Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 18:33

General

  • Target

    2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe

  • Size

    5.5MB

  • MD5

    2b1aaa003ed82f02dc63f3d80710d7e7

  • SHA1

    a8e7c4a2b4d665564a384c148d28d1d6bd021bc1

  • SHA256

    8cdb92447a56b60558e54ed12ebb7abdf29a92cb973d3fd8a2bdd40f10f686e8

  • SHA512

    3cee5eb48fc609d3aac496cd3437c96a6c4cd637a5be3f95a816235c908da16df52f6ef394ce1e77a78f28ffd37bdcc1008ec1b09745b884d05c9e88ac06fe1a

  • SSDEEP

    49152:oEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1tn9tJEUxDG0BYYrLA50IHLGfc:mAI5pAdV/n9tbnR1VgBVmIF+iY3FPdo

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 33 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-03_2b1aaa003ed82f02dc63f3d80710d7e7_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:4180
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82ae9758,0x7ffc82ae9768,0x7ffc82ae9778
        3⤵
        PID:3968
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:2
        3⤵
        PID:3104
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
        3⤵
        PID:1708
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
        3⤵
        PID:2716
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
        3⤵
        PID:4628
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
        3⤵
        PID:4244
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:1
        3⤵
        PID:4556
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
        3⤵
        PID:5184
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
        3⤵
        PID:5412
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        PID:5624
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6db0b7688,0x7ff6db0b7698,0x7ff6db0b76a8
          4⤵
          PID:932
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          PID:5128
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6db0b7688,0x7ff6db0b7698,0x7ff6db0b76a8
            5⤵
            PID:5176
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:8
        3⤵
        PID:5668
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4696 --field-trial-handle=1880,i,13897810285090764400,2433721713174658397,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:6108
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:4112
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3288
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:2084
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4532
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1580
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:548
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:4084
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:4324
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4652
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:2100
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3832
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:3212
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:1312
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:2408
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4528
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:1584
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2896
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:2056
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5156
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5244
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5328
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5400
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5836
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      2⤵
      • Modifies data under HKEY_USERS
      PID:5988

Network

MITRE ATT&CK Enterprise v15

Downloads

                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          24d52bf7d94ec612f05790fe87f6d89e

                                          SHA1

                                          5665aab7e59455c977bdea7f4fc65353752e4465

                                          SHA256

                                          9884206fad64e32e338a6d8596b195378e36b50d31fcf2ce9e315c5464470211

                                          SHA512

                                          4ab41b16457f100972e47be33a4a088002c99e87fb7e904f2bfcc26948c962f9b6b768fcbfcd774de674ebeab0396b8811b825777576d41ba30edf525699145b

                                        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                          Filesize

                                          781KB

                                          MD5

                                          783d24eaf5e7987a3baf0d24c431c45d

                                          SHA1

                                          c299800a03204bc5ddb0667f3c6b010eae97e16e

                                          SHA256

                                          e4c6b61f49f2bd3f539cb5476e2eac8736c49cc0ecd2aa557e97580f9dc38bc5

                                          SHA512

                                          275afa82c94b960298c0c9f03c282952693853854d4dba038285c6b96dae7c1e0d549d9751894a382f2c00a3f9f0e6834dc53f1057cfc1753142459296752cc0

                                        • C:\Program Files\7-Zip\7z.exe

                                          Filesize

                                          1.1MB

                                          MD5

                                          cc94fd4e452284bdb46e55a3725dc84a

                                          SHA1

                                          19338b2bdecd8a5624f2548bc9ca125ea46d1719

                                          SHA256

                                          09420c94ca59cb7c24c82e6625c9a9d0753ab76b6af6db8157927e8568725721

                                          SHA512

                                          146450e605ac395c91df2016eb91a5b84b3e2052567bb1847e4495478b9d464f4bba464e43ea78903333865172706f202ca030651262b8d5e6ed9674985d610f

                                        • C:\Program Files\7-Zip\7zFM.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          04a23793241e2810098c41d05988f98b

