308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
Size

738KB
MD5

1ffd1c53b2738258c5b1028d22e70f6f
SHA1

3b69a4874b9751a12fe76c8a1d44bf260e590991
SHA256

308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd
SHA512

738518abe28406963cad86ec0c6e1807a1bc28aadd614c0766f48a84ebe8655733d257449c37520f731b40c50020e0f668585b1fad660988d321ce7857b36c08
SSDEEP

12288:g9mmpcK5VEjObxrx84BdEPSsKRIkgq/2oW0Qtn+nd62puFuNtyg2nIh/Qkge:g9mmqK5VEjObxrx84BdEPARIVqs0QQtr

Score

8^/10

defense_evasion discovery trojan

Malware Config

Signatures

Disables taskbar notifications via registry modification
defense_evasion

Executes dropped EXE 8 IoCs

pid	Process
3580	alg.exe
3484	DiagnosticsHub.StandardCollector.Service.exe
4148	fxssvc.exe
4872	elevation_service.exe
3880	elevation_service.exe
4828	maintenanceservice.exe
4280	msdtc.exe
3460	msiexec.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\N:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\W:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\G:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\H:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\I:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\K:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\Z:	alg.exe
File opened (read-only)	\??\L:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\X:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\O:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\E:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\Q:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\V:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\J:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\M:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\P:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\T:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\Y:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\Z:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\S:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\U:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\R:	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened (read-only)	\??\G:	alg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\dohmjdkg.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File created	\??\c:\windows\system32\nenamkpk.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File created	\??\c:\windows\system32\openssh\iaookgme.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\diagsvcs\kddcdkbf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\ohbglfoj.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	alg.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	alg.exe
File created	\??\c:\windows\system32\aiopgdhf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\vds.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\ookjacol.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	alg.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\khcegnib.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File created	\??\c:\windows\system32\ejlhdodg.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	alg.exe
File created	\??\c:\windows\system32\dncjlcio.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\perceptionsimulation\jhoaiija.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\syswow64\jpmjlpcb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ojdabegb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\cadkdpin.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\locator.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File created	\??\c:\windows\system32\hiaaamei.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\bkamlakd.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\fpkbbjhl.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\wbem\egjigimf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\pflbbpfi.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\windows\system32\ojalgmbl.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Windows\System32\WindowsPowerShell\v1.0\nfmldenm.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	alg.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	alg.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\7-Zip\jgpijieg.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Internet Explorer\kjkookie.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\kihlpche.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lbdhbkde.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lgamkbac.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ocnfphoi.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	\??\c:\program files\google\chrome\Application\123.0.6312.123\nfghdhhb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File created	C:\Program Files\Java\jdk-1.8\bin\ekchdkjb.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File created	C:\Program Files\dotnet\ddnfppgh.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\onbaidqf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe
3580	alg.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2020	308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
Token: SeAuditPrivilege	4148	fxssvc.exe
Token: SeTakeOwnershipPrivilege	3580	alg.exe
Token: SeSecurityPrivilege	3460	msiexec.exe

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe
"C:\Users\Admin\AppData\Local\Temp\308f86a5791eddb3ad7e70684220e9440a9d77d263adfc8db0ad8fd253eeb2cd.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3580

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3880

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.9MB

MD5
fbe1a4816fff72ecdf6be22813083f43

SHA1
124b43e00e726e07d833ac15fbc15dec3841ec10

SHA256
1e1b0be92e06caf84d1ba15fd18939525e726ab0c169aeeb6af6f06e287bbbc9

SHA512
ddd046a3a748c7bcdb9c99078a88955bc64f1fe4f8665a171d5fc7b5f994c4c8175212a266876ee8e4205708452bac500a153263bccd3be7e275594dd287e39e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
621KB

