Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 16:52

General

  • Target

    2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe

  • Size

    5.5MB

  • MD5

    bf1dee869fb9420e75609ce2d49b2f3b

  • SHA1

    461a52ec8d952e6bd03c11291f4961ca407670cf

  • SHA256

    11881b281e509627e79578ae40a45e79942c54e0b2c16fd6c4ee574cd7c63685

  • SHA512

    dbc723fa9a6cfd49d525e61945e8e3420749d159f1b6ca7cdc1a41052a1aa756f18201c4cd5b9c6c488a5a93547a64ce571768df81812b95cd3b1e97c47056b7

  • SSDEEP

    49152:vEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfb:LAI5pAdVJn9tbnR1VgBVmcEnW6at

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-07_bf1dee869fb9420e75609ce2d49b2f3b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2e0,0x2dc,0x2e4,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:796
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba3629758,0x7ffba3629768,0x7ffba3629778
        3⤵
        PID:4656
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:2
        3⤵
        PID:5096
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:4872
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:3884
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
        3⤵
        PID:1772
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
        3⤵
        PID:2248
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:1
        3⤵
        PID:2748
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:3672
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:3400
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4784 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:1496
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:4112
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:8
        3⤵
        PID:2008
      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        PID:4560
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7821b7688,0x7ff7821b7698,0x7ff7821b76a8
          4⤵
          PID:5452
        • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          PID:5504
          • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7821b7688,0x7ff7821b7698,0x7ff7821b76a8
            5⤵
            PID:5536
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=956 --field-trial-handle=1732,i,17578526530994966991,16607945560624501360,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5196
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:948
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4876
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:4520
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4104
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2420
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1544
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3984
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:3608
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1872
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:556
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:4060
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:2628
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4408
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:4344
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:1044
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:2912
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:3900
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:5144
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5276
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:5368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5648
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5868
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5984
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:5128
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5796
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
      2⤵
      • Modifies data under HKEY_USERS
      PID:5968

Network

MITRE ATT&CK Enterprise v15

Downloads

                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                        Filesize

                                        2.1MB

                                        MD5

                                        5c8b0e37c55a9d4d916930aedac25b01

                                        SHA1

                                        e65ac733a862bf175e79044b477710baf11ebd2a

                                        SHA256

                                        216b7e0fa665a7473e9a4447ad7c0b96f6e072a41ec5d30b1a1badab10732c56

                                        SHA512

                                        04ae7afe3daa84d8487a17e02e70cf4dd3d86de1baed6af698d3984d8103aa4ac2170d0843eb49d2968d420adf01d8d2ec9e984f365aedd972e8fd75bc8eed53

                                      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                        Filesize

                                        781KB

                                        MD5

                                        f248ed9594dcdf079d745ebcdf1ec4f5

                                        SHA1

                                        10eee739c2d5d251d3c6fa74c65fe1905080a09e

                                        SHA256

                                        8051682fd7ca0d5c0e243fdb4a3256a1d3094a983b4f6c28c5d86a47ebe26287

                                        SHA512

                                        5911ab026bbd1fd7e28af13c6dbf947934db27b636dfbdf196021eca072b4852095234554a7d8a04d96f198c9f89f865f3c826e16c22198aa263d6755bb3ead7

                                      • C:\Program Files\7-Zip\7z.exe

                                        Filesize

                                        1.1MB

                                        MD5

                                        42f39a5029974af53155dd6297a10b5a

                                        SHA1

                                        03b546da8c9699af2e23a0e540e82c1a004b1745

                                        SHA256

                                        45607adfcb8b48a1f8536bc41d3230c0d422ff5e77fdcf95d89587ad6ad0ac67

                                        SHA512

                                        9c245f18384d4db8a787c20dc1a31083423347e1053a4b94e71f59f60d9924378f5b2ee015facf615ad1e661944923ab9835b974ae0112fdce60fb0caa8d5230

                                      • C:\Program Files\7-Zip\7zFM.exe

                                        Filesize

                                        1.5MB

                                        MD5

                                        86e6e494ab3a76df0957bd1d2dd513c2

                                        SHA1

                                        b180f21795200b4175018bc3744a42f92925d68b

                                        SHA256

                                        cb573ac66ddc8dddb6177e76db6332fbe69bdcffcfcbe7e000c3c6cb4c6695c7

                                        SHA512

                                        ebba93a847633e801284035d2ee77d979e83b973eb1da5235da32f338609d33319c4097efce843bad35fb08f8196bb788534e425a87baa22ef950441e2ad747f

