Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 11:43

General

  • Target

    2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe

  • Size

    5.5MB

  • MD5

    205a43fd811544c905363c9968c9d2b1

  • SHA1

    1b227c03b0bc3718f165f4552034724ffccfe1fa

  • SHA256

    e0f3a162c7e98924dca05dbcef50c4448159a74366fdc046b6a76c53b2e4ad52

  • SHA512

    40e380a868e613b0800a0f999ae5885a898bd980e9cad240c7b2bb855786778024cd4befb3b723ed4c40eb443c19d965fddbdd9cb98bccee7570aa6c357b6de2

  • SSDEEP

    49152:EEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfM:iAI5pAdVJn9tbnR1VgBVmFE3Xc

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-03_205a43fd811544c905363c9968c9d2b1_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2e0,0x2e4,0x2f0,0x2ec,0x2f4,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2836
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3db9758,0x7ffed3db9768,0x7ffed3db9778
        3⤵
        PID:2092
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:2
        3⤵
        PID:4988
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
        3⤵
        PID:3380
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
        3⤵
        PID:1836
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
        3⤵
        PID:2192
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
        3⤵
        PID:1488
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4580 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:1
        3⤵
        PID:5080
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
        3⤵
        PID:876
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        PID:552
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff73dbf7688,0x7ff73dbf7698,0x7ff73dbf76a8
          4⤵
          PID:1240
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          PID:4776
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff73dbf7688,0x7ff73dbf7698,0x7ff73dbf76a8
            5⤵
            PID:2864
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
        3⤵
        PID:976
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:8
        3⤵
        PID:4412
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4928 --field-trial-handle=1884,i,7242747935253715489,2571849748467892590,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:804
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:1328
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4416
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:4448
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3092
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:5040
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4740
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:4188
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1196
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2236
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:4420
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:4140
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:1840
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:3852
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:3920
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:2504
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3068
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:3148
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3084
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5128
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:5240
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5336
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5448
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5564
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5668
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5296
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:5828

Downloads

                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          0906617be86aa7ce0bd610ab7e0b4df3

                                          SHA1

                                          0891f64b74d1ae8d51f05a15f5e3175663dca1cf

                                          SHA256

                                          8b83f8c8fb30350c36be75ebfffc3518c519fe9391fde6383074ab2459b54966

                                          SHA512

                                          37876fbc04dbb9b876cf8fea7d3882191dd1de5cf204161a11d5ec592bd8d8caf6c0b8344579d47955b3d161d55fe4fdabab6dec26742a219e28beeed012ee87

                                        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                          Filesize

                                          1.6MB

                                          MD5

                                          e9774f8380a95dac02b25862acbeab20

                                          SHA1

                                          d6f7b6dea75fe251d27dc678c49c462779b2c194

                                          SHA256

                                          e0ecdfa636f40d3ac3a49ea5454aeec4e5f4ec1247f6cafd428368d477b5178b

                                          SHA512

                                          0cc9219577ec66dce35b5a2128a10cdc9bc797085e0e6ae12f6eda979714023c54a9a509f3248e17922ac9bbae7e5032df826e71a04a81c8237d31a57fca7500

                                        • C:\Program Files\7-Zip\7z.exe

                                          Filesize

                                          1.9MB

                                          MD5

                                          85cb225b9039736b8cf57826ca7b8d98

                                          SHA1

                                          388246d05c284e2a1ad693fd14a043aa76a42647

                                          SHA256

                                          71aa6f8a6240359cb2dab2b6a87b2b5e95931ed4279f75439838c2469580cc69

                                          SHA512

                                          17c523e2d67a118fb2eae0cfb0f33f4f816fcb89f82dcddc1c6cfd322b989f6cfe1f19fdd7fe3f9fdb4904b88c8e38a8e911a253aae06961a09f5833d43b88cb

                                        • C:\Program Files\7-Zip\7zFM.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          825e286cf0b3830dbc36722404ed4627