MD5
f32ef480dfea976aba35846a34ea9547

SHA1
61e60141e7ebbbda73e3bec05698860ab9409c81

SHA256
5e18121d00f06a2efa1582bb58ccc399cd100843c97463687047090123d2c2b6

SHA512
2b49f285d6fa66f869604b7bfd8c22b4898b3fb33924934efefa69f7ff29c6c5db48d3144b0eb0c047b212aaa211d5887d5b5672a4871b70ae16ebcbcf3ec6ca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
940KB

MD5
e1252d0c5322f3439cb76ac7d7b0e215

SHA1
a1758226dd824442eab668955febb236c3d00aa6

SHA256
9d6ae57a073dc1bc7409c3a745fca4cb0d54e754ef553a22d92ed94b4c80b028

SHA512
5db7f18d9282eff70fc0b797ee3cef7531fbe96d9e5960e8fe158c72ecd2f9ddeda6e49db833888e576720e949983e898438d20896380060ca04300c3f0f629e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.3MB

MD5
e42b4e4342d86d632cd80b001215427f

SHA1
5550b51366109392479d42298ed4a757666b36f2

SHA256
1d66625b5272d896526d46a844ff2b6bab3bc34f715912a9b076cfb22d2f5455

SHA512
046389cfce9bce74f751b76d61b4ba40b413df424cb81e640e1ee0ae50234f2b837eafe9314ce223d699e5b5d0a074bcb4cae44a7a0f673d7f3cb88345767fcf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
0889cebbd5bf066599b56f0851394cbd

SHA1
48b3a580e8e98e12aefa6dd13c0e7e4b29237a99

SHA256
306ab035746826f772f9d12623cc4ba0f467120096082632d5ef74d365656a04

SHA512
62ea6e3b191facf1569b1e122440587b25fdb7af09c49fa0b321a179d7571fcaa282b7179f59872904fd5ba749fd9455c0a9444a666c21cbac629e30856cfba3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
410KB

MD5
6ed053b9e73f239a2af52295e038e9dc

SHA1
0a6b64842a448fa85ae66574433aba9358965869

SHA256
f40e91ae30eea0c406dd263f182a926a89e37a6f8292c3c762c0fff79243a597

SHA512
b48f558126b2a571df5ede4aa81a18bd8d650df0866b25e91baf63d6ba4bf38a55c3566a1e5d33605a4e12be5f1924ddfdfdf1bb95ac4bf8330448a6052f01ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
672KB

MD5
66f18c7ff49252248ada73796d191418

SHA1
eaa4aef165d0a5a7866f38bbe931b0f140ae9430

SHA256
aeed6efc0a550cc67c8748958911bcf14173ca17ec7a76631203f53b7baab04e

SHA512
0376f47c856b5a340486437502fe2a71ae699de9d2c58e01ce20a221697fc742433a47998aadaef840eddbfe9c913203dc515ea9159e1f5e9b8339e1592f6456

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.5MB

MD5
73a30b3923868d3406cdc4a2beb0ca92

SHA1
a1eb9859682cc84c8dc84031b752eaf0c52432bc

SHA256
de30b31c8002df90f824026362c27fb1e5da70f5b41ed21423e55a8576086614

SHA512
f1179041f43a10871ffaec1e34c98a9c308477a8344f10fdf4f2fc121657dc683b498ecfc666d286bf5e5f9b01fce5983e8750fa44747f03ac246bf25001f16f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
742KB

MD5
237d249890e5215ced7c16c9f8ef1525

SHA1
30b7f8bff61bc1b4d88e4e7014b0e1f4be17c00d

SHA256
337764a1cb4a358e93cd6855ed45de4f5606534176663a92756b27892554e917

SHA512
b8962a4c64b86b8aa0c9298a5e3491b09678f40f22b7d25966860e14760779771b249d96f9714309928bdcdf2d2ae00a45db6c52b7d37fd41305df6225acf1ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
23.8MB