                                      • C:\Program Files\7-Zip\7zG.exe

                                        Filesize

                                        1.2MB

                                        MD5

                                        d64b48e82a78f7ca1fee9821621fe79f

                                        SHA1

                                        44ed07374dc5e8c51b5dc63945d9cacaa76d825a

                                        SHA256

                                        2d4579403b419a1337b79e5b8e92160a975172344283baea0d3c30e1ed21edf0

                                        SHA512

                                        354acddb3fc66d26ccf2f9826b0777f99abddffcd89e6e6f3c1710924791f5ef96e8b8d275d7b7338d527e188086803a775e38124e3b640b345e90d13559524b

                                      • C:\Program Files\7-Zip\Uninstall.exe

                                        Filesize

                                        582KB

                                        MD5

                                        3c8eb6c15bb879d168fcf88339260775

                                        SHA1

                                        419c9a399f3e4b6c6d05c5a87c261f31885cf8ef

                                        SHA256

                                        f60b61a53fe6d8ee8ee41213c760c5ea81378f67bf7fd1d3ef727477c0d71027

                                        SHA512

                                        42ea2fff09672a3cfe173e9d9ef0190c216c38ab58636ebe5f8ec40ad80abc033fe31e663617083ef783c6de82018a5ea444d429b4a9d339a3e404273b0d41e8

                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                        Filesize

                                        840KB

                                        MD5

                                        74cf5943f2f54f055dd022adca407e41

                                        SHA1

                                        991e62eb0271efbc6d6753e4978533014b4262d9

                                        SHA256

                                        acd4a6fe367a0d1493465f95ff4e6b1f3e9b91bb36baed6d72cf971fbd02fafb

                                        SHA512

                                        4b859ef1c6c6c566adf6959b992d0c456cb823179d370ccff8233819941275486ad89d0e92a7134a53305ff536df22537daacde77f8d11811153b28d8ce05a1b

                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                        Filesize

                                        4.6MB

                                        MD5

                                        325843e0126e3cae074ac52dcd2fa272

                                        SHA1

                                        1d84b7ea32fe0c4e9c79210c72c94acfd84cb530

                                        SHA256

                                        89d72404d3fb827299c0b6f631444ca840d370478a28a734edaffd168af80f1e

                                        SHA512

                                        0a2062c1ca77a61eda6dda1f57ab1a8d0f069222ed59704dbfc2f7f91a42eae1d83a69fc46a144c6d448b78ab2f705db374017711fcfc8ff5476bae4c841ca84

                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                        Filesize

                                        910KB

                                        MD5

                                        25038a3b6f49b2be50e0c985348b0e1c

                                        SHA1

                                        447b542830e611a7f593dea0b4f4a84fb686823b

                                        SHA256

                                        7bc108ecab1e6c7fb8c9049958f8608ea6dc47ceaea54eb6c80b6cf430cde9d2

                                        SHA512

                                        3977282d116fe3d779b8fd0b06023ea8d4973637d8afa5423f7ca7dcb9da037b68a5c9734843d697cb687166eba08fd91a25efeb07f64db9af1af6a4e4f24508

                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                                        Filesize: 24.0MB
                                        MD5: 327c073abf2fb18b4a90e75226b7cc1a
                                        SHA1: 05ae2a8b24336c0508b7a3a075e869c9420d7a9a
                                        SHA256: 4e24b1c572feb9361430847233d543da381bcbaf9d43d15d75bd74aed9900f3b
                                        SHA512: 77cda1519aa663e27429363f31a79d704ebf26945ad1ea28c7adae735f9d0e8eae4e7fdeb6162d1f90f1481385314a00f389b44ba027c6bff4719975abf7c665

                                      • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                                        Filesize: 2.7MB
                                        MD5: e4d79f727f2e2287d3f1e54daa5c97f9
                                        SHA1: 56a29c2c17df8414bda7ca7fd6c2ec510e6371cd
                                        SHA256: d86c0c970629cff52ef617b5c63fe6b503bc179f30e7808158e748fee9d85927
                                        SHA512: a4e321d28b4efb1be6bb2a5c0d404174b33eecc28dd2013ea583ca93ca390b71541db753eac8176f2fc18fb99b40eed7d94d8f8f01effd24dffc80f49ae9d749

