615122de0cca18f0

              • C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

                Filesize

                512KB

                MD5

                0ebbf8b476378dcba78f065ae65a12ed

                SHA1

                be5b03fa30f4d906ed224dd864248b333980346c

                SHA256

                280bc43b96acdcd585bca6b49f47bb5f97b4c7081f750bf6edf51ddc03ec2332

                SHA512

                47c1135bbc8ba4f6ccdbbcd520e3d4d4504e58ab7bf56a567f3d5e83985d013f8d50e9468a5a73ea5bf79a217c09f3ae060c419798ab30cf0f53e14100d512e6

              • C:\Program Files\Java\jdk-1.8\bin\jar.exe

                Filesize

                512KB

                MD5

                0ab155797b4b5f4832b0c62f49b70c79

                SHA1

                f51b7cecb6a02baf9aa9271778e6a4ac88242bf0

                SHA256

                54cc278ac52882eb2b24770f8b6be7ca8853dcfcdaa83d9793debd20d86a8352

                SHA512

                d681dbd6fdab4c9ba0d89f641bb61c23150e8680e4cc013a2bd127af8186abcdbfa5a162ab7606abcaf38946e3b50be5c65bbcbe12d8fb766ee879b344e0a410

              • C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

                Filesize

                512KB

                MD5

                bc9d4aae6283fc579c30c588fe2a436e

                SHA1

                3274c20a5bfd17b168157817ca0af4ff5efc2359

                SHA256

                b64825714eb1106d044967d04e16916a2a7e5af73dd83e684442372f83abf25e

                SHA512

                1ad000452a75c7e379d99fc46001372d6d8d4423e977744ef1dae677f8fa22d79f3e39c3b01b46769ce65d7c818e92cacdbe93fb52a96d1d5bf000fa4b480f20

              • C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

                Filesize

                512KB

                MD5

                c5e6ab7115829c51136e80146424d143

                SHA1

                41b3d599d3dd14d17b923dec60b7a5eca42a6732

                SHA256

                97e3ff44b1065df9d66c264ffd72475c6173c09bba028ddaa2ab8b7aaa2f54d8

                SHA512

                9f6540555eaf38c284ad02407883d44515e82f1d81bdfe170e811e48f2159a581b2ccba3c6ed9daaaff34ec37306a6849eee0cf088073961551f463e9df5a88c

              • C:\Program Files\Java\jdk-1.8\bin\java.exe

                Filesize

                384KB

                MD5

                305a0da2e0c844857b9a1855f50b7c98

                SHA1

                0cade7cc464136449633724cd3df66b646f03364

                SHA256

                cffb6225b17f21889ccd80fa9c1f19f32564a1e1a8429aaae024608f50d910cd

                SHA512

                7061e7aaaaed16b6f4891d1e9bb912c1c376e19254b200444a9caecec01caf99c28aafc2e3d4c1464c211221822d89a59ba4694776c56739ce3e7e2315d2829b

              • C:\Program Files\Java\jdk-1.8\bin\javac.exe

                Filesize

                384KB

                MD5

                c6734e579fd9e0f5c30918f3b403b3d6

                SHA1

                838094b6783deb42ecf60dc6bc798ae17b5a066d

                SHA256

                5b791f7d8737e9567a918ba4019833b635ad909c99c98e071793509b80056314

                SHA512

                c844cc71878f74efffaaa11d5df57058690783483dd1a3fabdfe6371ce2f7b05fe9aad8699654821d485f1b65b711c2581a55cedf025abecb42af9b607127684

              • C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

                Filesize

                384KB

                MD5

                1b15877aab4fbbbfbd5bfaa1796e5290

                SHA1

                6e179eabc4ccee0bb4d0c3428b9983b3deb405f3

                SHA256

                e4c1897ebbcbdac9adf043b49b9062f49dc48219390fb47e16e180bffa67a7e4

                SHA512

                caf97eb164381bba8622b3a9378a33aa184fd1c41232b5ac425d4e20a18cc3695bc45613f600510acbe4c3f1ba3ce28adc11d616195b93d8b5d01434ba46584d