MD5
ff91d2fa8311889a7b2834cd8cb044c8

SHA1
9af74a4a101803e4f440e5a47d44f1baa2f29821

SHA256
ef7cd8fdc5e4c503ba069f465c39411c62bd99b0583a4cbdcc6a4585f911ebc5

SHA512
fb4e6bf7e331ef91dbf20419b9798fddf77fe909b412d3cfbc5c79effb37d0d438ed78883883a933be4c999c42a282b6eb321976be89c5a84ca95f6e4b5915f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.5MB

MD5
f3adffcc82ef79f57da984e63509b812

SHA1
ebf0af55afc87367c5e47fb88678cd3e342803c6

SHA256
cbfea2797c8921eec77acd5c90ca994fcdc8e4304cc44cbce72597e04f30428f

SHA512
d655cde3fb1d0be1d0ffdd7be4a227143da2d83dd85904c31cf5b8655125f23191cfcbbf79938d31432d0c8434e398cafcbe725efd69df4f75800a53ea9acc92

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.0MB

MD5
2855b579bb1cf2f5c501c1a8b3c9394b

SHA1
b82dfd66204439ab41a3a18e2dee5f8719ec5716

SHA256
7d75012bf26bc258786f0951031a956e6550e9af5ec17e2760eaae8ba71a822e

SHA512
5cd38d2700b59f81a214ec4744cf592f0739cc6e374a5702e4ce681f228d584838b886101d220b025040aad6d2818be1f7f294bc1d164750ab622bb5574f86a7

Download Submit
C:\Users\Admin\AppData\Local\raqmnnoi\cmd.exe

Filesize
682KB

MD5
7f7ad0f00ca5177a369e9a2299b6f5d8

SHA1
9413ca8a7d3abbab54dd65704f2f19cbd98e29ee

SHA256
1d3a646515bbdaba01c1ca854bd94d6a4dc0810c42b2df9554f799facac9528a

SHA512
cfc8f0dde7cc8f3a7e08359daf7398857ba7ddcd5463d9a4ab9cedc05172256f5acaf537cec9c462de2cef686428c71c80e321de76edfcb324669c26aca5de70

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
491KB

MD5
0aafef2c8e91acbd23f6f138fac7bb07

SHA1
d95a00f2a40b82b0f64140f41988b6c81117cdbe

SHA256
c1be9294ff9da6b6e5fdcc22dcf8cb858c5c5503c4b7df3ed4e412a80b645032

SHA512
759bc657335d6465a8ee2d883aae2b47c42b4ce22a060551fe5af58239b9a3eca3d8d91a53e2dd749b4fd2e51419934e5851dd191989bc3a3c7f57bc53d465ce

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.0MB

MD5
745d6d704d407dece746981398a9a7cd

SHA1
a9fdfca77906d61c7b9c8b690f90f7ca7f56b663

SHA256
70a97a3713f61e269df783c8f4d4ddcbbc72350f842d10aea390d04c04d1e83a

SHA512
919ae6b121adde387a8fb9516409bd07fe4a517858f14ead4b2073ea0904ecb12f367c6cfd54e8ef3bfccbbb10997080aca5b5f0b96e6dd211f05c5b991d7769

Download Submit
C:\Windows\System32\alg.exe

Filesize
493KB

MD5
dcaf410adf001768862d316b41a2ddb6

SHA1
bc36836f2910ebffb199dce200f4ecdda3ac8672

SHA256
d65eeca10b6df980bd0a74579acb0d547861cb90389ca560618e5c75d4b2767e

SHA512
063148c6e804cccbdcd4f5deebfbf3f77abde25910390e38c38cd603216a67b78c382fe005d28bc955e0f8de30322256ffc2d2a2dc15a95cc434ee586eaa081a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
544KB