                                          SHA1

                                          8f0f69c58452fb12c468014a29d315f77abb9e4c

                                          SHA256

                                          1a0aeb1739db47b679dda84af643a9e82d23d99fc65f5a55777703aa001d3309

                                          SHA512

                                          e72d4065e3e0bd62242eb41ef83439b1e61a01c89b874f6063c7f62ed3c3acfb73e35a01699b4f1cef9cd38137fb181f200d2edb448126a22b582f5a487bfe98

                                        • C:\Program Files\7-Zip\7zG.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          1b4a324a581377b678b8e336f9532a88

                                          SHA1

                                          a3956721d35a9b1563ee4df18a9b3b976b34f8c6

                                          SHA256

                                          e00354ab7328a4ce74b0fb0d9cb2faf05fce28adf347b0e1df2d9bf0c52d1618

                                          SHA512

                                          3acbfa74bc50982171907a16b07b6021f1157f72c80e9415d5687d8d8d6966c106380d580547029b8aaf98ff9c2f5a2bd4768e154e7f88105de05ac83e84bdf4

                                        • C:\Program Files\7-Zip\Uninstall.exe

                                          Filesize

                                          582KB

                                          MD5

                                          9afdba3fa8592920c468ee1d7bfa8e29

                                          SHA1

                                          e062b72c1ab24ce421dbb4c0bfa47876dee1e073

                                          SHA256

                                          15f1ee03ee63ccae81c92876f06aecba15b5aaf7f3028f2bc5cc596ec1fa9cfd

                                          SHA512

                                          599e71de99a842181b42ddbfda901c8e7283715a356f3f92476c0617ae13b14618024769cba19f7d9062984d723ef6ff8be745e1a703395aacbbcd6c95893fcc

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                          Filesize

                                          840KB

                                          MD5

                                          a0af0ccacdb8fc527f46bc5e72f3d202

                                          SHA1

                                          09304fb851f2a7b9987783bcf9bc9779a0675921

                                          SHA256

                                          cf6585ae75e15d6233b6121ae2321b4c0b488deaba2a877b50638c931ff75504

                                          SHA512

                                          f46a2c76a918fa14d6a4adc56b24c9edc6f6063fe18944c5ad1f7f6d07e6ae801af3051a55a7aeeb7174d0081143914608589320fd37e3820c83d4be70809011

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                          Filesize

                                          4.6MB

                                          MD5

                                          c56e70f4175769a5ecd1ed0777712979

                                          SHA1

                                          351afb2f1eff348b0b2b2acb79bab0b1e63f6b8b

                                          SHA256

                                          b402fdec841d3b8b695608d089cccef540092800636ad0150abb3a7957c9029e

                                          SHA512

                                          56ada80175022746f7647a121ddac727629e00afe9081b18d2dca981d8fd29b213bd089af01df543d00e604c29d64100c036a7e6fe026019b08468a7ee4ee0c5

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                          Filesize

                                          910KB

                                          MD5

                                          aba80dc564a663d037ec5a665a737b7d

                                          SHA1

                                          e93dbe7eb4895e8184924acadfe08082c32428e8

                                          SHA256

                                          2db8109e7830ba711ae0cb327ca38df06e5d047fa4b44b3636476f4f582de668

                                          SHA512

                                          c88e8cbc77afc8ba7652529d53a5d487c8da7e0bafab12dc0b2e4b1dff05935a7996522942d46349f67c78d4802575c92d4d12e45a5dbcc3dc87d31de3811965

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                                          Filesize

                                          24.0MB

                                          MD5

                                          602b05fb499ba1bd8304249beec92206

                                          SHA1

                                          5b329d59e7c633cd41958e60189642f1147daa93

                                          SHA256

                                          1649879f9475babc1e4fb4e460d30e4acca2380cbfedf158cb72b55b2fb2a2e4

                                          SHA512

                                          6109f4e03cb5acc47a290ab66c5ec143721e85b52efd7b0a5c8fc5a64fbf8b7964c4142f4780d27eca4e67419f3e08df663ef72bd5ed28cbd2d9a0fd3ba9da08