              • C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

                Filesize

                384KB

                MD5

                b399290c49f8839742cade29af3a418a

                SHA1

                7a60a0c0afa6c0e37f34aef6d46e99b0fd96d0ac

                SHA256

                d5fbe890639dcbb83440a0ba31a32e379587ba80d7bd976474c27c4f56b43e5e

                SHA512

                9565bb7ef18855bbca2cf2590e935b7b9f2e9231f81fa43715f6330c1442a3674f467f24d587ee45ee8b66a2a6f3840dc5187dc6c330b2ccac5662b5cd0712b2

              • C:\Program Files\Windows Media Player\wmpnetwk.exe

                Filesize

                1.5MB

                MD5

                32f7ec3a720b6a80c616d6a87e554822

                SHA1

                ee441c4370ea374dc8d1942c9c3ea8b608781c82

                SHA256

                451c81219827378d343215bf0ee7a600a66e24bfd6ea164efa13f684be594b31

                SHA512

                c3af46835d7c506ec30dc83d4bfca213a32a9626c22c42440134babadcc7d67d04ef25fbd46a787dcfdff2b5d23f0993777bac8d32e4d8a9cf8a590e5a57132d

              • C:\Windows\SysWOW64\perfhost.exe

                Filesize

                588KB

                MD5

                facce650e16ccae27b6d5a2ecfbfb15f

                SHA1

                019190aeffbf00a8c66904dd19198dfaaee67593

                SHA256

                895edcd8ae3870cf83df4d58e3435a24058b6d2a6c586568473aa2116dc9c655

                SHA512

                054e39405a0a34d8444bd3f8ad5293866b3c8e44799072e6df7eab2bd822f55f9c8813378f2b58d29bdb5f6423fe8cce1230440e9b40bf0953d94006859be7a9

              • C:\Windows\System32\AgentService.exe

                Filesize

                1.7MB

                MD5

                f0c1a764db90ce34f32e045fb0a8168e

                SHA1

                2b4fc5171a1226d62a0ca62cd7c38b7f9124403c

                SHA256

                2c328850db050254ed0d83d87d414d20ed8ac7693d472e0e544f7846a6e49c79

                SHA512

                cb196748a3c2b12d2a0b6a62b2b27799cccc4bbb70ce51e7e9ba0ccb8081e95ee62009f3f4dfe6ae627f16676a454e2c55a12a0ae36232b0c54097b15bb65e60

              • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                Filesize

                659KB

                MD5

                55fe6c4220def7e9aa9ff1b63efbe1ac

                SHA1

                24ed4928a9a68ed898cba4239d57f0f21a1f8a5d

                SHA256

                dd3812166eccc6d3caca8f67d9468ad4ae27f6386a9869ffa8a86d175c400c8d

                SHA512

                f4ff04ebf4756ca9948cf49f5382fb57ea0e407a8a837d8c90924285fbc3786f0a3389f47d2586bca97c1b5b074b917c5dffec42cc0f2fa70fa7e4a303c6c9e1

              • C:\Windows\System32\FXSSVC.exe

                Filesize

                1.2MB

                MD5

                23e9eb69922fb23831d66270f9396de0

                SHA1

                f8ad447ca72abfd643682b106400edb85d51f60d

                SHA256

                798812ab6a2a1b0f09ebed92c006d0dcbe7d4e1b28a2f8ed9fd075d118435f7b

                SHA512

                d39016ed8ab83f90d3ee54a123ed43029a9eae0bba3d134dbb0ab7b9161f9480c8e01fd6eac8448bfb37e8147e6a6a5abb8b59edb4991eccd22c4b3cd60e34e5

              • C:\Windows\System32\Locator.exe

                Filesize

                578KB

                MD5

                7e8f29a602fb21660f2720e56dbcfdc7

                SHA1

                b5751aab9c2ab51e9c7a38f7e93dd72a67b2fa11

                SHA256

                51c75cc2a8c16216896468ef560dbdca9213dffe9c0f64afda79e457fba23bf1

                SHA512

                df6fce8d69f3f6b737a93c2a003be92370e7238cb2d6571f854a56c141e9cce659e6f3e1e825d9ea9ee8798a08ee91c1d06de3ba1e2299201cc3f31d96fb824d