MD5
17670f88170dc49ece0500a5fa55396f

SHA1
209d108a9bab84b4d11538ecb583600264294b67

SHA256
dbeb2a743db715359d760767e092cab5f89049529f53b940a9d03e3248513b55

SHA512
c94e0020063de64523e50e52e4153a966e9bbb6e8d861c915f95a9767f98b312b42d2ffc206f59be6e9a9d1a2038e3a35910016075ad3712ff5396eb257e5159

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
467KB

MD5
facc938ff780e60ab11ff057aca725b0

SHA1
30858c6f6443d5fd0839f4ffc12903ec9de05b67

SHA256
fbe0eaf13ca6e726f8e704dfeb3b898daf89c355f5ec85e357d8908d8a9c361f

SHA512
7160071488abd1057861e0c8ce489d81ec0f6e2f185a0b08f20009c952861a4c077f26e0f0ddc1e187223d1d10e4d695b752d59002844d0b85e3ae7432d48335

Download Submit
\??\c:\program files\common files\microsoft shared\source engine\ose.exe

Filesize
637KB

MD5
42dcc4dcf079c4b066f102c408216055

SHA1
c2b52860bbe9ed55aedbd149160b054f8677e356

SHA256
0a42767ffe8caa147ce9590cd5a3054d696bf9ca1714b8653e451eebacfb70da

SHA512
2f51812494515a11c0a16b086b8f600b28846fdf68e1672b423c6cabec564199eb24a4158a2eee1f0abf116bca9d8e067d1c61b3d164e4b9b2a63af51c7dbda8

Download Submit
\??\c:\program files\windows media player\wmpnetwk.exe

Filesize
1.3MB

MD5
b9ae3a6371cd8725d0319a88f3991ea8

SHA1
f9e9827100176864902d48fe292668f7cf403076

SHA256
0e9b831d2bf0ba61b726c417bd4cd3b3312ecb8adc6a882012612ed1e7914b20

SHA512
fe07409bb9fcd96d693bfa4c6d6b573d3cfca38b784ab13bf5c6dd3783a496a327510138ef8cdd6b6ff4ba0be281af8117e04e0a7c7e49f9efd9ff16bd74a269

Download Submit
\??\c:\windows\system32\Agentservice.exe

Filesize
1.6MB

MD5
728d1aee51e03967108202c8305b3cf8

SHA1
576d03d43b0cf5e6ceff3924cb3ab44d4700b001

SHA256
69909072a2a14155e90657d6f173cd7f94cabc4a195b71f578a2acf4854ca751

SHA512
0dab61a8edc161d65303f77cd7fca1c95e30eb84fdc9ceb17c6d05d4f2df5294f60194c71b8c3c6d873a42ef6801b35fd3e6a3728d613f4dc863da3ecae0f668

Download Submit
\??\c:\windows\system32\Appvclient.exe

Filesize
1.1MB

MD5
e923e884bd69e7818f7e0b488c7b0f50

SHA1
f384886aacb02e63b9d0c7779e4ccf263a2b5a4d

SHA256
14fe8ceec86c32117a507069ee2c1f6d30bfb46c096fc26fcbd2f3c4868c3c45

SHA512
1f4198bdc528f0cd3f648310669d1bc0c60fbde462aad66d1c8ab46961b08a6cf684df82d3cf87cf822fdade3e377b552dcf36211f36e26dc8e91bfb74bfc882

Download Submit
\??\c:\windows\system32\locator.exe

Filesize
410KB

MD5
f5c66a30b87792b4ce52da21e9606ed5

SHA1
541e171d057a90f804fe9aaf0157455f65316ee9

SHA256
42bd870aa8f9f621410f0cd436b037b1a89f41293f6982794408b7a2c7a18ee8

SHA512
458e430672845fba561ca427674730385b8b42d8f4307d7213c63f6f06c4745bfef941c9a6919995a5abcea62102203a86a9403341761ca441f176cf3a5b39e8