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                                          Filesize

                                          2.7MB

                                          MD5

                                          7ec1f95f2f6e9440d903a292798c0ead

                                          SHA1

                                          9472f4ba38bc16a5ee803e22b55e725b84345caa

                                          SHA256

• C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE (Filesize 1.1MB)
• C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE (Filesize 805KB)
• C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe (Filesize 656KB)
• C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe (Filesize 4.8MB)
• C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe (Filesize 2.2MB)
• C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (Filesize 2.1MB)
• C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe (Filesize 1.8MB)
• C:\Program Files\Google\Chrome\Application\SetupMetrics\39e54be7-5bab-4646-a5b9-b0ee2a4e0360.tmp (Filesize 488B)
• C:\Program Files\Google\Chrome\Application\chrome_proxy.exe (Filesize 1.5MB)
• C:\Program Files\Windows Media Player\wmpnetwk.exe (Filesize 1.5MB)
• C:\Program Files\dotnet\dotnet.exe (Filesize 696KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (Filesize 40B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\00108ae9-4c46-4528-9409-a6f0fc280000.tmp (Filesize 5KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico (Filesize 193KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State (Filesize 944B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity (Filesize 369B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (Filesize 4KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (Filesize 4KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576ad0.TMP (Filesize 2KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences (Filesize 15KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State (Filesize 260KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json (Filesize 2B)
• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log (Filesize 7KB)
• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log (Filesize 8KB)
• C:\Users\Admin\AppData\Roaming\d3f520f6822cf6b9.bin (Filesize 12KB)
• C:\Windows\SysWOW64\perfhost.exe (Filesize 588KB)
• C:\Windows\System32\AgentService.exe (Filesize 1.7MB)
• C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (Filesize 659KB)
• C:\Windows\System32\FXSSVC.exe (Filesize 1.2MB)
• C:\Windows\System32\Locator.exe (Filesize 578KB)
• C:\Windows\System32\OpenSSH\ssh-agent.exe (Filesize 940KB)
• C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe (Filesize 671KB)
• C:\Windows\System32\SearchIndexer.exe (Filesize 1.4MB)
• C:\Windows\System32\SensorDataService.exe (Filesize 1.8MB)
• C:\Windows\System32\Spectrum.exe (Filesize 1.4MB)
• C:\Windows\System32\TieringEngineService.exe (Filesize 885KB)
• C:\Windows\System32\VSSVC.exe (Filesize 2.0MB)
• C:\Windows\System32\alg.exe (Filesize 661KB)
• C:\Windows\System32\msdtc.exe (Filesize 712KB)
• C:\Windows\System32\snmptrap.exe (Filesize 584KB)
• C:\Windows\System32\vds.exe (Filesize 1.3MB)
• C:\Windows\System32\wbem\WmiApSrv.exe (Filesize 772KB)
• C:\Windows\System32\wbengine.exe (Filesize 2.1MB)

                                          SHA512

                                          2a2a43a86397a46fc388d1f6aa74e57dd477d96d4fc32df3e94aa33428c433cae231908e957846a5a842d9a1898c38f40ccda1849ad68abffbe51b7bc5ef1256

                                        • C:\Windows\TEMP\Crashpad\settings.dat

                                          Filesize

                                          40B

                                          MD5

                                          a9192caed8f01c6787ad3bdd1d229175

                                          SHA1

                                          00c9b64675e398322180e827875ebaa059450717

                                          SHA256

                                          4ff4abedc31b5dde5475b74633f6885981d29ad36c7d0a68c034a3a40a7e8d19

                                          SHA512

                                          b5e788c1ac18e745d2779925cd6cbe80d65da8f2667d66ffeb37da0748cc9720d8f56fbf55c36fa3825de404bb60741fe85489929c1d793d3365d7766eff8da2

                                        • C:\Windows\system32\AppVClient.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          0a9e94340522923a447da0443ed726cb