              • C:\Windows\System32\OpenSSH\ssh-agent.exe

                Filesize

                940KB

                MD5

                b5aeff542d708c8ea6715d7d692e316c

                SHA1

                a3aac73dfbafd4754e5aa7ece79f04106fae82af

                SHA256

                1c5d60811912b937610dfaeb530d6ea92d3a275420afa24bd1e0637fd6fec7d5

                SHA512

                837452de327f08a33e360a4881fe3ad075f4748bd0aafe32792e8529498722cf806e2e3efa2ac00a061d52d06db1f6f29d7c8e63b629eebb2a2b5d8a54a52ba2

              • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                Filesize

                671KB

                MD5

                7e29f534f121515235b2debf29965a48

                SHA1

                4af9c3a748cb0789c0bebe5ace7a5173f0170976

                SHA256

                84a74fcbc5cf3af2999b02b615e081eb5412dd9199bd284717aff20a4c5b833d

                SHA512

                32e9732ef722bf7e93dfc41c50ff57279da11a77cef6eb5b8f0ad641bcd7611662826e1e69a37e10d301d7921ec60e1fd37a23b37f686ce5a90bffc01f069132

              • C:\Windows\System32\SearchIndexer.exe

                Filesize

                1.4MB

                MD5

                c9c0267725b62a6670d7538908a09692

                SHA1

                6f6fcf83c2ef74e2e307e14344340594dc324a05

                SHA256

                5853069d18c2fe828062c12728e576f3cd3e2895fe019553e4a10adc8860f054

                SHA512

                376c30c9970ebcf66ce37bd70a1b416af51a58ed886e6ca0698275505184f3cc7604f80837c6e113e216337051bcf645d68adee88a1d9c23f34574a985cd3a8e

              • C:\Windows\System32\SensorDataService.exe

                Filesize

                1.8MB

                MD5

                a3983c235ed0e98a5991b874adc18f61

                SHA1

                324a12cdf4a1458e1410b54b2e0e914186ade4a8

                SHA256

                2465e3cf1fd4be7bc4bff8e13b328a76d53377d2708b345a915579b173726eca

                SHA512

                526776e82705928f3fcb22768e2a1d5be9f75eef81f16d7963f0d7b71bd4e1223663dffabde8c2b9c4fd9b61aac65a8c55ca3eebb669de5d3c49e8e052431835

              • C:\Windows\System32\Spectrum.exe

                Filesize

                1.4MB

                MD5

                c183e3238990262c83ea25d0e5419f4c

                SHA1

                bee32be46f81191541fb44244f181825e78681e1

                SHA256

                b0508555b37cedfcd5ca974aa85e5086e178f4c4468d263378e26dbed4913ab6

                SHA512

                f8ba77990e6094b7bce8fbb4522f2c824cedfa59914d4f8f403624dbb6329990c71d0ee212455469268fb406cbaee8ca492398c4496f8b085712e09a86ebb523

              • C:\Windows\System32\TieringEngineService.exe

                Filesize

                885KB

                MD5

                199b2a03c669859bdf64cb853c972535

                SHA1

                2586ef5dff363c8bf4e69802342c2c1c1404c25e

                SHA256

                d30840268dff014bdb8d7929001f00ad5ed574799bf1cbd94ff0c5da3929e435

                SHA512

                53869d40ca2e92dd8043ca644416ae3465827cacc50ddd136aa211e6111fbed3c70914f72e2f950a580045643687e04ac1b98af24b433ed8abce2655e17c7f72

              • C:\Windows\System32\VSSVC.exe

                Filesize

                2.0MB

                MD5

                5f50d74224b23dab012a28e07ce1adf8

                SHA1

                35ad9e9cc5e7e6684eca2314b862ae25d6ca0993

                SHA256

                b642e61401232a754757a2656a160c5bc347ceab93777627dd0de44eb5a59fb2

                SHA512

                1a9bab4a25fd4cb0289a742adbc73ddd875a541af5ae87281ae64994cf2b403b5304a8f9d994293d3f95623575c05a7d43ef975eeaa857a8bf4b26bd2bde7d8f

              • C:\Windows\System32\alg.exe

                Filesize

                661KB

                MD5

                5e25fb39e862208b3cd2800cb3d37dcf

                SHA1

                fdd00d30a27ddf10d7783adcd8e5be194c527486

                SHA256

                081e7e0177b69dac86ce37793724c8f72bc2f2acfc23fcd896415005118c1b30

                SHA512

                5458abe746247836809f640e6ed3cc12a85abeedc2bde5b342afef717e104fbe6be918c812743ad22b113c8670de6a5e8e19c7777211e8ee97f0a68ff542b3be