Download Submit
\??\c:\windows\system32\openssh\ssh-agent.exe

Filesize
772KB

MD5
04f5c872c30a911b6d8aef7a92b82ef3

SHA1
d23f82e10e679b0c557bcfee0a723b7d9664d7a9

SHA256
13a9612fe66c0802b2d4f2a3995ed8ecbfcd8ed1a597143fbefb423b9f559fe1

SHA512
4eed830581d2ff797815ca7f898b8f0dab53c8935454bb881005b185d2e7fa67a68cf93517e3a7b426a79f4d54b09b521a66163cc55636c599906b2ce8a30028

Download Submit
\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe

Filesize
503KB

MD5
adedfef029368dd68d9b14e9044da864

SHA1
f3d2d85b5452ca3618da014aa4e642662683fad1

SHA256
5d0bc2e5cc949fbb5d356ac4ec9dfe35f69b473a2c19e63a82e8e5e3763a067a

SHA512
65d6c9b75d82ae753471bb5672dbb355e92cbe5b2add7b57bfb9c0d987f452767a2ceeae9ed2fa80d9acf1a21e50c119f3b91a390b95faac7658372bb9fa1d78

Download Submit
\??\c:\windows\system32\searchindexer.exe

Filesize
1.3MB

MD5
9aac8e27ea6fb796df2d3b25007374f3

SHA1
d9e8916ec5810e27b9aaf4eb6b47ed1506e61517

SHA256
b6431cb3097f2b43c7fecf885f72bd6fe0ec56a35ab9b872a7939e9d0d688fba

SHA512
fcc1cc5f549442e363b9102f85f9f8ab08ad636224112d00f081bbe34bf584c4b0f1b562bdf4dea9c089fcc9fb2ebc305ec708c96f3004d8bad3d2835b09ed12

Download Submit
\??\c:\windows\system32\sensordataservice.exe

Filesize
1.6MB

MD5
31d428c5ba7ea32756488727cadc0124

SHA1
3dc218db378a51050f28b79ddff41c41d7c587ae

SHA256
d4294ec49b5950ba5868ac61e0d99b4a1d253f7c2379ab697a87ba3463962f36

SHA512
a538520e8fea97d48c83dd9c60bc004565621212870402dbf58d0781828e0e42e84f8124d423739ab0b4bcd48cac1b854d809745b4584228c77445a02344dc94

Download Submit
\??\c:\windows\system32\sgrmbroker.exe

Filesize
709KB

MD5
cf4058d13062c684708b06200f2b812d

SHA1
6dc34ba26d19c515d143916f71cb27354bbdb159

SHA256
2025bd698a6503975dd32d4e493ab37b238e605212f06d1d1284f4d39b178bb8

SHA512
b4e990711fb2d513bf1b01af776465d050be8217082bbecb663ce09357e0445c92319f5b85c4fb26c3befeb90ca30b2dab729212252730b174ed3c88cec09643

Download Submit
\??\c:\windows\system32\snmptrap.exe

Filesize
416KB

MD5
b353dcdbf23eaa03914dd455adb86f01

SHA1
980b399ceec3a25d5474847f0fa8e9b52dc994b1

SHA256
98a649506abcdabbeef1626589536ebfd74fb7f15321c0c770f0a3a18eb9be92

SHA512
65efb1df50de912513f23f0d07e0e52e323a8c1e42cb4cac823dad9a4621454492dead7d5172902684b1ada920a2de61d122cda44dd706246554ea961126509c

Download Submit
\??\c:\windows\system32\spectrum.exe

Filesize
1.2MB

MD5
2ba075aad6841dbafcc5e48b381140d2

SHA1
f84768e5ed7cd205a926175f71b6d998634c92ed

SHA256
ba441db70f1e6eb4da6ca07662cb460fd5c502cdee47da60fde94d762393178a

SHA512
eae69269ea2a8e04a2bf90e99e2976454edbd5bab2cfa2a0c2b74c77d646a7426f3f406721c549ce947ceb826c344d5406cad9c5e35392a29ff2b8971342625b