                                          SHA1

                                          2c04de18bb4f3ca68c41613eaaa8c54f638b4a6e

                                          SHA256

                                          5e93b22b94d17e520438402a3004918de05cfdbcc28ab15f7e5b16b63361c0e1

                                          SHA512

                                          768500402b9450619a10a7d1b3e6d5f57ea4b28c3e828fa38d978668dd282aac05248601c1c21d49211d0e9599ee73d31a44410695374928b9d34750e1269f78

                                        • C:\Windows\system32\SgrmBroker.exe

                                          Filesize

                                          877KB

                                          MD5

                                          cee28b3cc9ac6693d38ebf5e061cb337

                                          SHA1

                                          3986c90f92d1955ec4d4f22baccb99ac908e63bb

                                          SHA256

                                          ed0e2d0f778b2921a83dca7fefa1f3cd8000872b44e1d73a3899f1abc76baa60

                                          SHA512

                                          1f8f6ce31841a55c51fad1b0e00985eb570b38433a4688b01e4b3466967d0b56fbd483bed888038a3f2fd7abf6a2ebc18ed39932a90a4465fea8eff9dee56cd6

                                        • C:\Windows\system32\msiexec.exe

                                          Filesize

                                          635KB

                                          MD5

                                          1a47ce563f0f172693dff3759666c42f

                                          SHA1

                                          af99e90841c1d801f001e370f84b969328a50b00

                                          SHA256

                                          de7531da82c949a01e014a41dd7c13bfeb77c3f4d7b0e5748de055e50ad9abe3

                                          SHA512

                                          88fa6329c1bf990e6ed4fb4617e1d571aaa9b8311904e970703f923866f1bd855a6271cf90c458300d18197da756a07bf1d47b9579e9056cca44ac35fc35a09d

                                        • C:\odt\office2016setup.exe

                                          Filesize

                                          5.6MB

                                          MD5

                                          611ce7d6dc8ee0e5474f8b7259ab8988

                                          SHA1

                                          ea99166fb1b797bb95dfc108bf9b593bd8f11335

                                          SHA256

                                          94ed425bf91946b2fbe9e8441e2b48bbfd76424441ab9d5eb432c1955c4a1e74

                                          SHA512

                                          82f0c26bfeb0660e2c3225739987b456325af2e29357fdbdb61da63b122c81f882f2d790fc5b980d0e9c5b361c40e3f79565692b6fcd0b7dd08849146adba401

                                        • memory/548-87-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/548-149-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/548-68-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/548-75-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/1312-207-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1312-158-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1580-60-0x0000000000C70000-0x0000000000CD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1580-54-0x0000000000C70000-0x0000000000CD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1580-52-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/1580-61-0x0000000000C70000-0x0000000000CD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1580-90-0x0000000000C70000-0x0000000000CD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1580-92-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/2056-202-0x0000000140000000-0x0000000140147000-memory.dmp

                                          Filesize

                                          1.3MB

                                        • memory/2100-132-0x0000000000BD0000-0x0000000000C30000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2100-131-0x0000000140000000-0x00000001400AB000-memory.dmp

                                          Filesize

                                          684KB

                                        • memory/2100-189-0x0000000140000000-0x00000001400AB000-memory.dmp

                                          Filesize

                                          684KB

                                        • memory/2100-140-0x0000000000BD0000-0x0000000000C30000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2408-211-0x0000000140000000-0x0000000140096000-memory.dmp

                                          Filesize

                                          600KB

                                        • memory/2408-162-0x0000000140000000-0x0000000140096000-memory.dmp

                                          Filesize

                                          600KB

                                        • memory/2896-198-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2896-196-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3208-192-0x0000000140000000-0x00000001400E2000-memory.dmp

                                          Filesize

                                          904KB

                                        • memory/3208-480-0x0000000140000000-0x00000001400E2000-memory.dmp

                                          Filesize

                                          904KB

                                        • memory/3212-155-0x0000000140000000-0x0000000140095000-memory.dmp

                                          Filesize

                                          596KB

                                        • memory/3288-35-0x0000000000690000-0x00000000006F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3288-20-0x0000000000690000-0x00000000006F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3288-110-0x0000000140000000-0x00000001400A9000-memory.dmp