                                      • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                                        Filesize: 1.1MB
                                        MD5: d92695843b950ebebad858cb427e5abe
                                        SHA1: a32776340c68384f098342382e9d9f6da031a195
                                        SHA256: e25737c266a391fb082891567152ca86b19469336a2fb1293d1c087606b28f4e
                                        SHA512: 09dbdd1bb68283ed7d690d71be3b6a2b20bbdbe0bcd261a0543e1b40a5681f1487fef9993d81fa27ae9b1039077a320f5c5ea4c3e18278aa920a3eb14b0333e1

                                      • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
                                        Filesize: 805KB
                                        MD5: 9c0557c9b2dfac168617a69f6aa966c4
                                        SHA1: 05931e6db7bf123fe0436555e6fc223e3993d4b0
                                        SHA256: f950d50936739a3f3b242e8cbe5fbba11c5c21a3180262a3b16bc35b855b3ba7
                                        SHA512: 6c907a348c3611a5555cb012444cccc15dd0cad607d454e415681c17fc1de287511b9994b64223c9e899f256a04b3db7d111b37e8987a75e5c059a0ee3c3e8b7

                                      • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                                        Filesize: 656KB
                                        MD5: 9dc3414faac6280f5c133eb1be832a2c
                                        SHA1: 7e0e402f61fe76314f616dba9b470adfc47b648f
                                        SHA256: 0f532f65f131c3e567bf85b7f6b83a3921708cec6cfc286a9c259b3667bc0763
                                        SHA512: 42acc3eb7e3868112286f03ec0cba74b1cd3161a7a6567502beb384cd37073fb3e952a285297017ee70ddd5cfdfd6f509d3881690c1e9206106a3ab220f4d82b

                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
                                        Filesize: 4.8MB
                                        MD5: d9f836bcf3696987d21c35413f738274
                                        SHA1: add511d0e2b73582906c2ea243b7e6036bb3eaba
                                        SHA256: 2b38a5afccf17e9da5b7f6f9074a82e1533d77dac00b65c31b90073930e458b5
                                        SHA512: d37a2212d1f7a94656d526eca5d3f1f33bcd21bbaa7504ebc50bca50960b04ad0d9f385b41df09ab78d0b2aea9ee751846f077dde4ff80fa2ac24ab8813c16b1

                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
                                        Filesize: 2.2MB
                                        MD5: 0b72327bd8d05e9dfe8f2332fad3d522
                                        SHA1: 51b1661eae048b528d7b55f98bf76a3c7b79ae75
                                        SHA256: 791766abc26431d5fa6528ecbee92fce7d43ac0a53c7c418bbdc18f06faabd4a
                                        SHA512: b2823db4adae83f2164d4361073ca5cfa7f34ce6ae3a64ed6248638725ec84b52c4cf979039223613bb61079ce371ddabfa5a0a156e7c2050e9a7cbea1454523

                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                        Filesize: 2.1MB
                                        MD5: 9ce8e578014c87e4fcf1f008bb1b0fda
                                        SHA1: 0457c5a7d0235cb7a43102c6478c5e6cef812201
                                        SHA256: a8fce78fb907f6070ee133e15a0ca6eaa7f329ae35e7d00422412245c1305d0c
                                        SHA512: 11c91487e29a738fcf92bfff122c2a578b85d80073519449bcb09462a56872d18ed278f3bfb337affddd72fa56be8c9cdad841f8b7e1125bb5d8953bc247f299

                                      • C:\Program Files\Google\Chrome\Application\SetupMetrics\980b4edc-1e42-4d6c-bddf-2fbc2dc45499.tmp
                                        Filesize: 488B
                                        MD5: 6d971ce11af4a6a93a4311841da1a178
                                        SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
                                        SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
                                        SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                                      • C:\Program Files\Windows Media Player\wmpnetwk.exe
                                        Filesize: 1.5MB
                                        MD5: f4329d28354f519f70167598f20caf31
                                        SHA1: 683dc078156c3d86b0524afdb7cd0fdc2ea1c997
                                        SHA256: b401b133609a97271c975077560ffafc7eed57003a49c443ce424d6171517a07
                                        SHA512: a4238208e7ff44093f9b3ef87760b57bedf3f59db867ac89196f22c4c35d9823471da78f36fc8282023dca012d8b1472c9de8dc81a8ef737ac3c450240534156