              • C:\Windows\System32\msdtc.exe

                Filesize

                712KB

                MD5

                12fdec9bd749b43dd61da43d0e78070d

                SHA1

                6e1fe98d191324a7a7b88a0a73c69f6c1d3c6fe2

                SHA256

                11b3fca7af56b50f41981acfc12dacabcb95e9a44556d85895b2677e4578f824

                SHA512

                9551ad469c70dedf49bc54a4c6940a0c65f61747edc5996bc50ed4814668e303a0435c4e66f2cefae62fb3754adda02071f08eb743a4322c6df1622e038b906c

              • C:\Windows\System32\snmptrap.exe

                Filesize

                584KB

                MD5

                585675f46d59554cfab8e2abcb7759a1

                SHA1

                a69207c2d7edbb5a5d7c46fbedc0d2861e2bec87

                SHA256

                63085b864c5ed42e89c09b9048f152d8e5e0412502dfe2f2db89935fc53dc06b

                SHA512

                009bdce782a4bdd4f1152e45cc77dc44681bf6e51f97dee3e01c65179909b320c13b2caf07fe4dddb6a7d579eecf4ddf93f3b125b634b60a90f5f4c1a13e290f

              • C:\Windows\System32\vds.exe

                Filesize

                1.3MB

                MD5

                01cd799b33663d504f65750509435547

                SHA1

                0568ac9876a36120b078acd764ecaec94e708688

                SHA256

                3256a8b07536ef9fae1661e1940e9afebc157b7d55bd40b2d55c8f4de27cba7d

                SHA512

                b5b9bbad2552df9d99702f907a134a21cd19b46a0a1c9fcf1124e986915cd80e05478cc5ac8ace3c3f66b247f17341f660a22985e1a25e9a82640a0fe1210a34

              • C:\Windows\System32\wbem\WmiApSrv.exe

                Filesize

                772KB

                MD5

                87f2761cf7fb83349386827c2948b1b7

                SHA1

                d977eb3df3536bc86a2f23b014552f3888e0a44b

                SHA256

                beb39d76921a0ed0913ac42ab3c59891a0b13cc418a7e02b0fdf95c020a592cf

                SHA512

                f115124e38e1246ed8f868ed4d0e1045cb2762d8042f199753c73a9c6cbb4bc23ab752292b3b75929e27e2d7437f49ed27d4ca5ab9e3bb69986eab63a0c4ef97

              • C:\Windows\System32\wbengine.exe

                Filesize

                2.1MB

                MD5

                c92933ae873c86c167564346b896f06f

                SHA1

                e13fad3a6095f5ba6f9250b90db49e74e0f5bd8e

                SHA256

                d3ab08a11095a1db2644d83bc7b299977bfe16771e17f0f8ffc538a3712b557f

                SHA512

                01ab77712933417376f1b77a1ddc978cbfdb2ae30d767a03ad62d481f9943a7c20b1067bea24d78fdb250b7051808012c44ef875e71c45446eea1f793ea942ac

              • C:\Windows\system32\AppVClient.exe

                Filesize

                1.3MB

                MD5

                c6c6c62dc1fe69ca17719def82827924

                SHA1

                4e8fcdafbe4e6e2d0cce43095fbaed1bfc8f0715

                SHA256

                8f2ade10ae6dbc2b376f37278a2160b8560f0dd1ab2ccd91264138796514a524

                SHA512

                faf260da27d6dd9dd807fef2bf02e9c8722310f01f3cdfdecea87be6705210b68e0ff9425aaf391e9b3e12d8f68a4c45681969e10af1e44ee2ef23451986de1a

              • C:\Windows\system32\SgrmBroker.exe

                Filesize

                877KB

                MD5

                407775fe52257bd13feaf99e8fbed70d

                SHA1

                1fdd299db95f26affee7dc3c5c3ec98e6f7d41ba

                SHA256

                1b6b9e3a20abe04250f57de3dc8c81b43a676c0153c3937acfca48d62d82e770

                SHA512

                ef2a846dc79dcc9c930d6e266f7a7696d2666aaebc1165e15c508cc199ac85e1425e3f4bdfb75159c74547ec13a316ae7e5e5b7a1ef6c59407d2cb60e1d4f5d5