                                          Filesize

                                          676KB

                                        • memory/3288-22-0x0000000140000000-0x00000001400A9000-memory.dmp

                                          Filesize

                                          676KB

                                        • memory/3664-180-0x0000000140000000-0x0000000140102000-memory.dmp

                                          Filesize

                                          1.0MB

                                        • memory/3664-190-0x0000000000DA0000-0x0000000000E00000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3664-451-0x0000000140000000-0x0000000140102000-memory.dmp

                                          Filesize

                                          1.0MB

                                        • memory/3832-143-0x0000000000400000-0x0000000000497000-memory.dmp

                                          Filesize

                                          604KB

                                        • memory/3832-201-0x0000000000520000-0x0000000000587000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/3832-150-0x0000000000520000-0x0000000000587000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/3832-195-0x0000000000400000-0x0000000000497000-memory.dmp

                                          Filesize

                                          604KB

                                        • memory/4064-0-0x00000000020B0000-0x0000000002110000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4064-32-0x00000000020B0000-0x0000000002110000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4064-40-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4064-7-0x00000000020B0000-0x0000000002110000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4064-1-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4084-96-0x0000000000D30000-0x0000000000D90000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4084-95-0x0000000140000000-0x00000001400CA000-memory.dmp

                                          Filesize

                                          808KB

                                        • memory/4084-111-0x0000000140000000-0x00000001400CA000-memory.dmp

                                          Filesize

                                          808KB

                                        • memory/4084-107-0x0000000000D30000-0x0000000000D90000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4084-102-0x0000000000D30000-0x0000000000D90000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4112-15-0x0000000140000000-0x00000001400AA000-memory.dmp

                                          Filesize

                                          680KB

                                        • memory/4112-103-0x0000000140000000-0x00000001400AA000-memory.dmp

                                          Filesize

                                          680KB

                                        • memory/4180-12-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4180-88-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4180-27-0x0000000000510000-0x0000000000570000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4180-11-0x0000000000510000-0x0000000000570000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4324-113-0x0000000140000000-0x00000001400B9000-memory.dmp

                                          Filesize

                                          740KB

                                        • memory/4528-165-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/4528-175-0x0000000000660000-0x00000000006C0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4528-217-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/4532-48-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4532-50-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4652-117-0x0000000140000000-0x00000001400CF000-memory.dmp

                                          Filesize

                                          828KB

                                        • memory/4652-127-0x0000000000820000-0x0000000000880000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4652-116-0x0000000000820000-0x0000000000880000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4652-172-0x0000000140000000-0x00000001400CF000-memory.dmp

                                          Filesize

                                          828KB

                                        • memory/5156-204-0x0000000140000000-0x00000001401FC000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/5156-500-0x0000000140000000-0x00000001401FC000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/5244-209-0x0000000140000000-0x0000000140216000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5244-512-0x0000000140000000-0x0000000140216000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5328-521-0x0000000140000000-0x00000001400C6000-memory.dmp

                                          Filesize

                                          792KB

                                        • memory/5328-213-0x0000000140000000-0x00000001400C6000-memory.dmp

                                          Filesize

                                          792KB

                                        • memory/5400-539-0x0000000140000000-0x0000000140179000-memory.dmp

                                          Filesize

                                          1.5MB

                                        • memory/5400-218-0x0000000140000000-0x0000000140179000-memory.dmp

                                          Filesize

                                          1.5MB

                                        • memory/5988-472-0x0000023237990000-0x00000232379A0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-523-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-538-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-462-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-513-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-537-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-501-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-530-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-493-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-485-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/5988-473-0x00000232379A0000-0x00000232379A1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/5988-481-0x0000023237980000-0x0000023237990000-memory.dmp

                                          Filesize

                                          64KB