                                      • C:\Program Files\dotnet\dotnet.exe
                                        Filesize: 696KB
                                        MD5: 8b9628da3c9fa0b80bf14d1e5bfd5425
                                        SHA1: f6c44d52ce5b3efb8d857ddaf067a9e00a87b4e2
                                        SHA256: e15b6c0cc413c3d9e75accf7e305eef7a31b513c9e7a554a0c1307ef2e415b65
                                        SHA512: 8d56137e80fd8641ca810db22be6b68478692e98d713348b1f11a5058f18d73682bf94cbb0bb3344c5d3181f8445915727c99d3c2e467c3f3b8f41b6ed74e1ca

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                        Filesize: 40B
                                        MD5: 99cc49358cfa3628888247c84b312722
                                        SHA1: 72df90d4341e204b5d695a65f8f0575d75d6d342
                                        SHA256: 570055b300595d9bee19cd486aec73f2e432043cc1a510b5075bc55da6b32757
                                        SHA512: 1b3f0129c396f2e582b6e1316e622f9faf71776e5878c95e71a961e4851f9aa90b651f0e3c3d406602c79f377776df5c8353578f44673359088ba16998fd614d

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
                                        Filesize: 193KB
                                        MD5: ef36a84ad2bc23f79d171c604b56de29
                                        SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
                                        SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
                                        SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                        Filesize: 1KB
                                        MD5: 584fec8ba309fc50b9e653e1d30d30fb
                                        SHA1: 20290c3b9f5c7112c4919f728e18affc220a138b
                                        SHA256: edf0022640f95d89ab22621d1124eea0292395536b40dae899a0759018ed2240
                                        SHA512: 750cf50a1e702bb16a437b39121e419475db7cae6e0d11ee073e1412928e4ef7ab9e8e799fe564d316036ff0dda57d2d59e283955e4be7c2ef3d25dedc2905e5

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                        Filesize: 371B
                                        MD5: 23032e6d5ff19285d2c9b29580789cb7
                                        SHA1: 8f74abaa52eacb674b327be83f64f5bff60ad603
                                        SHA256: 7ad25cb4f98aea36a99411b1e4415cf6e8ad5a6147a499666e602b67f8d8b7f0
                                        SHA512: 44b5726f5a410be02cfe35cf01e02b52f4497a5c28f07a1ec8a63327a1c16964405dfced2f42cba17ece0ae1eac58e90533f01fddc5ae0ec6b43850d13cb048d

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                        Filesize: 5KB
                                        MD5: 219848934c7bc5d5c2dd693c05f45ee1
                                        SHA1: 83d4c1dc2a568f898bb0f1a4d1355846b15b47bd
                                        SHA256: 3aa3f7f7751450254bf58b2606348aaf63705847da8b01c3b818fa0587102c45
                                        SHA512: 6093671348411630139ca3de0c67eecbaa1e86d403becc23cb7bb4fa4b2c82b2cb3fe0640b3b4b42d5eec8bc7175de2a851c0107c809699b99a8a1b64654c818

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                        Filesize: 4KB
                                        MD5: 389bd40470f961d69adc704eb6dfc783
                                        SHA1: a7f3504cc61a49d0e3055551280eec7f8585c802
                                        SHA256: 98fe2ca00d44c10d0e9dc12beb4cbb8ae88b3639460af17c79bec4d543d66b94
                                        SHA512: 3c09b868daf1e05bd9abf5ebdbf6f9a8373595b3b16add7332c3cbae6d693f457d570ca6c29d36fb9d2792411af1fb747d3bff4a43cdd96ea69dbf2877802cfc

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                        Filesize: 4KB
                                        MD5: 8315e9745444bf4842c6264b29147817
                                        SHA1: 366b5bd1e67d986c54cc40257cdf26a4681ec401
                                        SHA256: 9254c8bd49d70174885270fed159fc69103b4a4b7b50401e9fa425c2113b4620
                                        SHA512: 4042eacba7fff35d8b1a49f5e01e6726c570abb1069c7c8f287447eb7c6c7230a82a79c7e9a84546dbb6d89ecb5b60c9eab795e68e6aa5c52b7d82bd44d29b1e

