Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/04/2024, 19:03

General

  • Target

    2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe

  • Size

    5.5MB

  • MD5

    fdc74ca202b9381e6eea61dc22b5a31f

  • SHA1

    c636d926816d6c2aec766dad61b031bf9494c867

  • SHA256

    af4b5f5cb78dc3c8bbdb25e98e484b1695f25ca5257640ca5e763c58b13ae2d5

  • SHA512

    6b3463c2cc2007a6c8143ea67cdba0def0ae490a1c54147c82f3c74c877972da241536ace5cc5974923cfa6abc279af2519974da256e54f28a3615bfb949d50e

  • SSDEEP

    98304:uAI5pAdVJn9tbnR1VgBVmzU7dG1yfpVBlH:uAsCh7XYKUoiPBx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3264
      • C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe
        C:\Users\Admin\AppData\Local\Temp\2024-04-03_fdc74ca202b9381e6eea61dc22b5a31f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2dc,0x2e0,0x2cc,0x2e4,0x140462458,0x140462468,0x140462478
        2⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
        2⤵
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1236
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc26e9758,0x7ffdc26e9768,0x7ffdc26e9778
            3⤵
            PID:972
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:2
            3⤵
            PID:776
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:8
            3⤵
            PID:4836
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:8
            3⤵
            PID:2884
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2812 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:1
            3⤵
            PID:4308
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:1
            3⤵
            PID:4024
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4616 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:1
            3⤵
            PID:2304
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:8
            3⤵
            PID:2344
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:8
            3⤵
            PID:4424
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
            3⤵
            PID:4552
              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66cd37688,0x7ff66cd37698,0x7ff66cd376a8
                4⤵
                PID:4488
              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                4⤵
                PID:4436
                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66cd37688,0x7ff66cd37698,0x7ff66cd376a8
                    5⤵
                    PID:4596
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:8
            3⤵
            PID:5256
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1888,i,8139003985619677151,3583325621310268436,131072 /prefetch:2
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3516
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:4736
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1408
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:3884
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4044
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4556
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3312
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:2100
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:5024
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2136
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:1564
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3344
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:2836
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:1472
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:4148
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:2284
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:5144
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:5336
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5472
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:5620
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5728
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5860
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5964
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:6100
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:5528
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
        2⤵
        • Modifies data under HKEY_USERS
        PID:5708
  • C:\Windows\System32\mousocoreworker.exe
    C:\Windows\System32\mousocoreworker.exe -Embedding
    1⤵
    PID:2344

Network

MITRE ATT&CK Enterprise v15


Downloads

                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                            Filesize

                                            2.1MB

                                            MD5

                                            d28bfc4d23a1023eded9e4c62e4e4cce

                                            SHA1

                                            d371c1b5aa15588a45507dbd9c71c77b18699fc2

                                            SHA256

                                            d6ad1858d689a77ba63d0eed06bebbc86e92b4e2e628a13eff7dcea18eb818ed

                                            SHA512

                                            8cd8e132a40774f9ef603869fef6fda56df20761de650d3aa0eeab83e3f240849e4b69035672bd015939dda35048a07210ff12e6e2d1780e2e086dcd5dcb24dc

                                          • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                            Filesize

                                            781KB

                                            MD5

                                            581691de175938cd0ead2f4179475d75

                                            SHA1

                                            e6312166abdbcb9d686326e995945c72afc60cc7

                                            SHA256

                                            414e4f7c9b5c1eb4a3f53fc52180ce0ffba522b8f02300778f9721f69d4a26c1

                                            SHA512

                                            6015bd4401560d5bd651e0e938f0e1f2f8c2cda62d877f1c51db462f6045b633d9c5c82e45e6039d9318c6bd6afefe4cf3f88089a5242d77043635c521258adb

                                          • C:\Program Files\7-Zip\7z.exe

                                            Filesize

                                            1.1MB

                                            MD5

                                            f210350a181644235c7f258418743726

                                            SHA1

                                            ee1d5c7ccb0bbe33653576112f6971b719d1ad18

                                            SHA256

                                            10a2d947f7607090a535b727ef331405f60b3337ed80ea9c163a5e94177c5b6e

                                            SHA512

                                            a3cc2feb73ae92d61c2370fb47afc31eaea5fe1ff14f79c9bbe844f8cd17f17994fdaf21bcb272976432a15e791a5848ee67f0de88b7f6a879fcdd1810e29a4c

                                          • C:\Program Files\7-Zip\7zFM.exe

                                            Filesize

                                            1.5MB

                                            MD5

                                            6f9632a7de176527710e8a3308724568

                                            SHA1

                                            22bc884dd7c4cbee5e0cfd7cbf4815d97fab906f

                                            SHA256

                                            688b69e799438b6ac8c6ca47adac9cb5d48aeb3812dafc3619f9549e36c749b1

                                            SHA512

                                            59310a019bbdf982986a6bbaa893049ceb338c379f177d83af9b6a1fc462718e594e964ce05ad70d025570d9c7592243ed4c4c8508188a472d14c84e7c76edd0

                                          • C:\Program Files\7-Zip\7zG.exe

                                            Filesize

                                            1.2MB

                                            MD5

                                            80cc24f3a4e83a9fa3c795bc2af652b2

                                            SHA1

                                            f4c0b519d3a84926f488af802677da02800d1173

                                            SHA256

                                            5d5a2b4dd3851f6c2f33573f426480753b5a6a56e18aebf1fab2a2f8bf8a8364

                                            SHA512

                                            15efca2571d59f19a8f319a08e78af756c4bb63b7caddc2de595f4375e83e0604c74f5a0c1fb17cf6e3da002e0162ec303ebaad32ff9d668ab8bc8bc9babc4eb

                                          • C:\Program Files\7-Zip\Uninstall.exe

                                            Filesize

                                            582KB

                                            MD5

                                            e5990a28077518a6019f048b73c9744d

                                            SHA1

                                            070e17fa8829b300a279f5a956cc48e3e66ef7ac

                                            SHA256

                                            fe3f440986fa4a9bd2168a75d929837a46f5e0bc1eab26af7e94138b5cc0e69b

                                            SHA512

                                            2549cd0701fb762b5982ed2a13e8a657eaef2186d0586d53225c008d7dd8b0c3d5d9c310b69d6815fafcf82754cbd45031a6739498c893607df768ea501f3cce

                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                            Filesize

                                            840KB

                                            MD5

                                            28b850bbc60e888b0deed23e4b4f1791

                                            SHA1

                                            f44117a988237db3752c2d7d65473ac24587f685

                                            SHA256

                                            b365420b35a00a5c9c6e35e2452dc76854edb8efbcb5385fb5628037a4b69c40

                                            SHA512

                                            8fb657e04bac7568f6493fb1eb637b9b79cae61d25b52b96f28ca74719d9b8cc79762cee00079b015bfe29e0cfa6fefe7f166226d7a0548b31cebcd579d54e60

                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                            Filesize

                                            4.6MB

                                            MD5

                                            64b383883a65967f9d709f71c790c47f

                                            SHA1

                                            61dc4b8c4a492cbc67c3fd11e3abd4bf70d7279c

                                            SHA256

                                            251dfabac8f94f3be8fc7ae1ffc69a3b9bc59c03cbccc86f5a3bc153dbf8a692

                                            SHA512

                                            35bd75e4294698d5b851b6467ab68e7deaa17367746be2e71e55fcb8fbf77c5efbf00d34ef6ae63edeec51563830a1608436c128606c57a2bc80b44f632c9c39

                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                            Filesize

                                            910KB

                                            MD5

                                            43e17f0a922690b67f6d2e8c35cda493

                                            SHA1

                                            d3bd6476939daf24711e0d96599912db2c1a4493

                                            SHA256

                                            c0abe168ae65afa8cda82c40321c2bf74356592f9452478876402de568729e84

                                            SHA512

                                            96217a6f7fc4ee0d0aa71f5f384eedd1ae5e1eba73f8f733a0fdb714908a348110823c8b9c02fef5d45f2a141eba24a9a758fd9f096c4319a3c894914044356f

                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                                            Filesize

                                            24.0MB

                                            MD5

                                            24ba4a923e656b48f09129861b00d87a

                                            SHA1

                                            32443248844318b2fae7eda0a4bca2dc758d4ba8

                                            SHA256

                                            5105e4ac3a39dfbfe9b35955dc3e42ab7f579efba4e9d247af7b0c9d27caf627

                                            SHA512

                                            28cadc00321fc419e7ad81afc0ac7c8d6a152451c6c3a883e2fa863f7b292bf8434c3886f724904b20625033e4d5a840c1086a5021f635e2e7ecbaf581b4034d

                                          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                                            Filesize

                                            2.7MB

                                            MD5

                                            cf3cfb5d916a5bdc06ec2efa091a35ed

                                            SHA1

                                            76a045a4ff1c62a87fc28e1cf3b6dadaad64ef24

                                            SHA256

                                            a9d2c6a24bb080609ebf83ea89ff7bcdad886e3976fc0f39adf57fec0e4937e4

                                            SHA512

                                            9de171996d8ca1e6382336d018d87b8f75e83a0fe671f111dd1a9b4e08d2895340c5dccabe74066f6acfbf157ee95a25ca89b0ff7c8f485109482f74006ccb49

                                          • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

                                            Filesize

                                            1.1MB

                                            MD5

                                            08d79b9b6ec0b1d2d28ff479fcbd18e2

                                            SHA1

                                            f1ea4ee71d53801588ad990070d6c71568e08cd5

                                            SHA256

                                            310844c867454fafa18dd5e938bc1884a1f547df5182b45760b0e456c41f6477

                                            SHA512

                                            570db7e66833216ad6aac852575b79d6417e54220864db6d42a9a50fd17514e9e7adb7f18f7d1dec9f7c39c26a665c5a48787a3298908be93ee4c5fec78dcce0

• C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  Filesize: 805KB
  MD5: 5e3b08e447af9b1a1f527228bcfdd4f3
  SHA1: 40e3f723a2ac1752d952009884bb9617d07bed12
  SHA256: 18b9bddaa220d37393c1f67c3399374d155916d172367df49aec3e465bd84537
  SHA512: 105ddbfbb86c0cba1203c51908b0d19422d212f001be711d1e50e7a94f3d643cff8fa06c440f93967896a51000977f667275b5b23744c247a9f2557786911acc

• C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  Filesize: 656KB
  MD5: 793f3d6a2247dd3ebe933e8fcd57a584
  SHA1: 001fb7572f078df06aa43b95e7300b4e8d97d7b3
  SHA256: 8f6ab8aa122512a15bffae4f1715f3c67b3043dba5191405d5c9619ca9e6ad7e
  SHA512: a546eb44110c0253e00e3c1cfd4b92b242898b06323089eebc2e89f355ce9eaddfb368b7661d6107bc7de8a2bbba350e4c4415f2df7cdaad9775647b24e96220

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  Filesize: 4.8MB
  MD5: 71c69ac343ffacffd9804cf1d0a4a5c7
  SHA1: 4a08194d25f5a9bd664db5f9bd71198c18a07de1
  SHA256: 6f21e5854108193dc6155423ecae3c3f641a390279db8f062c9cc4e54e00d82d
  SHA512: e7732ad8325e30192461658f5f20651fe1dff298745c6f2e2543b63d79df1a33f231e69f916bc216bccaa69efe7d4d5e23a6f2390ec274cfac4e10a87ae2fdbf

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  Filesize: 2.2MB
  MD5: 90df5a8e53a7f0000698372f2ccc8cb5
  SHA1: 01eef22117d79409a3c25897219780ed818446dd
  SHA256: 75795d1a2e2af14fc54afe37f962b57d9f022308df2446becb407db14374559e
  SHA512: 7507ab8ef1696ee3302d535417a6b0c1022a7cb90b91cd567760c08e32133d2fca2fde0ef91f58bcd4e9eebdb2063c746209e767611e9ab4ec57a31b33ac106e

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Filesize: 2.1MB
  MD5: 190874d7cd04953976ab90a56c930e86
  SHA1: 997cf9afef37a277f96d4e749b702cd2c6758a3f
  SHA256: 72aaf9c6156796d22eab0840e8b452fd50a9da014c283662391d51daf530d664
  SHA512: 41a7d8296dbc4c7023a9736650f3ca6b95511b4ca0484423fec700398c8aa0441e8a26741ad59064952b1eab3937752273535af06b88ce59eab11c8a024db24e

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  Filesize: 1.8MB
  MD5: 2d30e7ef73c15b7f143b1dd0da137347
  SHA1: ea9a2eb02db8fd49ea0700d816310aa58307a26b
  SHA256: b9432a762c913ddf75de1e4a44fae60674a5add997f806276239f9f5651ddfe9
  SHA512: 3888fc397b3765fba20053d3d3dcd2d603362ad096c4d8efca25563fc1c0f7a5dc28671966d86d4ae5a320dfaf54f7784abb6a2ea930a8713a5cc0cf726262a1

• C:\Program Files\Google\Chrome\Application\SetupMetrics\b0345dd3-6376-4519-a8e1-2361906317ae.tmp
  Filesize: 488B
  MD5: 6d971ce11af4a6a93a4311841da1a178
  SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
  SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
  SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

• C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  Filesize: 1.5MB
  MD5: 330082cabaef426e061359ecdec116de
  SHA1: 6fd356f51bd87bde56e6083a9fb71ec3ebb51afe
  SHA256: e4b607c1f58e4fabf2e49b2efe22e43c4abd52ac13408c2a22aee02bc9500746
  SHA512: 07a7a7168b3f86908d9c42791b59df37c403a803dc24dac3c3f2dc76672899f4c870cd75a67d42b467384a2900c19f42d5ca0b625bc52d016b0bb4710c2d4969

• C:\Program Files\Windows Media Player\wmpnetwk.exe
  Filesize: 1.5MB
  MD5: 7115a69e22814ee82d016d801e7fd5b5
  SHA1: bfec277d8e20290c0374442fa9b0b9d7a2af5a12
  SHA256: d5c848924252b86e8dfec12355af21011f70b1dea7699dfc7f19e61feb1360aa
  SHA512: caa36c28b6d4288bd7f1a33a43ed8f9fe252bdc402758f460995e09537c8718ae93a40a5be234be87e331ad7b8725b279eace67a3154770cc203ecfaaee0f85e

• C:\Program Files\dotnet\dotnet.exe
  Filesize: 696KB
  MD5: 96ef4d44d4d21b1df6687682f3d62e75
  SHA1: faf9b37fd1af4fea04eb979bf4884928a682da83
  SHA256: c92ff2f076098f5139d9decbf0dbd6043a22495ab292494e4b751de2e895395f
  SHA512: cfca25d4b21adecc58295ba24153c2ab655abfc164cfc150d728d4aaaefef96b0fa85dc21ede88db236dde4201c7a7cbe9a398615a739bc24c883d59538a9498

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
  Filesize: 40B
  MD5: 99cc49358cfa3628888247c84b312722
  SHA1: 72df90d4341e204b5d695a65f8f0575d75d6d342
  SHA256: 570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757
  SHA512: 1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1bbe746c-9023-45c9-bf9a-1b8b502d522d.tmp
  Filesize: 15KB
  MD5: ffe0e85c654036c6b07745c2691f9c74
  SHA1: e6dd72eb2458ef7f8857c1a12e7e941901e2ce71
  SHA256: 4225fd4bd4d948c52bee22a65e93adbf2870636a768a1d3e44ae2d01a461bb73
  SHA512: 68b0c25e5e0695ce763385ccb161aa59a226d9c086bc0c7f68ccc2040599d8a34fc5b4a15784d418e94f58839a9ff3d074d7a5ef3d0d61c784d08f8536d1b875

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
  Filesize: 193KB
  MD5: ef36a84ad2bc23f79d171c604b56de29
  SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
  SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
  SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 945B
  MD5: 018885ee37aa1f078346a48e48a62a95
  SHA1: c612126b1f9d978151cdd91b5c2291c7e73b4717
  SHA256: 44a6b4ba4b8ab02810943794e89c175c3f04513517a84cd2743f5e53413ae1cd
  SHA512: 7fb8e3a93a31f374d056cd9663f1a4c690fb0b519824b91d254a0ececd4e8e43f369f2c1c965bfcad2a36fbe3b950fc2e6ef0ae56ff5eb3f15979f3c0d7f9ae3

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 371B
  MD5: 287cfb91973e38dd1845afd538e7e6b1
  SHA1: 9aadc0a629d2471f9bbdcba213349e508350ed3c
  SHA256: 536265203720c83149b81f082b2cdda349dbaaf778414568b045d9e016c44cf7
  SHA512: 5e4565f339045a78cec3269a4ae24de7adbf679860acdfdd94dfa255d3621f81963b4faa0fd2df1511b94bd206361fb1fdb97abf1031279008f621773403a1a0

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 5KB
  MD5: f35ec20f54fb768ebb60334ec5243e27
  SHA1: 4cf66da7627f22aff257c4657890f24fc7342139
  SHA256: 079cffaae7c6e2a60f97fc4fdcacb02d4704e478ee5cd18cf0940588bb10774b
  SHA512: 08c342558c467f40846319c50178f9fbe1e61e45309bf2103a72277df1b5943896fe51352dcb255b4b0df5e6b57e64ab4f4ce0ab27d3ca8b9b7898694db31b4c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 4KB
  MD5: f20cc58f80e6b99d52ca0502d8322756
  SHA1: a1533a3e428dbaec98441d0013122e895dd0baaa
  SHA256: cfe87478296d572bdc16b72aa453b6ff6c775857ce1d5ffa6959ae23567d2036
  SHA512: 0e5873341d8f34390fb7751bc9ada4d343bba5b7b96099813fd7b33d8b2d4bb818c68c239fc609cd7a1eb76b720c8ac3ea86588e0a3621757443fd6e73e9911b

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 4KB
  MD5: 48c4200623ffe24e138fafb1d67272f1
  SHA1: 2342772bbe5e06b0d5fbc83dda345bf7ff37ad89
  SHA256: 3017a538f6c1b1607716f25b39fdf514a7724399c681ea30aa0bcc17c1a9effe
  SHA512: 1b729de1d3996f4233c983ba5b4cc356652ef8b877eec7796b2f770fa0d4a9ec5576d1f615cf9533fc1c18e21076711af9a12c0c25c647f9c8c38d2f628e114d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577782.TMP
  Filesize: 2KB
  MD5: 9789813c7b351abcd4b4cc4821874f82
  SHA1: 3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
  SHA256: 899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
  SHA512: 9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 260KB
  MD5: f20a53e001630195c319252cf21efb9f
  SHA1: b418e843bf1f4e3cc33f873a08434a60f6848c5d
  SHA256: 3a7fd4ca276553e4fb4c50d83f1acf69b1e37e26a7b0ef1be1aabbd144cda585
  SHA512: 94679e12cb4b025767aaf36ff60629eb4e65b5553d650aae01a634666b3d93428038d45404a85c43e95ffda4dcbafbf0c38e6ca64984a431a3498f70b67c1f97

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
  Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 7KB
  MD5: 4682dc75415b6a14cd11328987326211
  SHA1: bf45cd50681af45ab4852187227aa2734d5a35a3
  SHA256: 6e40077b20e82ea01f0428d2c5878214fef0f716308de85429e9a34b9a8ce7c3
  SHA512: 47bfcef68411ea9a1a9bfe34b8721b1646efe1cad946244b722024d3e0a4b3d77f41ecf09adaf7a9058a08971a9261c5d6326d89c528af3212192c35f345cb86

• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 8KB
  MD5: 2d13370701b76143a15b4382d261bfa5
  SHA1: 38191ad8eddd3b3d6a1c2b34b7964e8cf916768b
  SHA256: 7b1ac7a06df855167a7a4e89d433a56e460fda6c5591b2796e8467b390500fba
  SHA512: 0afb289c6ef85d9fd5ad60abe449d44ec5bcd8342acb49487d2cbde27f9d779aafb96d2c0f886bd3dddd1511451b44a141f6cb571589615e5ef3a64359ab15c7

• C:\Users\Admin\AppData\Roaming\4b882c7412d07ad8.bin
  Filesize: 12KB
  MD5: 05d042493a4e533b24766451152f6003
  SHA1: a16e1c41a5e5f8818e7583d344fb709df83ab48b
  SHA256: 488812cdb616a0e3a71ba8c405c83fa90c9a61d9afb7d744cf5efdec2a208fa6
  SHA512: 0af29fa9a6519483c18e098fb863a75878ed2dfcfef012b14cbe5edc0fea12a916283e261b8066e617b0aa53926fa6633ea10dbc2b44cdaec8baa9f38299cd04

• C:\Windows\SysWOW64\perfhost.exe
  Filesize: 588KB
  MD5: 5aeea0eb172666665413dd6dc84078ab
  SHA1: a3e78572df573b65c11922e7250203635d043e54
  SHA256: 9262e136369177ff76fd8d0b3ba3a808a1743a9acf1440dc8d315fcac88e6723
  SHA512: 98e2e29a642725de22e4b63ee7c90023d83ec71230d6646cd255e0589d42ba969e115108558c0d2b17b5feb9bc0e70cd5b138798852f26d27a1feeabe6964d3e

• C:\Windows\System32\AgentService.exe
  Filesize: 1.7MB
  MD5: cc7e9e8c7a0aa10a9100dc64274a9d55
  SHA1: e4c54df65631efd77f43dd1901f6db08829be073
  SHA256: 9ae40334c10487c471d22b4d57c51aa6b7d91726ea3d5d82b87530b13398214a
  SHA512: a19cc64a473a4f404503a41008b825da09275cb5767a9f1b099a1f6b18a5c1db9a5621325e1e0539f52ed77a0180b62104bafceb6676b60f70cd4228cc467c5a

• C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Filesize: 659KB
  MD5: ef89944383ea5a86f7f1e5c0ad458440
  SHA1: 7ed4e7ee386ca503e849bb6fa96bb4d43a3017b6
  SHA256: e8ede02f5eef8cb943ed062410297366a6cda1fabb8ecf306908d88837a14f92
  SHA512: ff5b5cc2c412c641d036cdb8b8f4de9a7b41a42a76a6fcb485728c0b3eca97094c810675ec44dec91516c477569ebd331e8615806f687e78f8118dcee2cfb30b

• C:\Windows\System32\FXSSVC.exe
  Filesize: 1.2MB
  MD5: e0e74b251a7bf94538d8149b94370d7f
  SHA1: 0cb59bb15512b276b55e699612a7e6388d242fd9
  SHA256: ac8472d9a7fcd77a6410da49887ef5c24a6e98fbf372eb49bece3b2003017548
  SHA512: a71e6ef9d22679caa7efd0911c381e1c97808fd0d843ae3d57b3e063beec7cf3f07f691aaec71597c5f5101edcbbfe1f1500ee0349834a9144355433ccb76ef3

• C:\Windows\System32\Locator.exe
  Filesize: 578KB
  MD5: bd3cf843fa182b89b03835473dbacf2f
  SHA1: 062d41f93deb0a7286223b943f11de54de219559
  SHA256: 0266593cc9bb78172dc7bb1a7bd2bed872bcfdb99ad4f317c5b7b82f138de8c1
  SHA512: 2db662b2296a0304892e7798f5a028f1b7f997b06c6fdf5c175e79b1b6e247e5ad74ce32802bedfbcd214db9370686c28cf5cbbb2c99ef7d0175f9f735a1bfe7

• C:\Windows\System32\OpenSSH\ssh-agent.exe
  Filesize: 940KB
  MD5: 29afab90b6cfda0f0bc8fed99aa255d4
  SHA1: 77dca93343b6edd499bd4d92e7ed1724edd48051
  SHA256: 2522fb212315877a66bb7b5d6d65350a68178af6ee746c1f2fab01bc564a065b
  SHA512: 81efb2003ca71723b1b40b937465b93f99b8f7a14b5870c42531136abfe121326709a89956fb0c0de5a745fe4f9272a95657d6a5f9f9678db6cd52ae26dd58bd

• C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
  Filesize: 671KB
  MD5: 7b3bbcf6657705a1d57a9b4a8d305061
  SHA1: 698a9fba7328545363facc481fe7f40693ef2027
  SHA256: b810a826e21e020db043fe8f604aa7251bd1697bf0a98158b6bd5349c5eff1dd
  SHA512: 430dd2c29b32f48546e03178322d05054aa7de24aa9cf39c45ea0277ee5e2af240baf37aa12c1637d05e55f1a814a6c06613ae16d72be2527eb2db2b496717cb

• C:\Windows\System32\SearchIndexer.exe
  Filesize: 1.4MB
  MD5: 0977c86cfb581796bf7da9cc93ff2d8e
  SHA1: 328f59516660158a34eba965d060f020068b9c4b
  SHA256: 6885f884d2cd8d96c4b971b967efd6b26ea7b115839ab23979939727bfcf0fd4
  SHA512: a7698e4cac52f1516a1cf490cf3f5b24c5cef63b7d3a0ad592325795b41751499090da00e00ab1ccb251e1298205c3abe066881cb10f0d45ab224a7f8d6699a0

• C:\Windows\System32\SensorDataService.exe
  Filesize: 1.8MB
  MD5: 0b74c5b6fa39516517cf388ac792b197
  SHA1: b6c810f5bb3fb0e3ce56f2cb0acdd032f82f7315
  SHA256: cd65aa4eb3d1971f90da893568be7dedddbec9d02824c24db0bb371b59aa50dd
  SHA512: d67e9590c9e6b316f7a3ef0129442fcdd5b9d3915e2f2833c9a7fae1ad3e8ca45a385c132d3f94072191e69812dd5ff2db58872a825ee27ec5e57e38030bc3ec

• C:\Windows\System32\Spectrum.exe
  Filesize: 1.4MB
  MD5: 00a4b39c1404d745dc9789c9029e6487
  SHA1: 74341fc1fde6f2fd4957e8bfda67aa9a45350966
  SHA256: be2aa488e3e71f70cd2e13097d1003f0a6a3435db1c1c6887d524fae845c6684
  SHA512: 277354beddb698e64677a3bd083522f4365a7d9a6aacb75ffcd18d7ad691d49056bad8f48fb17a4204b59927103366d3f60b8ad9b47ef3235f15bbad885c66c4

• C:\Windows\System32\TieringEngineService.exe
  Filesize: 885KB
  MD5: a399ba72bdf477aa4ad828b5a3a6bc14
  SHA1: 5cd566c5929ff455209e4a648b88d188b9285d38
  SHA256: d9fc2f960e2e7af89a0c1d297321f296619816b3647fe429e8dec654d2e08d44
  SHA512: 306b73ed791bf98d200dd7a7f5cd85aa22a4d6a16c51cf4ecfe898a24a35c62b9a0061dfa3632cdaa596d6d1a81986679589d83fbd28d271f74d13de67f30d93

• C:\Windows\System32\VSSVC.exe
  Filesize: 2.0MB
  MD5: be63f194adefea8c0241ab82eebab2fc
  SHA1: 2918d0311e14aa9147be7020c426dac46c4068d3
  SHA256: 9694aeccce895943da4798e81dd2a23cabb368a42dc0a5389e8ebc47afdf0f46
  SHA512: b120123f29ad18ebc34725dd327ee582e2d42ece2aad018a7f840bbba1cff4346889b09d3007c89d8100bea646042feffe972e23f65e18fc1592adfe5d0e6c40

• C:\Windows\System32\alg.exe
  Filesize: 661KB
  MD5: ce6dd57db93ba299aff739bb0961e0b8
  SHA1: 1013bdedd7a2bb3066286eb1d0f9ff82f7fd6a8d
  SHA256: 20ae1187bc7d31b649c2d57e9cbb5ef84785bd6ca0f371ff2c28cff7f17ad9fe
  SHA512: 6e58409783b3fbb2403d63cd8055dd135c685f2e6a5ddb17f9117297a9a550fc4fdf73c72467fb9b550bbce39dc5a522741fb57f67675d438ca3fcad6faab02c

• C:\Windows\System32\msdtc.exe
  Filesize: 712KB
  MD5: 8e056ff41c689842de8d5e5ed3345f13
  SHA1: 93e85617044a87684cc33bb7444512c4de842dd9
  SHA256: 1a3248a4fa67acca4dbdfe185f135072b8c75d4cef4a22b9ef09e3d444533ca1
  SHA512: 2fd5dbdf16dfb7c82e61d0d64836ce43c947fc097e7d2bc74917e972a4cf08732235e20a4809fea0cb5f13106171039531986e026b8ad330c29350582d576536

                                          • C:\Windows\System32\snmptrap.exe

                                            Filesize

                                            584KB

                                            MD5

                                            05f05f3e7e4afe81cc8416b3cdf28594

                                            SHA1

                                            772745310448ad916fed850a5aa4a71a066d72bc

                                            SHA256

                                            6d1f0687ad7a812d89e1c7845ee1729a34f1383076a13e443df0974910ae8ae6

                                            SHA512

                                            95b22415d722ad04127caa70a5b5bff2771d550fe54026bfe7207ae54477d9c774336b18efce19971a588c04daaf59f7af90be0b3177bd6166f38eb96ca5c4ee

                                          • C:\Windows\System32\vds.exe

                                            Filesize

                                            1.3MB

                                            MD5

                                            4b99303352c9005d11c7b52efe925787

                                            SHA1

                                            cc1b41c2f32c4e5cd1fab10fdb828337579655bd

                                            SHA256

                                            d7438c40c9f07e8b561641191bbf07989c4c72b148ac590f7ea89701b8d1907b

                                            SHA512

                                            b891df07db85a21ad23df4758c10276761d42f55c57a7c46ed0f7b07597344ce94c4536ef70e981b05ee161927d06d70baa12606c7d510df5f0afe4055d83024

                                          • C:\Windows\System32\wbem\WmiApSrv.exe

                                            Filesize

                                            772KB

                                            MD5

                                            cc2c95f7215b61dcf27f6156a076d0e8

                                            SHA1

                                            2772138efdcec8a54281d9367bde49efc3d4ca32

                                            SHA256

                                            b14fcfa90f990fb4ebcd5f1084afec401effe5aad41212682d6bdc7f40d8f13e

                                            SHA512

                                            ea0755d23897ba35db8b226fba9545a34a28ab02eb06774297a47c5a0a6e3060fdaefeb589d6d2fec42b31602ae30127cef96fed86c54058bc6d0ed17980d2a8

                                          • C:\Windows\System32\wbengine.exe

                                            Filesize

                                            2.1MB

                                            MD5

                                            f7725d77d2b623e46f736b26ecbe6473

                                            SHA1

                                            a692a0815586849f46f33d813c0d2aacb41452e4

                                            SHA256

                                            b0616e2f9af58b273f3488a96658bb017556dda9ce3c61e123f4e7612b2bfe42

                                            SHA512

                                            ed2f6752ba416adf721576a0c47f74c7fc7c9002905aab5ebac3951097224c725c28a4949d34148d3cac466ef9a711f1a4d3c82ed3fcefae3cba84009b84561a

                                          • C:\Windows\TEMP\Crashpad\settings.dat

                                            Filesize

                                            40B

                                            MD5

                                            a57e00e7b64144dba402c6db0f7ad149

                                            SHA1

                                            51a33fa8f038784838ba3a6c0fd16cfccf49de55

                                            SHA256

                                            26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2

                                            SHA512

                                            a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739

                                          • C:\Windows\system32\AppVClient.exe

                                            Filesize

                                            1.3MB

                                            MD5

                                            3c9ffcc4703fd8e228384991555874a6

                                            SHA1

                                            9dab5687636b778a0ba744fdd454fb1b83848d84

                                            SHA256

                                            5efcacc19255e18d26d854304686bc215fa019f61160f9fc876e5cee9033c8ad

                                            SHA512

                                            da32b137102ca08abc965adced04d41975961ddc946fa9f4474246ce73b531c5b9ee7425eaa7cc825e9f28e1db6d3eefa6c297c3abd89596fd011ff44bc84545

                                          • C:\Windows\system32\SgrmBroker.exe

                                            Filesize

                                            877KB

                                            MD5

                                            039b42da581968c25f573ea9d66f2748

                                            SHA1

                                            af896c8897b013d70f652e667305c56ef9596ecb

                                            SHA256

                                            c280213a17229c98e1024808538070d7afa46b99dd1d0507d7e12802e0c8ace6

                                            SHA512

                                            a7e60f213c9dd9293cf0e8fe054946aaea4c587b14f65ab3cea868304b004222fc7092b46bf597e920494a96d7ef8ab98381bece3552a32ba9d2601c66d0accc

                                          • C:\Windows\system32\msiexec.exe

                                            Filesize

                                            635KB

                                            MD5

                                            6361d0973b09fa8bec96b3384b176f03

                                            SHA1

                                            8a2908fc6f6dd3f36364d221560b17b1ba667d29

                                            SHA256

                                            4a39586ecca00882e59061f20b38fccbe809d9854e39e521493e24c514487956

                                            SHA512

                                            69d4cba974fe2eb11b9b3675a10ec185999f8cfe68a7ab19eb44bd6ead7abc1fc8fb68a53b29a1f940452ea02368b346870ed4f6245d4447208c48373a865863

                                          • C:\odt\office2016setup.exe

                                            Filesize

                                            5.6MB

                                            MD5

                                            bf63f3667f1306e6300a218197b469d0

                                            SHA1

                                            e497b7e74e333d542b435f1fafa4f0f1a14bbfa5

                                            SHA256

                                            57f8ab4ce137968eeff6c40d96420fc2dd83280c2203492c8021689cd51e4815

                                            SHA512

                                            70f99997046b60e203fe683f73fdff79c67f4bad1c7e1872f8e822f86da6a19ecd0aba510b3f2baf5656c7ed93742d83f7d8eb5a128655f7592a392a9a542a6b

  • memory/904-272-0x0000000000550000-0x00000000005B0000-memory.dmp
    Filesize: 384KB
  • memory/904-251-0x0000000140000000-0x0000000140102000-memory.dmp
    Filesize: 1.0MB
  • memory/904-333-0x0000000140000000-0x0000000140102000-memory.dmp
    Filesize: 1.0MB
  • memory/1408-52-0x0000000000680000-0x00000000006E0000-memory.dmp
    Filesize: 384KB
  • memory/1408-130-0x0000000140000000-0x00000001400A9000-memory.dmp
    Filesize: 676KB
  • memory/1408-41-0x0000000000680000-0x00000000006E0000-memory.dmp
    Filesize: 384KB
  • memory/1408-42-0x0000000140000000-0x00000001400A9000-memory.dmp
    Filesize: 676KB
  • memory/1472-205-0x00000000006B0000-0x0000000000710000-memory.dmp
    Filesize: 384KB
  • memory/1472-198-0x0000000140000000-0x00000001401D7000-memory.dmp
    Filesize: 1.8MB
  • memory/1472-291-0x0000000140000000-0x00000001401D7000-memory.dmp
    Filesize: 1.8MB
  • memory/1564-160-0x0000000140000000-0x00000001400AB000-memory.dmp
    Filesize: 684KB
  • memory/1564-169-0x0000000000BB0000-0x0000000000C10000-memory.dmp
    Filesize: 384KB
  • memory/1564-224-0x0000000140000000-0x00000001400AB000-memory.dmp
    Filesize: 684KB
  • memory/2100-116-0x0000000140000000-0x00000001400CA000-memory.dmp
    Filesize: 808KB
  • memory/2100-127-0x0000000140000000-0x00000001400CA000-memory.dmp
    Filesize: 808KB
  • memory/2100-112-0x0000000001A60000-0x0000000001AC0000-memory.dmp
    Filesize: 384KB
  • memory/2100-121-0x0000000001A60000-0x0000000001AC0000-memory.dmp
    Filesize: 384KB
  • memory/2100-128-0x0000000001A60000-0x0000000001AC0000-memory.dmp
    Filesize: 384KB
  • memory/2136-153-0x0000000000900000-0x0000000000960000-memory.dmp
    Filesize: 384KB
  • memory/2136-145-0x0000000140000000-0x00000001400CF000-memory.dmp
    Filesize: 828KB
  • memory/2136-209-0x0000000140000000-0x00000001400CF000-memory.dmp
    Filesize: 828KB
  • memory/2284-240-0x00000000006B0000-0x0000000000710000-memory.dmp
    Filesize: 384KB
  • memory/2284-320-0x0000000140000000-0x0000000140169000-memory.dmp
    Filesize: 1.4MB
  • memory/2284-226-0x0000000140000000-0x0000000140169000-memory.dmp
    Filesize: 1.4MB
  • memory/2836-191-0x0000000000700000-0x0000000000760000-memory.dmp
    Filesize: 384KB
  • memory/2836-278-0x0000000140000000-0x0000000140095000-memory.dmp
    Filesize: 596KB
  • memory/2836-184-0x0000000140000000-0x0000000140095000-memory.dmp
    Filesize: 596KB
  • memory/3264-28-0x00000000020E0000-0x0000000002140000-memory.dmp
    Filesize: 384KB
  • memory/3264-34-0x0000000140000000-0x0000000140592000-memory.dmp
    Filesize: 5.6MB
  • memory/3264-6-0x0000000140000000-0x0000000140592000-memory.dmp
    Filesize: 5.6MB
  • memory/3264-0-0x00000000020E0000-0x0000000002140000-memory.dmp
    Filesize: 384KB
  • memory/3264-7-0x00000000020E0000-0x0000000002140000-memory.dmp
    Filesize: 384KB
  • memory/3312-98-0x00000000001A0000-0x0000000000200000-memory.dmp
    Filesize: 384KB
  • memory/3312-107-0x00000000001A0000-0x0000000000200000-memory.dmp
    Filesize: 384KB
  • memory/3312-97-0x0000000140000000-0x000000014022B000-memory.dmp
    Filesize: 2.2MB
  • memory/3312-171-0x0000000140000000-0x000000014022B000-memory.dmp
    Filesize: 2.2MB
  • memory/3344-249-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize: 604KB
  • memory/3344-172-0x0000000000400000-0x0000000000497000-memory.dmp
    Filesize: 604KB
  • memory/3344-180-0x0000000000620000-0x0000000000687000-memory.dmp
    Filesize: 412KB
  • memory/4044-70-0x0000000140000000-0x0000000140135000-memory.dmp
    Filesize: 1.2MB
  • memory/4044-56-0x0000000140000000-0x0000000140135000-memory.dmp
    Filesize: 1.2MB
  • memory/4044-67-0x0000000000800000-0x0000000000860000-memory.dmp
    Filesize: 384KB
  • memory/4044-64-0x0000000000800000-0x0000000000860000-memory.dmp
    Filesize: 384KB
  • memory/4044-57-0x0000000000800000-0x0000000000860000-memory.dmp
    Filesize: 384KB
  • memory/4148-307-0x0000000140000000-0x0000000140096000-memory.dmp
    Filesize: 600KB
  • memory/4148-211-0x0000000140000000-0x0000000140096000-memory.dmp
    Filesize: 600KB
  • memory/4148-218-0x0000000000500000-0x0000000000560000-memory.dmp
    Filesize: 384KB
  • memory/4556-72-0x0000000140000000-0x0000000140237000-memory.dmp
    Filesize: 2.2MB
  • memory/4556-71-0x0000000000C60000-0x0000000000CC0000-memory.dmp
    Filesize: 384KB
  • memory/4556-102-0x0000000140000000-0x0000000140237000-memory.dmp
    Filesize: 2.2MB
  • memory/4556-99-0x0000000000C60000-0x0000000000CC0000-memory.dmp
    Filesize: 384KB
  • memory/4556-78-0x0000000000C60000-0x0000000000CC0000-memory.dmp
    Filesize: 384KB
  • memory/4736-21-0x0000000140000000-0x00000001400AA000-memory.dmp
    Filesize: 680KB
  • memory/4736-20-0x0000000000710000-0x0000000000770000-memory.dmp
    Filesize: 384KB
  • memory/4736-36-0x0000000000710000-0x0000000000770000-memory.dmp
    Filesize: 384KB
  • memory/4736-113-0x0000000140000000-0x00000001400AA000-memory.dmp
    Filesize: 680KB
  • memory/4736-35-0x0000000000710000-0x0000000000770000-memory.dmp
    Filesize: 384KB
  • memory/5016-19-0x00000000008E0000-0x0000000000940000-memory.dmp
    Filesize: 384KB
  • memory/5016-11-0x00000000008E0000-0x0000000000940000-memory.dmp
    Filesize: 384KB
  • memory/5016-12-0x0000000140000000-0x0000000140592000-memory.dmp
    Filesize: 5.6MB
  • memory/5016-108-0x0000000140000000-0x0000000140592000-memory.dmp
    Filesize: 5.6MB
  • memory/5024-132-0x0000000140000000-0x00000001400B9000-memory.dmp
    Filesize: 740KB
  • memory/5024-195-0x0000000140000000-0x00000001400B9000-memory.dmp
    Filesize: 740KB
  • memory/5024-140-0x0000000000CF0000-0x0000000000D50000-memory.dmp
    Filesize: 384KB
  • memory/5336-285-0x0000000000800000-0x0000000000860000-memory.dmp
    Filesize: 384KB
  • memory/5336-281-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/5336-346-0x0000000140000000-0x00000001400E2000-memory.dmp
    Filesize: 904KB
  • memory/5336-355-0x0000000000800000-0x0000000000860000-memory.dmp
    Filesize: 384KB
  • memory/5472-299-0x0000000000C30000-0x0000000000C90000-memory.dmp
    Filesize: 384KB
  • memory/5472-305-0x0000000000C30000-0x0000000000C90000-memory.dmp
    Filesize: 384KB
  • memory/5472-293-0x0000000140000000-0x00000001401C0000-memory.dmp
    Filesize: 1.8MB
  • memory/5472-304-0x0000000140000000-0x00000001401C0000-memory.dmp
    Filesize: 1.8MB
  • memory/5620-309-0x0000000140000000-0x0000000140147000-memory.dmp
    Filesize: 1.3MB
  • memory/5620-316-0x0000000000BE0000-0x0000000000C40000-memory.dmp
    Filesize: 384KB
  • memory/5728-321-0x0000000140000000-0x00000001401FC000-memory.dmp
    Filesize: 2.0MB
  • memory/5728-330-0x00000000006B0000-0x0000000000710000-memory.dmp
    Filesize: 384KB
  • memory/5860-343-0x0000000000BF0000-0x0000000000C50000-memory.dmp
    Filesize: 384KB
  • memory/5860-335-0x0000000140000000-0x0000000140216000-memory.dmp
    Filesize: 2.1MB
  • memory/5964-347-0x0000000140000000-0x00000001400C6000-memory.dmp
    Filesize: 792KB
  • memory/5964-356-0x00000000004C0000-0x0000000000520000-memory.dmp
    Filesize: 384KB
  • memory/6100-362-0x0000000140000000-0x0000000140179000-memory.dmp
    Filesize: 1.5MB
  • memory/6100-370-0x00000000005F0000-0x0000000000650000-memory.dmp
    Filesize: 384KB
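The listing above is data rather than narrative, so the useful addition is a tool that consumes it. The Python below is an added example, not part of the sandbox report or of the sample's own analysis. It parses the report's flattened layout (a bullet line naming the artifact, then alternating label and value lines) into records, recomputes each memory region's size from its address range and checks it against the listed Filesize, notes regions mapped at a linker default image base (0x140000000 for x64, 0x400000 for x86), and hashes a directory tree against the SHA256 set. REPORT_EXCERPT is a constructed excerpt carrying three entries copied from the listing (VSSVC.exe and two PID 904 regions). The tolerance in listed_bytes assumes the report rounds MB to one decimal, which holds for every entry above; hunt() is a generic walker that knows nothing about the sample beyond the hash set it is given.

```python
import hashlib
import os
import re
from fractions import Fraction

KIB, MIB = 1024, 1024 * 1024
# Linker default image bases. An image mapped exactly here was loaded at its
# preferred base, i.e. never relocated: a hint it lacks DYNAMICBASE, to be
# confirmed in the PE optional header's DllCharacteristics.
DEFAULT_IMAGE_BASES = {0x140000000: "x64", 0x400000: "x86"}

# Constructed excerpt in the report's flattened layout (a bullet line starts an
# entry, then label and value lines alternate). Values are copied from the
# listing above: VSSVC.exe and two regions of PID 904.
REPORT_EXCERPT = r"""
• C:\Windows\System32\VSSVC.exe
Filesize
2.0MB
MD5
be63f194adefea8c0241ab82eebab2fc
SHA256
9694aeccce895943da4798e81dd2a23cabb368a42dc0a5389e8ebc47afdf0f46
• memory/904-251-0x0000000140000000-0x0000000140102000-memory.dmp
Filesize
1.0MB
• memory/904-272-0x0000000000550000-0x00000000005B0000-memory.dmp
Filesize
384KB
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
MEMORY_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_report(text):
    """Flattened listing -> [{'name': ..., 'Filesize': ..., 'MD5': ...}, ...]."""
    entries, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"name": line[1:].strip()})
            label = None
        elif line in LABELS:
            label = line
        elif label and entries:
            entries[-1][label] = line
            label = None
    return entries


def listed_bytes(size_text):
    """'1.8MB' -> (exact byte count, half a display unit). The report rounds MB
    to one decimal; Fractions keep that tolerance exact."""
    m = re.fullmatch(r"([0-9.]+)(B|KB|MB)", size_text)
    value, unit = Fraction(m.group(1)), m.group(2)
    scale = {"B": 1, "KB": KIB, "MB": MIB}[unit]
    return value * scale, Fraction(scale, 2 if unit != "MB" else 20)


def check_memory_regions(entries):
    """Recompute each memory/<pid>-<n>-<start>-<end> region size from the
    address range, compare it with the listed Filesize, and note regions that
    sit at a linker default image base."""
    results = []
    for e in entries:
        m = MEMORY_RE.match(e["name"])
        if not m:
            continue
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        listed, tol = listed_bytes(e["Filesize"])
        results.append({
            "pid": int(m.group(1)),
            "start": start,
            "size": end - start,
            "size_matches_listing": abs(Fraction(end - start) - listed) <= tol,
            "default_image_base": DEFAULT_IMAGE_BASES.get(start),
        })
    return results


def ioc_hashes(entries, algo="SHA256"):
    """Lower-cased hash set over file entries (memory dumps carry no hash)."""
    return {e[algo].lower() for e in entries if algo in e}


def hunt(root, sha256_set):
    """Hash every file under root; return (path, sha256) pairs that match."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            h = hashlib.sha256()
            try:
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or vanished file; keep walking
            if h.hexdigest() in sha256_set:
                hits.append((path, h.hexdigest()))
    return hits
```

Feed parse_report the whole listing instead of the excerpt and two things fall out. Every recomputed size agrees with the Filesize shown (all the 384KB regions are 0x60000 bytes), and every process except PID 3344 has an image at 0x140000000, while 3344's sits at 0x400000, the 32-bit default; being at the default base only says the image was not relocated, so check DllCharacteristics before reading more into it. For hunting, the file paths are those of legitimate Windows service binaries (VSSVC, alg, msdtc, snmptrap, vds, WmiApSrv, wbengine, AppVClient, SgrmBroker, msiexec), so the hashes identify the dropped copies rather than the originals: a hit from hunt(root, ioc_hashes(entries)) over C:\Windows\System32 and C:\odt, or a failed Authenticode or catalog signature check on one of those paths, is the signal. The 40-byte Crashpad settings.dat is crash-reporter state and a weak indicator on its own.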