Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 23:32

General

  • Target

    2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe

  • Size

    4.6MB

  • MD5

    794e9916daa5049668c601d7ee808a33

  • SHA1

    862e755c3497e3b923af5510f9bdaabc96204741

  • SHA256

    da5a993c30ab19e71939ee0d7ec9a9c2510ba8d4f02230fe754670b65d887e1e

  • SHA512

    4e64a4da59965aafdf772c8b8f8a19205b77d2ab84e3dd74d971f406876b8a8448f1a472c56dee5f037582018959e45cbf9f874cb93b84766c01ec133c66eb1c

  • SSDEEP

    49152:j6xt7epvKbqZDMX1ABvAao5h+GjsY3ttrGJzRIq4RBTkV2XNuBDGuMrkOwbFE1dk:E5sY3nGJzR8NfuBgmv5

Score
7/10

Malware Config

No configuration is shown in this report and no signature ties the sample to a named family; the "ryuk" tag comes from the submitted filename, not from the analysis.

Signatures

  • Executes dropped EXE 21 IoCs

    All 21 hits are Windows services or third-party executables under C:\Windows or C:\Program Files (alg.exe, msdtc.exe, vssvc.exe, SearchIndexer.exe, the Edge elevation service, the Mozilla maintenance service, OSE.EXE and others) that ran from an image written during the analysis. Treat those binaries on disk as modified; the Downloads section lists post-run hashes for several of them.
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. In this run chrome.exe (PID 228) is launched by the sample itself with --force-first-run, so part of this access may be Chrome's own first-run profile setup rather than credential theft; confirm against file reads of the profile's Login Data and Cookies databases before treating it as exfiltration.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments. Here the reads are attributed to SensorDataService.exe (PID 4808) and spectrum.exe (PID 1884), both running from dropped images, rather than to the submitted file itself.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. Here the reads come from TieringEngineService.exe (PID 5232), also running from a dropped image.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls this API to enumerate and delete shadow copies so that encrypted files cannot be rolled back; whether this sample deleted any is not shown in this report. vssvc.exe appears as a top-level process (PID 5636) and is itself flagged as a dropped executable. On an affected host, `vssadmin list shadows` shows whether snapshots survive.
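As an added example, not part of this report and not code from the sample or the sandbox vendor, the following Python shows what the two sandbox-detection signatures above correspond to: first the registry values a sample inspects to decide it is running in a VM, then detection logic that flags a process whose registry reads span several hardware-fingerprint subtrees. The registry snapshots, event records, PIDs and image paths are constructed for illustration, and the function names are my own.

```python
"""Registry-based VM/sandbox fingerprinting, as samples that trigger the
'Checks SCSI registry key(s)' and 'Checks processor information in registry'
signatures perform it, plus matching detection logic over registry-read
telemetry.  Added example, not code from the sample or the sandbox vendor;
every registry value and event record below is constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# HKLM-relative value paths that hypervisors fill with telltale strings.
# The SCSI path is the one samples enumerate first; a real check walks
# every "Scsi Port N".
SCSI_IDENTIFIER = ("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0"
                   "\\Target Id 0\\Logical Unit Id 0\\Identifier")
CPU_NAME = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"
BIOS_VERSION = "HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"
SYSTEM_MANUFACTURER = "HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer"

# Strings the common hypervisors leave in emulated hardware identifiers.
VM_MARKERS = re.compile(
    r"vbox|virtualbox|innotek|vmware|qemu|bochs|parallels|hyper-v|\bxen\b|virtual",
    re.IGNORECASE)

def vm_indicators(registry: Dict[str, str]) -> List[str]:
    """Sample's-eye view: the registry values that betray a VM.  `registry` is
    a snapshot mapping HKLM-relative value paths to string data (on a live host
    this comes from winreg); the registry is case-insensitive, so keys are
    compared lower-cased."""
    snapshot = {path.lower(): data for path, data in registry.items()}
    hits = []
    for path in (SCSI_IDENTIFIER, CPU_NAME, BIOS_VERSION, SYSTEM_MANUFACTURER):
        data = snapshot.get(path.lower())
        if data and VM_MARKERS.search(data):
            hits.append(f"{path} = {data!r}")
    return hits

# Defender side: subtrees whose reads together make up a hardware
# fingerprint, most specific first (the BIOS prefix covers the CPU one).
FINGERPRINT_PREFIXES = [
    ("scsi", "hardware\\devicemap\\scsi\\"),
    ("cpu", "hardware\\description\\system\\centralprocessor\\"),
    ("bios", "hardware\\description\\system\\"),
]

def _category(target: str):
    """Map a registry value path to a fingerprint category, or None."""
    path = target.lower()
    for root in ("hkey_local_machine\\", "hklm\\"):
        if path.startswith(root):
            path = path[len(root):]
    for name, prefix in FINGERPRINT_PREFIXES:
        if path.startswith(prefix):
            return name
    return None

def fingerprinting_processes(events: Iterable[Tuple[int, str, str]],
                             threshold: int = 2) -> Dict[int, Set[str]]:
    """Group registry reads (pid, image, target) per process and return the
    processes that touched at least `threshold` distinct fingerprint categories.
    Telemetry source: the Microsoft-Windows-Kernel-Registry ETW provider or a
    sandbox API trace (Sysmon does not log reads).  Device managers and
    diagnostics legitimately read one of these subtrees, so a single category
    is deliberately below the threshold."""
    touched: Dict[int, Set[str]] = defaultdict(set)
    for pid, _image, target in events:
        cat = _category(target)
        if cat:
            touched[pid].add(cat)
    return {pid: cats for pid, cats in touched.items() if len(cats) >= threshold}

# Constructed registry snapshots (not taken from the report).
VM_SNAPSHOT = {
    SCSI_IDENTIFIER: "VBOX HARDDISK 1.0",
    CPU_NAME: "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
    BIOS_VERSION: "VBOX   - 1",
    SYSTEM_MANUFACTURER: "innotek GmbH",
}
BARE_METAL_SNAPSHOT = {
    SCSI_IDENTIFIER: "Samsung SSD 970 EVO 500GB",
    CPU_NAME: "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
    BIOS_VERSION: "DELL   - 1072009",
    SYSTEM_MANUFACTURER: "Dell Inc.",
}

# Constructed registry-read events (pid, image, target); hypothetical PIDs
# and images, not those in the report.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"
SAMPLE_EVENTS = [
    (1000, DROPPER, "HKLM\\" + SCSI_IDENTIFIER),
    (1000, DROPPER, r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"),
    (1000, DROPPER, "HKLM\\" + CPU_NAME),
    (1000, DROPPER, "HKLM\\" + BIOS_VERSION),
    (2000, r"C:\Windows\System32\mmc.exe", "HKLM\\" + SCSI_IDENTIFIER),
    (3000, r"C:\Program Files\Example\app.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]
```

With the constructed data, `vm_indicators(VM_SNAPSHOT)` returns three hits (SCSI identifier, BIOS version, manufacturer) and the bare-metal snapshot none; `fingerprinting_processes(SAMPLE_EVENTS)` flags only PID 1000, because mmc.exe touched a single subtree. Raising the threshold trades missed detections for fewer hits from hardware-inventory tools.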

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.129 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x1403827e8,0x1403827f4,0x140382800
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2868
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde7e49758,0x7ffde7e49768,0x7ffde7e49778
        3⤵
        PID:224
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:2
        3⤵
        PID:4644
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:4560
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:4760
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
        3⤵
        PID:4260
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
        3⤵
        PID:2980
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:1
        3⤵
        PID:1724
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:1620
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:4068
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:4420
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:4492
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        PID:3496
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff692c27688,0x7ff692c27698,0x7ff692c276a8
          4⤵
          PID:5052
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          PID:4216
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff692c27688,0x7ff692c27698,0x7ff692c276a8
            5⤵
            PID:1420
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:8
        3⤵
        PID:3708
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1884,i,10584864452440658902,14119403586182038036,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:116
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:4348
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3092
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:3988
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1480
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:2208
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3476
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:896
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:1672
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:3888
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:4052
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3536
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:2380
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4808
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:2208
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:1884
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4412
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:2520
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:5232
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5404
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:5512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5636
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5812
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5928
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:6088
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5840
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:5960
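The process tree is the part of this report an incident responder works from. As an added example, not the sandbox vendor's code, the following Python parser rebuilds the tree from the `N⤵` depth markers (which survive any re-indentation of the page), resolves each process's parent, and lists the processes that ran from images written during the run, which is the list of on-disk binaries to hash against known-good copies. The embedded excerpt is an abbreviated, constructed copy of a few entries from this report's Processes section (flags and entries omitted); the function names are my own.

```python
"""Parser for the Processes section of a sandbox report in this format.
Added example, not the sandbox vendor's code; REPORT_EXCERPT is an abbreviated
copy of a few entries from this report and the function names are my own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

DEPTH_MARKER = re.compile(r"(\d+)\S*")   # the "1⤵" lines
DROPPED_FLAG = "Executes dropped EXE"

@dataclass
class Process:
    image: str
    cmdline: str
    depth: int
    pid: int
    flags: List[str] = field(default_factory=list)
    parent_pid: Optional[int] = None

def parse_process_tree(text: str) -> List[Process]:
    """Rebuild the tree from the depth markers rather than from indentation,
    which extraction tools often distort.  Each entry is: "• image", command
    line, depth marker, zero or more "• flag" lines, then "PID:n"."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs: List[Process] = []
    last_at_depth = {}            # depth -> most recent Process at that depth
    i = 0
    while i < len(lines):
        if not lines[i].startswith("•"):
            raise ValueError(f"expected a process entry, got {lines[i]!r}")
        image = lines[i][1:].strip()
        cmdline = lines[i + 1]
        marker = DEPTH_MARKER.fullmatch(lines[i + 2])
        if marker is None:
            raise ValueError(f"expected a depth marker, got {lines[i + 2]!r}")
        depth = int(marker.group(1))
        i += 3
        flags = []
        while not lines[i].startswith("PID:"):
            flags.append(lines[i][1:].strip())
            i += 1
        pid = int(lines[i].split(":", 1)[1])
        i += 1
        parent = last_at_depth.get(depth - 1)   # None for depth-1 entries
        proc = Process(image, cmdline, depth, pid, flags,
                       parent.pid if parent else None)
        last_at_depth[depth] = proc
        procs.append(proc)
    return procs

def children(procs: List[Process], pid: int) -> List[Process]:
    return [p for p in procs if p.parent_pid == pid]

def dropped_executables(procs: List[Process]) -> List[Process]:
    """Processes whose image file was written to disk during the run."""
    return [p for p in procs if DROPPED_FLAG in p.flags]

def restore_list(procs, prefixes=("c:\\windows\\", "c:\\program files")):
    """Dropped-executable images under system/program directories: the
    on-disk binaries to hash against a known-good copy or reinstall.  The
    NT-style \\??\\ prefix some entries carry is stripped before matching."""
    out = set()
    for p in dropped_executables(procs):
        img = p.image.lower()
        if img.startswith("\\??\\"):
            img = img[4:]
        if img.startswith(prefixes):
            out.add(p.image)
    return sorted(out)

# Abbreviated, constructed excerpt of this report's Processes section.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-07_794e9916daa5049668c601d7ee808a33_ryuk.exe"
  1⤵
  PID:2440
• C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  1⤵
  • Executes dropped EXE
  • Drops file in System32 directory
  PID:4348
• \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  1⤵
  • Executes dropped EXE
  PID:3888
• C:\Windows\system32\SearchIndexer.exe
  C:\Windows\system32\SearchIndexer.exe /Embedding
  1⤵
  • Executes dropped EXE
  PID:6088
  • C:\Windows\system32\SearchFilterHost.exe
    "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    2⤵
    • Modifies data under HKEY_USERS
    PID:5960
"""
```

Run against the full Processes section, `restore_list` yields the 21 service and third-party binaries flagged as dropped; the `\??\` handling matters because the OSE.EXE entry is recorded with that NT device prefix and would otherwise be missed by a plain drive-letter match.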

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize
      2.1MB
    MD5
      dbc83e0c09dc2219868615145b318aa5
    SHA1
      d70edf2777bb3ae04f97e2cd5a7f87f8591d2720
    SHA256
      9835105a059d0de674c9009fc5fbfa1bab3144d25ac951280a49a8a3d202e18a
    SHA512
      855535ca3ed7d57a9aa44d27ec675cac75f66fd375f29b77ae9ae910357c6d0eae6997fe95397ed2336c42ff3863019f6dcf3f3f49794ac41ea5a7cdfb90d21c

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize
      1.4MB
    MD5
      ef3af397d8a9e160739e42062f1a4516
    SHA1
      27accab279dc7f091d24e41949548ff8e1a3d7ea
    SHA256
      55008034c29d5d2b4fe6171a207a020b17243b75800c4aee41a3e35d0c57ac58
    SHA512
      5143e79653444f9eac57c2f188a8059bbe50983b255f6197337e377fca0522b7ab76287c7a9f309f7f1bc829583558cabb70127c45a51a0c1a0fec7e2482228d

  • C:\Program Files\7-Zip\7z.exe
    Filesize
      1.7MB
    MD5
      abda4cdcd5d468ce35aa0adc2581523e
    SHA1
      b19cd19587d1df2d82a25aef4761f18c0d71e3c7
    SHA256
      ddea419e70768ee2ec6ee8fec1bf3ef153898678c3d51ed3ffaafe0f165b9921
    SHA512
      df1f81a8fafb5365c51ee53eeee37200f8cba57287a536738c017f2752cf69ca0097303c583f4c1bb9118b39a8635345cc91ac435d43b00945c8cd4c354c3bf6

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize
      1.5MB
    MD5
      ff88ddb76092519ec05a4c1c13c8c2af
    SHA1
      4175f7c444f88fc6535c435f4f8c63e38a48e40a
    SHA256
      f73293604d077f020de6cf3ebd424f3ffa282c26a6e28d78963157b28f6a02d4
    SHA512
      2d16dee3df36a68faaef9ab84bd31b3ca698f10514369b4d561a0dd6ee600d5b88259291417e64275109f5f6f0b2f153937f3749cdd8afee4a43a50ca4f3b215

  • C:\Program Files\7-Zip\7zG.exe
    Filesize
      1.2MB
    MD5
      05c7acfec3b44f3bea95771c22727cdd
    SHA1
      5559a7fe640ee5e9f7f18965d42e5113d126f766
    SHA256
      59bd73f051a5fad688f1ed366b8ae390a1a6da9f7dd1c9f18d4179e10474f925
    SHA512
      6d5ddf546f42b9b58698bd7a7d3c8f0f4f4e775a21d3293ce42166666bef716163b8af2e21c09f01cb8f3fd641c136223360e84aae455337b815207b997d845d

  • C:\Program Files\7-Zip\Uninstall.exe
    Filesize
      1.2MB
    MD5
      90115a70153ed4b7419542d2c8c5a0c9
    SHA1
      dd80f799c3955d2cec931430cd48cbf042f4454b
    SHA256
      da3c686e05eeb5cd12edbccc97b9014e745bbe0dceda34c47b82c8d3f6ff9aa8
    SHA512
      fcadf5cf9c8e6862a7383113be9bc546f44d707f2e32b36b5b7f1da69a2f158892220f699b6c33009b15eeef53794909b0cce3616a048463032785fa5b7f0490

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize
      1.4MB
    MD5
      af47a21eb96bee928a3db11bf0098ba8
    SHA1
      e133ca56186d9e72319415289b33ef312861b87b
    SHA256
      85c607fb573bfe37278d64bc471ff3991af355b27c44ab106139288cf49c58f6
    SHA512
      3c5aefa2783ec642e6fa6ab6b2683d78ccf106173a3436edf682308e5c993884e8336f448bc68950bfa235cca5c3a035c6f46be8a6f39faffc7edd9d0c348d84

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize
      4.6MB
    MD5
      c5362ef629b6c00622bf8d20d44f354e
    SHA1
      91535faa27a5d0a1f8893f8bb5393e6dc278143d
    SHA256
      8e33141e77392a1bce08838b860fbfd8af88208ed37f97e5e73ce79d40af2c40
    SHA512
      ba51785d444c079901e6cb7c5026e76e970fabea3adae3c5084fc5f8ededda2b6dcefcd629a20b401cc6f1984ee3ee6bb3b47ae4d3499a255b40271ca094d01c

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize
      1.5MB
    MD5
      4969de0764eff35b6c9821fb0dd76bbc
    SHA1
      58d6ad48e59220f1de3d2ef54f35ddc30e417548
    SHA256
      aacb40de918f5868b3cc77de5916abae1d82741838a9385dc71834f37f7bf2a3
    SHA512
      d6dfb2d5863d645f1c9bb489ff20924477e443fc531fc6a8a200e4437e314d0857fcddd0d2473e1ced0aae09f847a5efdab5243f59280464921169ddfd52442d

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize
      24.0MB
    MD5
      e3712a427a0851aa67dc6ed470bae1f8
    SHA1
      fb94dbb66d1edde5df7f5aad958285f2a4b7136c
    SHA256
      f520ad408998503014740c5b5701ba7a2c9e0c4046d62f1290fe55dd1c5feff0
    SHA512
      802c6fe7dec43e6f26fcd11c76ddcfdb170c93818766c60928c726851881ed3aa8db3c87c9ccc25dae91a33915918d1d0aa994213094fb167f167143e97ae05e

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize
      2.7MB
    MD5
      fc15185ee90329f17c624965aa9fc3b2
    SHA1
      eb939b524e5b54bbd70883aa1a0a76338c189ff3
    SHA256
      7420b4ba76b224d497e567a59a9dfd6e40012b404c0f464d6d63383397741dfb
    SHA512
      1973174ed3f0a91e8e9f216871e441142b6cd424196434e4987317af0f9806720b832c714c04188fb6abdf53c3e52f6c141dd2fc9e5151155afe0bb196b0a06c

  • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
    Filesize
      1.1MB
    MD5
      63345e407a27275735f077548ae9998e
    SHA1
      1b7c2ec2a3e5dc663239ee88913906c149e93bd6
    SHA256
      24ead244884da2a5fbf092c52e24e94f5fd1e58d206e6c0b579ccf1fd69f9d54
    SHA512
      51c582d39ff5cb551b618f67aacceeac707a589d81b80e005b3688d346571068b482b800400900e5addcb476d6d3028c2d2d39238cda31268dd604acb76cd6b4

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize
      1.4MB
    MD5
      42d12d8ad65526cfd270ad04251ef3b0
    SHA1
      c593c1493ff793eb5d4675f6d0cb00777d03ad98
    SHA256
      6019334bf578cb9e5e4c12e8cad83b062301ec3cff4c0f9b10ab1ff581175164
    SHA512
      24d4b35814599ec249de1c696ba147e3f9396706635a2ed13a8a9c923136205de1fb1929e7c4bea1a719758ee5c5702d239a147864164db573f4460d6634e06b

  • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
    Filesize
      1.3MB
    MD5
      788d67abac5443986b527b3ee8f846d5

                                          SHA1

                                          4fdd3adf829f94c4cb6f5689351ab61536c8e7f9

                                          SHA256

                                          0d71f772562f611b896a06cfc564a06b2df0b9a1cf7ea4dba733f5bd44429c12

                                          SHA512

                                          88f58c40bba23e57ef9dae6abe69591449762de649dd57006d59d90996cd0b0e083ecef8075fe15f188bb89187f2ee01f22205b9ea1e5fa494b0eeca116a14e5

                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

                                          Filesize

                                          4.8MB

                                          MD5

                                          c6de1d50bca8eb9444fee7472da8bbdc

                                          SHA1

                                          90f07975433364c82e45b14ac857f3208e8d51e3

                                          SHA256

                                          47556bbf3b1a1d857bce9c2e5225b074ba8084785484fe45216d435809093971

                                          SHA512

                                          4f265af270b9d3551a384bb749727691ad01ff161cd59c930f46494217e557286a8e8ec19083e93ea915a7970bf1af54e677584f33b88fb5b4af1c39c4c8b755

                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

                                          Filesize

                                          2.2MB

                                          MD5

                                          4dd1322845b1e74fe121e61624576c4c

                                          SHA1

                                          e031c1e29eaec68d7a60393bcd980e50a7f19f16

                                          SHA256

                                          47480ef982e318a330391b672e2b9e5b9bf885ed2626ca4ee2a4df8ba265cf5f

                                          SHA512

                                          593383e29fa121f900b8e345483f585666ba09d087e90d5974f883fb716bfa6b5c213e598a03428e2132fbc820b846335fb6826ec7a474f379d1aa8925db69c1

                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          a94f117e3fb1bf1ece252fc160d2035a

                                          SHA1

                                          a529e42d80de61c29697e7d0b612bea02cdd3c5b

                                          SHA256

                                          f96b9fa8918be8325627a0d9b1ba1281dfcf8605ac44047590b1c57646bb8cca

                                          SHA512

                                          4c1bf677cdfb928752ef50086a5067eec9820b13386792cacc9f7fc3e60a2ca3c23dc773cc6405927c5f3ceb5acbe536b5c7b9c4cc05664077f1b48633b034fa

                                        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

                                          Filesize

                                          1.8MB

                                          MD5

                                          651d995292fa9b0ac2d5039e3a905d28

                                          SHA1

                                          c7497f12aa804e92f9748fdcb20395932abc10f9

                                          SHA256

                                          b71c9ab589008a43ca48e09ae975b7ddd20a27205f70bb1927ea734eccca9602

                                          SHA512

                                          c340e35592560ca0fb5776a069fcfd08c4fa402194df75e2ed4184bd37fb4ad1a42169344c9237699265f365007898abb78c19a61ec37cf65b73b6de4f05be49

                                        • C:\Program Files\Google\Chrome\Application\SetupMetrics\b528c53c-7403-4b0e-8968-abc5934a22e1.tmp

                                          Filesize

                                          488B

                                          MD5

                                          6d971ce11af4a6a93a4311841da1a178

                                          SHA1

                                          cbfdbc9b184f340cbad764abc4d8a31b9c250176

                                          SHA256

                                          338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

                                          SHA512

                                          c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                                        • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          b728511624599a53d504afadef95b199

                                          SHA1

                                          83e7d54da91e09dabc0dfd62cffb5bc22017e08a

                                          SHA256

                                          73af2337029f778175acb36a82025a4a39504676e4f29dc2e347a4233aa94a35

                                          SHA512

                                          6ae7e7152c792d671beb082dc4bad1ecd39783fc926e823197f28cd55bd9f0fe063e2e8ae09136a75d9fd5fd55ac69a52845dc69897bb2e8f7dcaf5ff111d7dc

                                        • C:\Program Files\dotnet\dotnet.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          325696c6650a04a3045a6732de5feca7

                                          SHA1

                                          6ba23cc2395a59e95e20f078e60c90226075027d

                                          SHA256

                                          a5ebbbb28fa807ae690e886b9e467f44fc87a43cb5fbb4fe1417514aecbcd429

                                          SHA512

                                          5b4584f6f2d72ada6462c077fbb7024eb77166e6d679e4862253a1da480af31dbc757f5366de45d3dda644aa3c55f431ecf2ebab457d3ef91670b30addfb4a25

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                          Filesize

                                          40B

                                          MD5

                                          b605879e08d2c37a89e0a7cf9cebb008

                                          SHA1

                                          547075286a6e5e6a304912cef29adf2a5379458d

                                          SHA256

                                          2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a

                                          SHA512

                                          f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

                                          Filesize

                                          193KB

                                          MD5

                                          ef36a84ad2bc23f79d171c604b56de29

                                          SHA1

                                          38d6569cd30d096140e752db5d98d53cf304a8fc

                                          SHA256

                                          e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

                                          SHA512

                                          dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                          Filesize

                                          1KB

                                          MD5

                                          ea97088988e106c4bb602af83b1ff405

                                          SHA1

                                          89f24c6c308f7440f2ee601924148fa6165f8bfa

                                          SHA256

                                          04be5bd32ee0e48fe2da6d02106cf6fa62ae8d299dbfb70eddc5c105ea7b1340

                                          SHA512

                                          9653dd1c9f99cd8414811e734eb6805b8f3dcc0b6715ba08f052a5953a95e85133c27629370f1319797f5c4ebc7e4a8eee454a5e75bfd84ee5539fa5547f2616

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                          Filesize

                                          371B

                                          MD5

                                          2737d83a82cf5038772aa0ad5ba159e3

                                          SHA1

                                          44c6096b8fca5ba11a6d58c494d354e885b2457f

                                          SHA256

                                          39ba171ae002ac8441683b5bdc33b3f33251fa6eac88031b6ea1b347c8c90023

                                          SHA512

                                          fd1b92705dcbb5166880e2fdb11a6b437029a323d1af77b8a9bb758abc24fa7407c36b8220eda15bb7e5ebb086cb2ba541be3dab608fa1da42fb3b6dffd8c036

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          4KB

                                          MD5

                                          c9e152f4ea812ff0ee70fb1487e4f8d3

                                          SHA1

                                          65a1e23a042fb35fb67b754f26424c0f4cbd4f52

                                          SHA256

                                          9c12fb7525b5503fb6f29048f599c0d9bd21d3b3314b5338006ec01c2ebcf194

                                          SHA512

                                          6d44123f2cefd5ca2c177560882772f3d04d70a8541758b02e90ebccbac9a4ac1643411faded968b68b2bec8e6e0703cbb3b84dd1ae40ed74a5806a3485422d3

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          4KB

                                          MD5

                                          e866c1f1c23aff0b82bd4c1baf74400c

                                          SHA1

                                          9747f08b200659b642a066c9a4ddabd4d9047d93

                                          SHA256

                                          7812450cc7ecc61f6c35f9d3d689f8306f24500d1809c1378bbcf34740904bd5

                                          SHA512

                                          66008e2663962c1edc09199198f08fa36eecc318a8046c558727d28186dd04e50bbf3fc164e2656bafca8b577047cd22cc2c62664d8284091d7992964c437cd4

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                          Filesize

                                          5KB

                                          MD5

                                          2d3ab12528fd84f35c3115a7be174497

                                          SHA1

                                          38e249ae4970923f4ac6a73eeaea67c437360085

                                          SHA256

                                          1f03cfeb90664609ba793ffbec211be5262c3b7f2b180f56539fa4c22e4fcafa

                                          SHA512

                                          f7e5bb6859aaf6e2d4e3fbf0a681a27d2709bfcbc587c4fbb675048f492a271ffede0b080d03a150cf7030ea07de88bf92078e583b9f3124fea479d52ca770b8

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578a6d.TMP

                                          Filesize

                                          2KB

                                          MD5

                                          ef3aac392c0d75f931c89cbb67985e0f

                                          SHA1

                                          ce61a9a0890645f7551e4188f0dc09b324f56b63

                                          SHA256

                                          474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec

                                          SHA512

                                          22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                          Filesize

                                          15KB

                                          MD5

                                          e7719b4094a8bc68d5066e8308202121

                                          SHA1

                                          7973db360a9a9c15dc6bc76ea735394f1c6a6635

                                          SHA256

                                          71a1baf3328193f4b4aeec9f8a4a97135a81494b5619307df51a2f97f21a5193

                                          SHA512

                                          5a1e5147a118d9a6aa7540b79284a8e501c8ba468918f6d8d0afe1724cbdb0fd6489fd578af1ca62b9dd66d49a5b05125b9029d5ab3a0d50226c1d5caf5d5e3b

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                          Filesize

                                          260KB

                                          MD5

                                          e12fd91db9ba2d0aadb1d20f203e05b5

                                          SHA1

                                          84f61e18ce3b5a38579be32c3bc4391d250692d1

                                          SHA256

                                          0164264b5250faa31c17e77a4a310cae7e571e32e6210d15d788ed14e2df09a8

                                          SHA512

                                          561f38d0e8c2459ebea9f4f6184007a994ccd3d90ff9867bbaeef379ef42ede2302e6d78cb46e4fd6a0e770600df7f9fb8cb3d39e42a369b8aaf5918205b0bec

                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

                                          Filesize

                                          2B

                                          MD5

                                          99914b932bd37a50b983c5e7c90ae93b

                                          SHA1

                                          bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                          SHA256

                                          44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                          SHA512

                                          27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                        • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                          Filesize

                                          7KB

                                          MD5

                                          9a6e2c685a142ef53639bedacafd0797

                                          SHA1

                                          24be0856246d03dbbc328ff9d71681f0a066d68a

                                          SHA256

                                          34b2b095a7a944547d230b4ebf102a22e22cebffe712189da4bbfa968e5d929c

                                          SHA512

                                          38a9e968cd481d8b2f8bc7bd830efa8a56368fb8e5a41dacb458ce65c0c650c70d3b2b4e8c37f7446cb6a4284550148cb2446a62352ada567a279bb78bdb7890

                                        • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                          Filesize

                                          8KB

                                          MD5

                                          dfdda1520b2f922d2ee38b65a066b5e5

                                          SHA1

                                          e613431382376da0a017ae5324253972705a53e1

                                          SHA256

                                          a4bf4a78c5081fd0630ae09c5b9d7747395c39bc076f92c61fbcce18fa2cef11

                                          SHA512

                                          8f29922786e303cf9d63811687ad87c77b690085099f714179d6fdf9d4b620811917c968e98c68ac27068cfab38341b57ffd6372bb888709dd2858df78f3ad3e

                                        • C:\Users\Admin\AppData\Roaming\4ffea5862a644d7f.bin

                                          Filesize

                                          12KB

                                          MD5

                                          a057f12c3dfa4eb694d40e674c4c27c2

                                          SHA1

                                          4347c64fffd9dc4f148dea7897b026745965bfed

                                          SHA256

                                          bdeedde83ea1190015f6a78ead7171d1d28f9167b2c463ba72510a407feb4069

                                          SHA512

                                          c90f2fea517acb3f44b5ac8b3242b9183950e8adb5e0d86be4b7be3a7ccdbea4676223677fe2df0980c784a171ebfb49b843407f678d9b7b8cbb5987a01b08e6

                                        • C:\Windows\SysWOW64\perfhost.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          9e25c5192f1d9432d34ca21de20c89c8

                                          SHA1

                                          0c24c745edbdfaf5b37f116acf59290a2b265cc9

                                          SHA256

                                          ecf49cf1d35684ad3d926d6911dd1c40fe64b49aa06b90eee0de89bae20509d2

                                          SHA512

                                          89cd81a480b47efa308036b538f8d8df28650e2ec7d5feadc4810ea7562ff98b10c5b2c7033085f067dcdbe92208263047b2bcf2eef302ae8e70910f398388fa

                                        • C:\Windows\System32\AgentService.exe

                                          Filesize

                                          1.7MB

                                          MD5

                                          5fd03f897f855dd72ca9ebfd2ee7b0dc

                                          SHA1

                                          e310bf354b723ba5c65248c7456ec4b34fe76c18

                                          SHA256

                                          202f0bb2794e1f45af04146d4830cded0915dbdfa8963c216a1b68966eb4666e

                                          SHA512

                                          a50e8b30ce828f9c684854512ef9ce3639ea001b37071dd186f53030bfe70869bbdfc86a3c751866f4dfaa43c02314391bf1f34627aced40e268d293c630c67c

                                        • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          1e8bda18bc5d0f77de8462a1bdfcf8f5

                                          SHA1

                                          9eba223cf9fffba81fac549f50b1d3a42df33072

                                          SHA256

                                          a21976e212602b227ab10542e23ad4cddb6da2051cf1b58579a2a3e7933a912b

                                          SHA512

                                          ff4f354411538653b022a9bae911fdd471bce353884e5590c01d68b5623ed905fd951ccebec0cafd79bb6a8338a5c822b2fadb0cd6d0a4e30bb0fc95e28ac7d7

                                        • C:\Windows\System32\FXSSVC.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          577eebf8bac1ffbc212b1fdf9b372190

                                          SHA1

                                          92a7c7a54e1199d7d6df2d0899e26ef998fc5362

                                          SHA256

                                          750b3f67d570d413839277bf760adb7d28baaafcb96752fb71d2db8f959b09d7

                                          SHA512

                                          fcf32c6ace083d0a10a4d4d1675c63234d602ce491c1ee707996ccaf0b0060335fbd46598aaa98d0c8b81b401f0675da9aea197c8352446c5b922701f5e7baa9

                                        • C:\Windows\System32\Locator.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          a6136b8aac5bf24ec660c931be9f828e

                                          SHA1

                                          acda44b46536ce01db61b87270e2bc995a2009b7

                                          SHA256

                                          2c147b928b48fccc66ed22b748fe35146ca4b484b334bbb500c2124f45dd8770

                                          SHA512

                                          b86b328272e24511dfe3445f50f9ef1dd470cfd163a2a8c279bede0bae613c31bbecc0e5b9f8756d425bf04843d5790d4124fe55c69cde9a106dce247387472d

                                        • C:\Windows\System32\OpenSSH\ssh-agent.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          675cf2973f751e6e5441f7eab6872d49

                                          SHA1

                                          1fa170065ec826695ffce91d487a5467e2c3a5d0

                                          SHA256

                                          4d627264ae1518a1af89cf234e0eba472c604448f7445cdd953863fe5a509e80

                                          SHA512

                                          b300665802047ce6dda749e5f34af9901df465c0c99bd41b87b438ecafb044a4ba8353c78483d4c6acd769a4cec7bf40b039c9a58afbfd3757fe92852bba28bf

                                        • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          1d546a61711cf9cc9bb1c9b34ec17e4e

                                          SHA1

                                          d3eff03c113295492911be95905afc9a4b4d9a46

                                          SHA256

                                          5d3fca1426750577870565141924d2f7e999a4ab5b0a6e5e27d020a46625fabd

                                          SHA512

                                          537edd044d98816e5b2b0bbdfdf779b430b56d1b7e7caa2c8f950207b765e34fe8105e0f63140fb6abba4ecc616a8f54a69307f19fa7a5a2994dede2b644460e

                                        • C:\Windows\System32\SearchIndexer.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          d0748d2a4eb2e545f7551b1c3275ad9b

                                          SHA1

                                          3abce5d99b78b3b0bf76a40685f5bf6075bc343b

                                          SHA256

                                          e444009f1798e970c99a0c55c2f50c075b1524980bf5a2df47386c834869938a

                                          SHA512

                                          831d83ee1480c2cd7d4e2317612e6a475f48638dc5d4f2d8f3d50e49547578789d774156a7360c2b65b988e4b687c39ffe21789dc838cd9cc7390efc602c6f17

                                        • C:\Windows\System32\SensorDataService.exe

                                          Filesize

                                          1.8MB

                                          MD5

                                          46f0c02c32c58ee239011a4becf86111

                                          SHA1

                                          90a0c541e5c6f193f27b7ea755b1c4f238113ee6

                                          SHA256

                                          a03da6f2cba1d68a93e5b2d9cf042e6d11fdf48dd2565f31828228251b11942f

                                          SHA512

                                          ffc93a0b3cfa48a20361220479ffb7fe99f4a7ae7dadcf475501515551ac1cbf2765504fda74f1509aa33507f6575abf4b58c09d5691eeb6cadcae2a8ac56694

                                        • C:\Windows\System32\Spectrum.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          885209da3b7924e5db9d7e27f15c4922

                                          SHA1

                                          5f8a98889aeaadd0ec58cafff5be8536d15e33fc

                                          SHA256

                                          a1eb34bb8f4f118297d723aad352d3a98e9122c9612021ac9d4151e40892e364

                                          SHA512

                                          dc17522db54e4a412246336945ae839358393a43dc5867b71fb345741025648f57be97f6e6986b4ba10589b8b5769149a9989513f856c5949db315f1426a407b

                                        • C:\Windows\System32\TieringEngineService.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          6f8e561e36607c6307e7c59790005960

                                          SHA1

                                          c0172d31b05a926982452b47a46ba44e94df96b6

                                          SHA256

                                          218bc5104ef8b63a3abe2fe474f3054f10caf89342a9b5d908f6cb4063586bae

                                          SHA512

                                          4a2a24737e118c6e3df8c407bf76f4b1b6bcdd0902e329967a2913df1400054a8fc81363a1b9c5213a8b8500c3ac8e88e245db1dd3a0c60c1bf8941f2d4f9695

                                        • C:\Windows\System32\VSSVC.exe

                                          Filesize

                                          2.0MB

                                          MD5

                                          d3d696796931dc7a5485ad96fb5bcfe3

                                          SHA1

                                          f34ef1e0df6286dce8ce6970080101bb9dd85f4a

                                          SHA256

                                          ea6188e900d29210f0394c5705586fad3cc9b6a441ffa86347d4accb5532ee53

                                          SHA512

                                          9e01a249c2da82b1b3d8b94e934c305b5c11780607aa53bfc92015982d85dd5bda58138dafbcea3c450e2998025fd577155e4a465db7e602ef5a131115c2d93c

                                        • C:\Windows\System32\alg.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          d9290d674fd905112932e1f283064cb7

                                          SHA1

                                          8742a81f9ae65bc13efd8860bb71595eaf89a198

                                          SHA256

                                          4587b9e0933a702efbf813f7396d191b3997248e8ffc064c1d8a4e60473e1115

                                          SHA512

                                          f42291d5ae6bf232cf9900f24bd2d6fd38f0531ee2f94382c273cca2b20dad7512eb2182ff89ac40ac75a2eb2e92b6fc64150a2aa2edcbf61c9a0bd23eb8b400

                                        • C:\Windows\System32\msdtc.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          40ae17f569d1c71b89710e3f7b737297

                                          SHA1

                                          71d594ec9892800d18bef5634e968bc8ceed11ab

                                          SHA256

                                          bfcb63dd8fbcc51a4c692a0572b79d4741cc31a172a21ad82bbd88f6bcbb36a0

                                          SHA512

                                          097b8f65abbf633212d453afc32c11c12317f0ce9d98bbb37a75426488a22bd7302e9095e1e2444e9614f2391ca270064f502ae31e36290a1213200c6cb2ed7c

                                        • C:\Windows\System32\snmptrap.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          3ca420a828ef5acfe6dca28c11af23ec

                                          SHA1

                                          ae66e2eec5b60d10de54e4b866e77dd2dc342cab

                                          SHA256

                                          2539250ae20dd295182fa09f0a777b4e4a3483b391231b9e8a3952a178e5c342

                                          SHA512

                                          2a3ce65b884cafa53a5d20dc42036341528b3b21141e7707eac2e6d832e91f083c65fc0c7ab7b43f5997ca574fee2e76d3631f52a8ac2d870c3bc67a6d1cbb6c

                                        • C:\Windows\System32\vds.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          1567f0443b8d5f6d65e3477fdcffac41

                                          SHA1

                                          99de43a0936be61f4de5d6468bc8e8915463df1c

                                          SHA256

                                          9d80c3bb7cd792e5b06281ce1d6a57e7c3342a9a4226cb163991ca1704e715e0

                                          SHA512

                                          45dc41d06f04203b69ac1923426686935a97f5d45392ab44be1806ee3c79e4fdbfef6f985cebddfa6843f948f18f7e2c6afaa590020a0b7a5731e08dd33e2593

                                        • C:\Windows\System32\wbem\WmiApSrv.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          1a949116a7d0600a631224eb475f6d93

                                          SHA1

                                          f5ebb95ec24a86201bd60bda552cb7115597b794

                                          SHA256

                                          2e20676403f885b324ae039c718773cf71d7e5d97777da786cdb17f2723bbd9b

                                          SHA512

                                          c94d78e0af8fe31148240365d5a14c829cbc9ff00b0516228aadcc0e2481519ace7a888d5664b8ce405722936c0fd434850fdb4cfd1651932c1cc348f84d92dd

                                        • C:\Windows\System32\wbengine.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          1c3f4fced755f1f3358963a8a5ff12ee

                                          SHA1

                                          41daafcd0be6f39d4b1358517a700e2b6a0ee966

                                          SHA256

                                          4f1c0c041470811fbd8792f56753ede673fde8e60f85bea113262af42be3a29b

                                          SHA512

                                          1c800a85d5df15d493304e83be329517e2588c920a503d0d4774a5d27a8040c3217fae5ea3784e58021ada8f140c35f080c22ee1c2e9bc4f2e3ccc25a2986cb3

                                        • C:\Windows\TEMP\Crashpad\settings.dat

                                          Filesize

                                          40B

                                          MD5

                                          7806f070ee1bf48d945790a0c2a61355

                                          SHA1

                                          cd3804e5db65628f5a3c0a8accbcb6d10544280c

                                          SHA256

                                          6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895

                                          SHA512

                                          c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

                                        • C:\Windows\system32\AppVClient.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          16f6f91b7d49355fc7593f04363cde08

                                          SHA1

                                          a5f3808de24407a309aca600129286d41cb974a6

                                          SHA256

                                          347e4afdac373dca9b8b2816dc74575ea531c9a999aae1224484a7ec89cc2eaa

                                          SHA512

                                          81efbc15461aab430426d1a8831e33fb759c32504636062f315bab44b74d768f9ed48531c84be3ff5894ab985b2f9bdb0fd88b6a7fb6dd759b5f3c8e2c3885d7

                                        • C:\Windows\system32\SgrmBroker.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          bfa08a606cb34a5237669088cf5fe428

                                          SHA1

                                          7d9aca5f02812c961be1a66261dbbfb921c17309

                                          SHA256

                                          bc280c36eb7ea699c46a11269da3b78bebf8930bdcdf038f921f3484f4221851

                                          SHA512

                                          29b14ca0e3cb39f11996fdec8c1e38fafca19b66d6afbd5a372b266ce205bc68f41348dc430d9ba46f1140e2e29a77e9c5839c5082ab8605acefde2e9a3a1a63

                                        • C:\Windows\system32\msiexec.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          6aada40d1a10b2559fa8d47ccfaebc40

                                          SHA1

                                          0b083ef8351423cf0308fa12481ca80779a94e24

                                          SHA256

                                          728f34a15b000fdf0666deee942c2d7f0805b1ff745edd7e93ee5d7cebaefb90

                                          SHA512

                                          6e3979544fa87642a16451e92cd9544e155c1b21bb05f05f28c164844cfa2221efceb823150523cabd6dc996e348aa9da0267941407f1720800df9da73a85f36

                                        • C:\odt\office2016setup.exe

                                          Filesize

                                          5.6MB

                                          MD5

                                          65852d6c85b571f93f0e4b3fa04b7e28

                                          SHA1

                                          854518490c34dbf3040342ec4fb9ade6ee3223ac

                                          SHA256

                                          bb023db70e6fb718aa51d6db2bdfdcd3c50c207b8999ce009ce325b6b97b8383

                                          SHA512

                                          693468ddd6702dd079001140bedd66d8d520aaab9b6248ecbc88d74e851d88817ef640bb19afbf014927ef04f625905076459880177c6919257c4eea25d2f157

                                        • \??\pipe\crashpad_228_SEWYEUMTJLQLNDBR

                                          MD5

                                          d41d8cd98f00b204e9800998ecf8427e

                                          SHA1

                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                          SHA256

                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                          SHA512

                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        • memory/896-118-0x0000000140000000-0x0000000140209000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/896-116-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/896-111-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/896-102-0x0000000001A70000-0x0000000001AD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/896-103-0x0000000140000000-0x0000000140209000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/1480-95-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/1480-59-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/1480-60-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1480-80-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1480-91-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1672-123-0x0000000140000000-0x00000001401F8000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/1672-130-0x00000000007E0000-0x0000000000840000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1672-217-0x0000000140000000-0x00000001401F8000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/1672-122-0x00000000007E0000-0x0000000000840000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1884-337-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/1884-249-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/1884-256-0x0000000000700000-0x0000000000760000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2208-244-0x00000000006E0000-0x0000000000740000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2208-236-0x0000000140000000-0x00000001401D5000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2208-319-0x0000000140000000-0x00000001401D5000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2380-213-0x0000000000520000-0x0000000000580000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2380-290-0x0000000140000000-0x00000001401D4000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2380-206-0x0000000140000000-0x00000001401D4000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/2440-2-0x0000000140000000-0x00000001404AC000-memory.dmp

                                          Filesize

                                          4.7MB

                                        • memory/2440-7-0x00000000007F0000-0x0000000000850000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2440-0-0x00000000007F0000-0x0000000000850000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2440-40-0x0000000140000000-0x00000001404AC000-memory.dmp

                                          Filesize

                                          4.7MB

                                        • memory/2868-12-0x0000000140000000-0x00000001404AC000-memory.dmp

                                          Filesize

                                          4.7MB

                                        • memory/2868-101-0x0000000140000000-0x00000001404AC000-memory.dmp

                                          Filesize

                                          4.7MB

                                        • memory/2868-24-0x00000000008D0000-0x0000000000930000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2868-11-0x00000000008D0000-0x0000000000930000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-46-0x00000000004C0000-0x0000000000520000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-54-0x00000000004C0000-0x0000000000520000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3092-137-0x0000000140000000-0x00000001401E8000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/3092-45-0x0000000140000000-0x00000001401E8000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/3476-93-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3476-94-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3476-86-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/3476-84-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3476-177-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/3536-261-0x0000000000400000-0x00000000005D6000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3536-187-0x00000000008F0000-0x0000000000957000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/3536-270-0x00000000008F0000-0x0000000000957000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/3536-178-0x0000000000400000-0x00000000005D6000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3888-242-0x0000000000800000-0x0000000000860000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3888-140-0x0000000140000000-0x000000014020E000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/3888-144-0x0000000000800000-0x0000000000860000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3888-234-0x0000000140000000-0x000000014020E000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/4052-247-0x0000000140000000-0x00000001401EA000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4052-163-0x0000000140000000-0x00000001401EA000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4052-172-0x0000000000BF0000-0x0000000000C50000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4348-31-0x00000000006D0000-0x0000000000730000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4348-113-0x0000000140000000-0x00000001401E9000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4348-17-0x00000000006D0000-0x0000000000730000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4348-19-0x0000000140000000-0x00000001401E9000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4412-350-0x0000000140000000-0x0000000140241000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4412-272-0x0000000000EC0000-0x0000000000F20000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4412-262-0x0000000140000000-0x0000000140241000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/4808-302-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4808-219-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/4808-227-0x00000000004E0000-0x0000000000540000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5232-364-0x0000000140000000-0x0000000140221000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5232-292-0x0000000140000000-0x0000000140221000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5232-297-0x00000000008A0000-0x0000000000900000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5232-372-0x00000000008A0000-0x0000000000900000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5404-316-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5404-303-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5404-310-0x0000000000B70000-0x0000000000BD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5404-317-0x0000000000B70000-0x0000000000BD0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5512-329-0x0000000000C60000-0x0000000000CC0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5512-321-0x0000000140000000-0x0000000140147000-memory.dmp

                                          Filesize

                                          1.3MB

                                        • memory/5636-347-0x00000000006E0000-0x0000000000740000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5636-340-0x0000000140000000-0x00000001401FC000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/5812-360-0x0000000000690000-0x00000000006F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5812-352-0x0000000140000000-0x0000000140216000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5928-374-0x0000000000500000-0x0000000000560000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5928-366-0x0000000140000000-0x0000000140205000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/6088-379-0x0000000140000000-0x0000000140179000-memory.dmp

                                          Filesize

                                          1.5MB