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57753f.TMP
                                        Filesize: 2KB
                                        MD5: 9789813c7b351abcd4b4cc4821874f82
                                        SHA1: 3c3839cb1e6fcbd66f3c6dfc092f3aa49c057c03
                                        SHA256: 899961eb96b3c34c8a0b0bed8f6e6d81c5979592af5cc0144590b71e394bf7b2
                                        SHA512: 9c8dce395a863812d3b050b5068e97301309e46ae0c69f6ee0f8539f3dd453d269bfe4865d4afc6a8518e4b85ac49f8901fc937ca19da27a1e5bd178e3774a76

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                        Filesize: 15KB
                                        MD5: 4194d6ab4034ad5a68eae2941b179828
                                        SHA1: 61d9260bb4511ca1bb5d9d3026487da671870e6d
                                        SHA256: 3bd5dd4c9f3ebcb9899977c29e593fa134b8c92c525784202d4df6a3231fcd63
                                        SHA512: f800e7a056a928ba3c5664f930309a259f5b3fe7aacd830d7c0482c7655eca9a9fc0517bd471e237447834c2542492ab87e0fb82e8c43760a09345235faa9e01

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                        Filesize: 260KB
                                        MD5: cb492611da93ae9f392f6f7ed42bb3fc
                                        SHA1: bdfb6c438d8876b59dd22471ce534d178fa3eb86
                                        SHA256: aead10e836c78f55dd0ad7eb3e766098a48a135ee9932ec2222d82e2c45bcc6e
                                        SHA512: 5df400ec36b17a12cf4e8bd241cc4c7dde64f1e593c658cf477fe142c123fc9c06a82c72372ecd13ad8171e21cd27ee246c738e65892f55d9dd4ab03ee34098a

                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
                                        Filesize: 2B
                                        MD5: 99914b932bd37a50b983c5e7c90ae93b
                                        SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
                                        SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
                                        SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                      • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
                                        Filesize: 7KB
                                        MD5: da6e21f45e3f2c8f273e1e4ea4edc817
                                        SHA1: 0578ff7701701ff4f690b59067d173fa2ae5873e
                                        SHA256: 6f75d1555172d616b34f94e0711e3249114c3f088570a19e981c7301b79265e4
                                        SHA512: 3cea070981126d06518955739cec546dbd85e7597ba55ac20b604d10e25273ab55433cba31585bd0e8f8e2c972bbf36ad395d099c7f0a7a23590288f1fe58ac4

                                      • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
                                        Filesize: 8KB
                                        MD5: 4f77bbc6975075394a9d8a42ad713c5b
                                        SHA1: 3862b4f4d42aec8d2c2261e39a7a74f3437154e8
                                        SHA256: 30b5facb44a6bc3c388f20fbf1b0ce8e3a3db5a5eff84cf59ff0d44723e23183
                                        SHA512: 6105f066b02494dc71cadda34d9d796565288825e4d2ec9b493cd09a838821656c4fb606815fd791a87fd487b6edaa7f6e2f468c10bdc2c6e3bfb5a7e2ab6310

                                      • C:\Users\Admin\AppData\Roaming\8ecaba9212d07ad8.bin
                                        Filesize: 12KB
                                        MD5: 692611ee9f5fa6ff4025ab76ecfad47f
                                        SHA1: 2a35a6dde3a5c2f6c6e59dea96503d10346c51f5
                                        SHA256: 5bd2f7f14bb15a758bcc0e03be1772acf3bd28e082208006c6da7877c1e9be15
                                        SHA512: d7e37bf8074ad897595bbbbac770858f744d6726ac7831e60f94671d3396dfb407137f306487cd37d0d88b8cc35461ffdb57310410f5c6b386681dae7ecedb38

                                      • C:\Windows\SysWOW64\perfhost.exe
                                        Filesize: 588KB
                                        MD5: 1a1816feff673e0dd478ec569951178b
                                        SHA1: 493de1066ec36263fdd1e3ef77a3c483fb7c5f96
                                        SHA256: f22559e2d5b91fc08af27804e15f78b644552dd1f63f9b3091904f79229cb482
                                        SHA512: edadf28026fd7da51c2a6b50d818d9659b86463637c714c5c5ff11db29e8e97f82fdfbe56052c9802c30bf063fdb97717fe3caecc6b36d24607d33ee7aaa25ce