                                          SHA1

                                          a3f59baed8bf71cd4ff2fa6345546c4aa4c809ba

                                          SHA256

                                          1293ffcacd9302a8ad636c830a55c023e9833ecdb60c8e364c820ded04ab8bad

                                          SHA512

                                          25ed4d96d22f25ab032087b2a744dd3006a640e5a14983548e503396ca7e8c08a00d5b7ff23b97ad1b8d1c2db903228584e2eb0f79acdf887ddd8094006e8f1e

                                        • C:\Program Files\7-Zip\7zG.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          eb33c758ec6b1eb86cbc9aa0b464b2dd

                                          SHA1

                                          07349dfce55cc487a6d0f55a4991f87081dbdaeb

                                          SHA256

                                          5ef0db978f78e67727338f8a4c366f7f8fb078b67869154a703db70b3f8dede9

                                          SHA512

                                          4c71373139a64cbdb2b292b647667d466950f723d59fdff65342ab5afa90df2bd8097046a67d9c2efaf348bd39036311f9c2290beee1e3a6fafba61297844518

                                        • C:\Program Files\7-Zip\Uninstall.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          65f0bc2be1d4120c1b008f0957906c24

                                          SHA1

                                          ac67cc0fa6ecb0f2eb8a2d32427546fdfada75c7

                                          SHA256

                                          8938cf26d40afc2e61e1dcdf5e777f9330919c2b7349be2a0c7c5727681fe726

                                          SHA512

                                          b9a77c9c3561e39f654874ea8c4e6105e2e39dd5376029f96fc7b3106dceccee9cdf5ff7af2681e6a342a197049f1aa5c635f3d8503a320291b140ad25a9c934

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                          Filesize

                                          1.6MB

                                          MD5

                                          ea2ed75422eb177303a09674afdaa0b4

                                          SHA1

                                          dabd2a413ed1e1337a07f63dfc6b485d0fc172b3

                                          SHA256

                                          c88c60a18a65afd1051bc9adf7e428289cca9ee0c697b90e3deb489e6a49a828

                                          SHA512

                                          050a380d61ef5dc5a661318d7321343194271b3783ac6ec6583b2274c8d0b3112f5d353aeeeb28235b468eb0b352caf3922b1fea2ed3569287356fc24c9a8812

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                          Filesize

                                          4.6MB

                                          MD5

                                          41f5798aa501eaeb7f010b7dea7e52bd

                                          SHA1

                                          35076fd9b10b8659b3522222fdf6d3eb494ff4d8

                                          SHA256

                                          e1a9b80d8328d0e446814d3bc21a87810b6178772ddcbbeb9b6036c60e735b74

                                          SHA512

                                          3981dd1af8e35e4ae90fa7cc09f490cc87a566b3ea338ad84d7ee330e1f39b0f4b607255e40b6372a8325bce873e4cfadbb296597e8d3a3e13d27a1d85666eb7

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                          Filesize

                                          1.7MB

                                          MD5

                                          63f478265c599f120326bfb9907ec57f

                                          SHA1

                                          15c5060c6c60ffe0f0229eaf5865013d561b417a

                                          SHA256

                                          7ccfb3568d407f3883c57bb877ff4759649c575e1157c6ad8a08a24ddfc274bf

                                          SHA512

                                          fa40c806f7765dc9f72ae63f7e967af9bdd8fae55870fdb5d9c3affc2c3708b87317a46050fa5df85d97e4c99c9a32f51d6614a5dcedfbbb55ce7dd95108a0e3

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                                          Filesize

                                          24.0MB

                                          MD5

                                          d9c276fe126acf201b401f903ab43bb4

                                          SHA1

                                          482ce8dbb7d6082e22ff26bcef05e3ac894aef42

                                          SHA256

                                          eb25d81f1ed0c4dd0bb7b2a1a167bdd8168f1a485e5410471667d41b5d042aae

                                          SHA512

                                          34feb73ce512cf0effef48b9e62e1c0ad9f043e77118029e4e3dde333e9f27ebf1116197dfcc0c714c9c3ae6c7e704367db0d2b15d0df5c0c1ad6747957860f4

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                                          Filesize