Download Submit
\??\c:\windows\system32\tieringengineservice.exe

Filesize
717KB

MD5
459b1c1c1bcf2e794a8f94928b8a47cc

SHA1
139c87d6fe9c6f95c08cf80f29958701fc794c13

SHA256
eba97d609c74a521e5894d8641da4cba3da237fdea04f7e3e46d4f5cb7cf61e7

SHA512
aa69aed602adc678c7d7da6cc68309057ca3f172384db3545b611e6e16fe9944434bab5c3f62d40cf7ec374d0815284b2c9121029101ebf9c0f91ad42212ff77

Download Submit
\??\c:\windows\system32\vds.exe

Filesize
1.1MB

MD5
8e917d06cd2586e9660031a0f1ed6cc5

SHA1
e3264c1d82b4d69531b36c67d6f95edaa331dced

SHA256
24081fe8c8657500be7bb9cf9e5a38ec31d933eea439b192d6a12246be4350bf

SHA512
270f12eccf1a75ae6a3fc9f9a4e01d03f6cb93c63f0a1b51154daac1c8b182849bb84b4b3374b11954bc1ba00e2a382be43b2b337f77b811b7810339f15e2176

Download Submit
\??\c:\windows\system32\vssvc.exe

Filesize
1.8MB

MD5
e11a11336a9e454c7beb27c181497788

SHA1
5f3db4ffd193bbbfc18550274e6a55a146408da7

SHA256
5a76b53adeed16ef0dc08a406a49a5da1da5c827684be06ccedd5bf9628201da

SHA512
3926cc8183f459523638de5f23885ad434e9bec2293d8b5da647d3d1fbd46fa8106b0f7440e28197141ea796fe131c8c19d6d5357a11f3ada2d581985d9bed75

Download Submit
\??\c:\windows\system32\wbem\wmiApsrv.exe

Filesize
604KB

MD5
5e6d541f460aef143f212d42ed807028

SHA1
8f89f00954e5cc0259bf6a973c02f22569f6cd6f

SHA256
c49706594c7b506fca767a0d9ca55c51710066734867163dd070eb4227d8b8fb

SHA512
b1047b1c1d3a518e3715e82793775297e7e163eac7eb53358ae18ae6cb3d45daf64daaf5dd167851e1e410b93f384d2ce040053a9b35f250528584bc67907a71

Download Submit
\??\c:\windows\system32\wbengine.exe

Filesize
1.9MB

MD5
9e934dec4605442b911c87ef00964903

SHA1
f71eebd324a5f271e02e88658fb9dc47c733b7d1

SHA256
63b324a9ee093dce9940abf2127b629a7e1bfd3518a2819434a80d9eccaa76fe

SHA512
ddcbe087f0912699e6667269f07b69ba40d3041404b0de5bc91d1719e7807cd7f79650b179dc7699bcbf8e452520471489a92b911dfc70ece968c502353e3f64

Download Submit
\??\c:\windows\syswow64\perfhost.exe

Filesize
420KB

MD5
2175dd9cae91194d8e9b02114c78947b

SHA1
b7499f09fe01f2d517484b549782bbb5ca3f31eb

SHA256
ec35b423dd659bf33ff433fdd0c47761e1995ffb7d9f3f0fc3dcac7bd661a4a1

SHA512
aa9dd3cd8e55127377f5a620e0b0bddbad8aed03486d38587fcd7fbb28daf008f262fd11b1c37cbe33b37a6cf2fe0c8fe9cdf8d68b9826891f72d90bb7bcd03e

Download Submit
memory/2020-0-0x0000000140028000-0x0000000140036000-memory.dmp

Filesize
56KB

Download
memory/2020-2-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3484-77-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3484-29-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/3580-57-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3580-56-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/3580-17-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/4148-43-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/4148-36-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download