                                      • C:\Windows\System32\AgentService.exe
                                        Filesize: 1.7MB
                                        MD5: a0da5c9e078288fb39bed0b0fe76d8c3
                                        SHA1: 15fb1694d3fb444b378e0b7e9d653df9b3113c2a
                                        SHA256: 8301197a7f290c189a8f79c39217a14b7ebda15be82ff5cf259cfc3fb2384374
                                        SHA512: bb763ae909b2f168a270e82f64479a654d537427a75919f35ac28b0b86325890803aa19356f8175c31cba3949206e23b074a91d7900cc984d0e4639c35e4bf44

                                      • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                                        Filesize: 659KB
                                        MD5: 1000bf31cea15585a96478f5b0e8ddd3
                                        SHA1: 67cefddc34d4e4c0e7c9ad6e74fa4e25af9ee2fa
                                        SHA256: 7a4c25dab510222486c351d686a28b7142ef909f96e8bb5d6f03ea70f4defa37
                                        SHA512: c2ecb2602f4c683ceabde44e700cc14af40ca8225ca80f17af859bbc133c52ee42fcc5e771d101517cd0bf09165bc8cfb9e8f6f127ad19e5cb04ae1fb309bf31

                                      • C:\Windows\System32\FXSSVC.exe
                                        Filesize: 1.2MB
                                        MD5: 58e6692ce6821555052ecade576d9ed1
                                        SHA1: 1fc05dddab4bef91ade904b868b5559bee86f60f
                                        SHA256: 66ee5580f4fa17e9b88cb79fb13a4491c5fa2e091b751ef3d13d605957a9b51c
                                        SHA512: 5baebb7e925742df9d401c81c546d3f5b73674332097c783de5c4a10215f82fe867978e037a3bc79e9431c0fdefe80e47f220ef3275a708754297f5ae9c19dc5

                                      • C:\Windows\System32\Locator.exe
                                        Filesize: 578KB
                                        MD5: 949ea057e36e4a7dad3f2c658e79582c
                                        SHA1: 89a7fb975f830e160b1545346d2aaf009d211980
                                        SHA256: 8f84695456135f5f0ec5b2a6e4e8611b0a9d6ff4af69bccb153ebed604dd2713
                                        SHA512: f7a4cc25938e0d984b0cd45e4f016c916135d0219e4dfa7382725116b92460a1cb450c884f70ff20876e66c2ad9766623769bded0d63a8c88e4e42f33116a6ea

                                      • C:\Windows\System32\OpenSSH\ssh-agent.exe
                                        Filesize: 940KB
                                        MD5: ec855f66842c14818e169584c401179b
                                        SHA1: 6bd3305b015f861bc24457fe25b3af92dfcd5a02
                                        SHA256: 406f7f03ecb63ea781ad1cc524dc16ff9587938db3426fc0fce3954e1bfff4a4
                                        SHA512: 29ab8fa58eb963bd93c9688e55028eca233b6219cf616216433718bd541eb736fb9d75378f9d9520905700b0b6716517f333389b7c53ab0fce5b9b670641c966

                                      • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                                        Filesize: 671KB
                                        MD5: 01a7237888df8103f19427bdf4f9eac3
                                        SHA1: 9394d1a9d2ffcc94cd01ae83f65efcce902c9852
                                        SHA256: 2eae546fd01fa27c9a50c950cc12915432814083f7cac253c4ee4a6149f5603d
                                        SHA512: 7548ec8e5574f6cbfd9d03b4a3b3b5e9ba2ff84a81eada33037239f46c2642dd3bbe1c727e50ced19799b9cd6fad09c2ba5989dec34192509f335e83ddc8a94f

                                      • C:\Windows\System32\SearchIndexer.exe
                                        Filesize: 1.4MB
                                        MD5: bc610c3571a963635f42addbe4d36c90
                                        SHA1: 5bf00034726192b6f153660cfd267df1e5587011
                                        SHA256: 5a3d50758f444f12ca7e8e346a2786412b08d611e98665f5dcd5a97bb28ca90d
                                        SHA512: ce7f81877a34c6c1fc0bc2f658c27e4b0b94f09011e2d4521123d433fbfba9951e45f4da4ac57dec18d5534a7949b7c34ccfec1242553d7fe49c67742a998a0b

                                      • C:\Windows\System32\SensorDataService.exe
                                        Filesize: 1.8MB
                                        MD5: 2075558869066d4a8959783df4dc4352
                                        SHA1: 1076498d5e9abf048fb3b66ccf4c60b5a0d6f157
                                        SHA256: ad396fd775056453def4767fd5db8097e4230681286df110643e32289355a99d
                                        SHA512: df6c96e706948e8e3adf711afed941dc1569b5095374ae9eee4914a5eb69e28816e94e0b5e3da8a3db1facf1f421a9329f8c7428644bb8a5c4933ab2a75c2b5f