                                          2.7MB

                                          MD5

                                          ce0136868c582f1063e54ceb798a5a86

                                          SHA1

                                          f3dac5fb8d96c22dae1985589cc412bdfade00a9

                                          SHA256

                                          61df12dab2f21e547cc451c392fea691e5bfc642bd6f5d0d28c1cd876ef421ae

                                          SHA512

                                          a11a8079cbf7e53357db1b3cf30fdab6d4a046694cbf6a1c56d98c744edfbde33d183a5bb2908be6e58e549df47673551db7f74a3583bba9bfff8947258e063c


                                          SHA512

                                          e522273daf1b825bcbdf7ca65465748acadd146be5694da6c5fdb841a3644b050dc3290573cceb435a8dad28f95c962acdf8c34ccd6cb34d857a415693906f98

                                        • C:\Windows\TEMP\Crashpad\settings.dat

                                          Filesize

                                          40B

                                          MD5

                                          bb84eab408b76ba9a3fce9253f03fc64

                                          SHA1

                                          56bb35588825f6f31498bcf1b30cadf778ffa8a9

                                          SHA256

                                          790a9ce3e7c7ce0f7c79cae2be69cdcf54288ce0f1867ac750c7c7057b5a5b56

                                          SHA512

                                          98582734192b7a4af9d879d5bf939071bed70bd8fa7f23439223fc067c3c8a9675903db2b2833ee74cc6b7fadbb0511faa8e7179c7293a407e65e6f7888b6258

                                        • C:\Windows\system32\AppVClient.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          c2a710f184b708d1fdabb9e31bc3647f

                                          SHA1

                                          abf9174ea39ba634a9f31216f76b1438609937ef

                                          SHA256

                                          9377d6b63fe34ec90ac3a44ec91f769fff4efd5eab49c3ec8d16a0fc97f58299

                                          SHA512

                                          133a7ad2df0ce71584e0bc2cb870ec159fe2c027319db7075d4a01209ff74f26128803e775785676e2b59569f3eab2c52d3d14b8937edc969bc1531805aeb8a9

                                        • C:\Windows\system32\SgrmBroker.exe

                                          Filesize

                                          1.7MB

                                          MD5

                                          f3295b0915297711ee0573b8965ced60

                                          SHA1

                                          1642cb9e5780378f93098e5c869b980af6092c80

                                          SHA256

                                          bdcfd018b22af40589468070188f728eefa64bfec4f4d52113709f0e5f025a97

                                          SHA512

                                          802efba830d5ed51ca5900b9e5ea863a848f993eefb91a6cc19f798cd4b15565df4639de9b636531ea9ece3298e9db92f810e8201c3bf9b046ad642ff22c417b

                                        • C:\Windows\system32\msiexec.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          0e922985bd1af6f04a9a3a558f7ba128

                                          SHA1

                                          a32acb8cef495fa2a78ddf3334f7bfefa5a23e58

                                          SHA256

                                          cf6e09c1dfd6e1df39c3d75a62262f7ef8c2fec136d27faca90370e3d631037c

                                          SHA512

                                          333559ee91f56b701f930ca03039282518a4fa899fe44fb0be07f7d1ce8689d2e9c810abfb40a99f7e97ed54cc6d84e03db2fc6e207b929c523b2e8b698b236d

                                        • C:\odt\office2016setup.exe

                                          Filesize

                                          5.6MB

                                          MD5

                                          dd12835feb7c959b0b4691cdc4e79001

                                          SHA1

                                          62f98776d530529a558e8ea1797488271cfddbb6

                                          SHA256

                                          667d2a3601b4f5edf1af90459b7f63e2c6c4271410213fb03d6daf34f2aedd75

                                          SHA512

                                          b7841517147afd1da4d6e452bb427c5ae0902443411d18d909759918ddc6401256c3b73fb8433374972bc54266957bfe07150fd8687918e1fe4baeed738dc95f

                                        • memory/1196-142-0x0000000000D80000-0x0000000000DE0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1196-134-0x0000000140000000-0x0000000140258000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/1196-204-0x0000000140000000-0x0000000140258000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/1328-107-0x0000000140000000-0x0000000140249000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/1328-13-0x0000000000710000-0x0000000000770000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1328-15-0x0000000140000000-0x0000000140249000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/1328-29-0x0000000000710000-0x0000000000770000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1840-200-0x0000000000530000-0x0000000000590000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1840-186-0x0000000140000000-0x0000000140234000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/1840-283-0x0000000140000000-0x0000000140234000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/2236-155-0x00000000007C0000-0x0000000000820000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2236-223-0x0000000140000000-0x000000014026E000-memory.dmp