              • C:\Windows\system32\msiexec.exe

                Filesize

                635KB

                MD5

                5536ed055256f4833fd6d8d005dab2c8

                SHA1

                7b8f70dac7b981f2e2dd412da590f37997642bc6

                SHA256

                a2fc5879852201eb76122808accc41956821cbb42e794d3404c6351d84c810fe

                SHA512

                f19ee9057268d9692cdcd23968b31c0e8883b01ef5880c2059a52b35fe6c17da0d1b47446c5716a1c9a7a6f954e2da646510f56162d74e46a7b36eb193a009cd

              • C:\odt\office2016setup.exe

                Filesize

                2.2MB

                MD5

                c47f2fe85d0352f6f87cd8e784f213db

                SHA1

                25af8e489fb1119a2e40b640f122e01e8432587f

                SHA256

                9e8d3b76f769ca9c912c7f36647fa2df594ed499e255a1a337930673227b53a4

                SHA512

                0d8e83756ec980d0bba931c2d1813ec0c9942f002045d91b8dc6c5b57c1d5419f093428300cb8442ac00096cc8054a2edce265e984e23bb9013b4fdab3ffcbb1

              • memory/320-117-0x0000000140000000-0x0000000140096000-memory.dmp

                Filesize

                600KB

              • memory/320-215-0x0000000140000000-0x0000000140096000-memory.dmp

                Filesize

                600KB

              • memory/1544-229-0x0000000140000000-0x00000001400E2000-memory.dmp

                Filesize

                904KB

              • memory/1544-145-0x0000000140000000-0x00000001400E2000-memory.dmp

                Filesize

                904KB

              • memory/1572-324-0x0000000140000000-0x00000001400C6000-memory.dmp

                Filesize

                792KB

              • memory/1572-166-0x0000000140000000-0x00000001400C6000-memory.dmp

                Filesize

                792KB

              • memory/2312-84-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

              • memory/2312-12-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

              • memory/2420-133-0x0000000140000000-0x0000000140245000-memory.dmp

                Filesize

                2.3MB

              • memory/2420-43-0x00000000009D0000-0x0000000000A30000-memory.dmp

                Filesize

                384KB

              • memory/2420-49-0x00000000009D0000-0x0000000000A30000-memory.dmp

                Filesize

                384KB

              • memory/2420-51-0x0000000140000000-0x0000000140245000-memory.dmp

                Filesize

                2.3MB

              • memory/2856-280-0x0000000140000000-0x0000000140147000-memory.dmp

                Filesize

                1.3MB

              • memory/2856-154-0x0000000140000000-0x0000000140147000-memory.dmp

                Filesize

                1.3MB

              • memory/2932-99-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

              • memory/2932-102-0x0000000000760000-0x00000000007C6000-memory.dmp

                Filesize

                408KB

              • memory/2932-106-0x0000000000760000-0x00000000007C6000-memory.dmp

                Filesize

                408KB

              • memory/2932-161-0x0000000000400000-0x0000000000497000-memory.dmp

                Filesize

                604KB

              • memory/3264-319-0x0000000140000000-0x0000000140216000-memory.dmp

                Filesize

                2.1MB

              • memory/3264-162-0x0000000140000000-0x0000000140216000-memory.dmp

                Filesize

                2.1MB

              • memory/3420-151-0x0000000140000000-0x00000001401C0000-memory.dmp

                Filesize

                1.8MB

              • memory/3420-149-0x0000000140000000-0x00000001401C0000-memory.dmp

                Filesize

                1.8MB

              • memory/3672-54-0x0000000000C40000-0x0000000000CA0000-memory.dmp

                Filesize

                384KB

              • memory/3672-60-0x0000000000C40000-0x0000000000CA0000-memory.dmp

                Filesize

                384KB

              • memory/3672-66-0x0000000140000000-0x00000001400CA000-memory.dmp

                Filesize

                808KB

              • memory/3672-64-0x0000000000C40000-0x0000000000CA0000-memory.dmp

                Filesize

                384KB

              • memory/3688-98-0x0000000140000000-0x00000001400A9000-memory.dmp

                Filesize

                676KB

              • memory/3688-23-0x0000000000730000-0x0000000000790000-memory.dmp

                Filesize

                384KB