                                          Filesize

                                          2.4MB

                                        • memory/2236-147-0x0000000140000000-0x000000014026E000-memory.dmp

                                          Filesize

                                          2.4MB

                                        • memory/2236-232-0x00000000007C0000-0x0000000000820000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2504-324-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/2504-262-0x00000000006E0000-0x0000000000740000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2504-253-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/2836-14-0x0000000001FD0000-0x0000000002030000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2836-18-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/2836-26-0x0000000001FD0000-0x0000000002030000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2836-110-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/3068-271-0x0000000140000000-0x00000001402A1000-memory.dmp

                                          Filesize

                                          2.6MB

                                        • memory/3068-337-0x0000000140000000-0x00000001402A1000-memory.dmp

                                          Filesize

                                          2.6MB

                                        • memory/3068-277-0x0000000000840000-0x00000000008A0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3084-351-0x0000000140000000-0x0000000140281000-memory.dmp

                                          Filesize

                                          2.5MB

                                        • memory/3084-285-0x0000000140000000-0x0000000140281000-memory.dmp

                                          Filesize

                                          2.5MB

                                        • memory/3084-290-0x0000000000720000-0x0000000000780000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-57-0x0000000000530000-0x0000000000590000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-75-0x0000000000530000-0x0000000000590000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-79-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/3092-58-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/3092-66-0x0000000000530000-0x0000000000590000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3852-206-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3852-294-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3852-213-0x0000000000730000-0x0000000000790000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3920-311-0x0000000140000000-0x0000000140235000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/3920-235-0x0000000000700000-0x0000000000760000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3920-225-0x0000000140000000-0x0000000140235000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4140-182-0x0000000000710000-0x0000000000777000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/4140-269-0x0000000000400000-0x0000000000636000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4140-174-0x0000000000400000-0x0000000000636000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4188-124-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4188-130-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4188-112-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4188-116-0x0000000140000000-0x0000000140269000-memory.dmp

                                          Filesize

                                          2.4MB

                                        • memory/4188-129-0x0000000140000000-0x0000000140269000-memory.dmp

                                          Filesize

                                          2.4MB

                                        • memory/4416-51-0x00000000006B0000-0x0000000000710000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4416-45-0x0000000140000000-0x0000000140248000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4416-44-0x00000000006B0000-0x0000000000710000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4416-52-0x00000000006B0000-0x0000000000710000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4416-132-0x0000000140000000-0x0000000140248000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4420-261-0x0000000000760000-0x00000000007C0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4420-251-0x0000000140000000-0x000000014024A000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4420-168-0x0000000000760000-0x00000000007C0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4420-161-0x0000000140000000-0x000000014024A000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4740-84-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4740-86-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4740-105-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4740-173-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4980-0-0x0000000000810000-0x0000000000870000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4980-2-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4980-8-0x0000000000810000-0x0000000000870000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4980-33-0x0000000000810000-0x0000000000870000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4980-38-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4980-7-0x0000000000810000-0x0000000000870000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5040-70-0x0000000000DA0000-0x0000000000E00000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5040-80-0x0000000000DA0000-0x0000000000E00000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5040-113-0x0000000000DA0000-0x0000000000E00000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5040-117-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/5040-71-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/5128-308-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5128-296-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5128-304-0x0000000000600000-0x0000000000660000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5128-309-0x0000000000600000-0x0000000000660000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5240-321-0x0000000000B20000-0x0000000000B80000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5240-313-0x0000000140000000-0x0000000140147000-memory.dmp

                                          Filesize

                                          1.3MB

                                        • memory/5336-334-0x00000000007A0000-0x0000000000800000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5336-325-0x0000000140000000-0x00000001401FC000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/5448-338-0x0000000140000000-0x0000000140216000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5448-345-0x0000000000BC0000-0x0000000000C20000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5564-352-0x0000000140000000-0x0000000140265000-memory.dmp

                                          Filesize

                                          2.4MB