              • memory/3688-18-0x0000000140000000-0x00000001400A9000-memory.dmp

                Filesize

                676KB

              • memory/3688-16-0x0000000000730000-0x0000000000790000-memory.dmp

                Filesize

                384KB

              • memory/3692-86-0x0000000000BB0000-0x0000000000C10000-memory.dmp

                Filesize

                384KB

              • memory/3692-157-0x0000000140000000-0x00000001400AB000-memory.dmp

                Filesize

                684KB

              • memory/3692-85-0x0000000140000000-0x00000001400AB000-memory.dmp

                Filesize

                684KB

              • memory/3692-92-0x0000000000BB0000-0x0000000000C10000-memory.dmp

                Filesize

                384KB

              • memory/3696-223-0x0000000140000000-0x0000000140102000-memory.dmp

                Filesize

                1.0MB

              • memory/3696-134-0x0000000140000000-0x0000000140102000-memory.dmp

                Filesize

                1.0MB

              • memory/3716-148-0x0000000140000000-0x00000001400B9000-memory.dmp

                Filesize

                740KB

              • memory/3716-69-0x0000000140000000-0x00000001400B9000-memory.dmp

                Filesize

                740KB

              • memory/4044-216-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4044-113-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4044-170-0x0000000140000000-0x00000001401D7000-memory.dmp

                Filesize

                1.8MB

              • memory/4184-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

                Filesize

                27.0MB

              • memory/4184-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

                Filesize

                27.0MB

              • memory/4184-1-0x0000000003D60000-0x0000000003DC6000-memory.dmp

                Filesize

                408KB

              • memory/4184-7-0x0000000003D60000-0x0000000003DC6000-memory.dmp

                Filesize

                408KB

              • memory/4184-6-0x0000000003D60000-0x0000000003DC6000-memory.dmp

                Filesize

                408KB

              • memory/4364-171-0x0000000140000000-0x0000000140179000-memory.dmp

                Filesize

                1.5MB

              • memory/4364-332-0x0000000140000000-0x0000000140179000-memory.dmp

                Filesize

                1.5MB

              • memory/4420-302-0x0000000140000000-0x00000001401FC000-memory.dmp

                Filesize

                2.0MB

              • memory/4420-158-0x0000000140000000-0x00000001401FC000-memory.dmp

                Filesize

                2.0MB

              • memory/4532-153-0x0000000140000000-0x00000001400CF000-memory.dmp

                Filesize

                828KB

              • memory/4532-73-0x0000000140000000-0x00000001400CF000-memory.dmp

                Filesize

                828KB

              • memory/4532-80-0x00000000008D0000-0x0000000000930000-memory.dmp

                Filesize

                384KB

              • memory/4532-74-0x00000000008D0000-0x0000000000930000-memory.dmp

                Filesize

                384KB

              • memory/4548-217-0x0000000140000000-0x0000000140169000-memory.dmp

                Filesize

                1.4MB

              • memory/4548-121-0x0000000140000000-0x0000000140169000-memory.dmp

                Filesize

                1.4MB

              • memory/4928-29-0x0000000140000000-0x0000000140135000-memory.dmp

                Filesize

                1.2MB

              • memory/4928-28-0x0000000140000000-0x0000000140135000-memory.dmp

                Filesize

                1.2MB

              • memory/4936-110-0x0000000140000000-0x0000000140095000-memory.dmp

                Filesize

                596KB

              • memory/4936-165-0x0000000140000000-0x0000000140095000-memory.dmp

                Filesize

                596KB

              • memory/4996-32-0x0000000000540000-0x00000000005A0000-memory.dmp

                Filesize

                384KB

              • memory/4996-40-0x0000000140000000-0x0000000140237000-memory.dmp

                Filesize

                2.2MB

              • memory/4996-38-0x0000000000540000-0x00000000005A0000-memory.dmp

                Filesize

                384KB

              • memory/4996-120-0x0000000140000000-0x0000000140237000-memory.dmp

                Filesize

                2.2MB