                                      • C:\Windows\System32\Spectrum.exe
                                        Filesize: 1.4MB
                                        MD5: cd4265bac7c3bf8bfba468c226a744ff
                                        SHA1: 7fecda0ea69002c96fa434a6f99e8f4d12513e10
                                        SHA256: 0febf3c8922111df031892948b87eba9a1d86def6eba46190c027cf43d284fca
                                        SHA512: d960ea9c299f166b61ec84a9fa799bfdab3048ed2e138e4c41097d080bad6cd27fbba956c640b73cda70bae0f86d3994e7bb72ce2567c1101fc7098c9ea8df73

                                      • C:\Windows\System32\TieringEngineService.exe
                                        Filesize: 885KB
                                        MD5: 384b0b47e3c5cb5500dd297f087facc1
                                        SHA1: 1a7d073afbcf764e7cbc3e7b3380bea2b1fafc1e
                                        SHA256: 8f74377f5a477bdb423a83adb25692e7bb7a2a0efcf9368f50016be2068da4d2
                                        SHA512: 93d07c86b9d51b1bc348acd10c524435346f66216337c7d5dd759ab8ffea87973f04e3e03eb3be485d888c881abf668f8b629ecb0233504c439db4af91c0db75

                                      • C:\Windows\System32\VSSVC.exe
                                        Filesize: 2.0MB
                                        MD5: 11b566ad9caa9cf88c763ecf89585dfb
                                        SHA1: 0d8705ac0f1361243bad99edd54037106df3b391
                                        SHA256: 31deeddd26327e93b8fd32904684e27cbdb996269b863792a752747ea0bb2b2b
                                        SHA512: 470b31a606965c2d688e13bbaa5559154ee5d401c8666ea283f52f434544d0764c5d8f7c2b5a3146a003ab7df6a873c01e73c1dc707e2652bfa0887f77091fd3

                                      • C:\Windows\System32\alg.exe
                                        Filesize: 661KB
                                        MD5: ab926501235361b6f069552c9f366c01
                                        SHA1: b1cb6c2dcd29d892ded814f0c49e835eacc27464
                                        SHA256: 6c5dda75bd71387c746be6222dd06959054cc6d145b375d68be89106d28e5424
                                        SHA512: c8e37528fd831fa5ac98037caf90a046a53ae249e29ed80cc8a21bd1f9ff1a10decc0eef5ad707e3e883683e7c4bc6be42a5e5cded47f1ddac6e0ca58e467044

                                      • C:\Windows\System32\msdtc.exe
                                        Filesize: 712KB
                                        MD5: e7f2c6e4bfa9077a09e71ee339071f56
                                        SHA1: c0d12ee0e7d485e891c97db459194961e57a082e
                                        SHA256: 956eb8b90cfb5d3b92e9f256e24a4791c9a19ae683b27067fc4af8be395087b5
                                        SHA512: 807a47f6a953e0e187109ef9222e777d1895815ac139c9eeb32fb62e1b6acb8fa021f1e42e2d67963f00d811672d9123b4f9b1950639cb6296eb0e14c8e836e5

                                      • C:\Windows\System32\snmptrap.exe
                                        Filesize: 584KB
                                        MD5: cb687b0e6a515f52ae677e9cf5b8c444
                                        SHA1: fbad7090f6bc74d2a7b3f2f75877b3d703a58d2a
                                        SHA256: a1f6523d8da1ed912847f52e941fa5d3ab8b4d15d276da8025f2af83db310d90
                                        SHA512: 4d4912e03c36d0046d5471448c4c5a1af31f57b60804c433bd5c41e2247f5e7edd16072513028930a30d2a72a946911fc2103efea0d4d96ff838d07fe536cfed

                                      • C:\Windows\System32\vds.exe
                                        Filesize: 1.3MB
                                        MD5: b740b69ecab43de9637fb1cf599f4595
                                        SHA1: 2f67106523102b9a6194fe12be10e24c824cef36
                                        SHA256: 93c94d1bce95eef4d67336c700f1743f6ec67b7352b3bf518c27bc8bf6b0f3bb
                                        SHA512: 0e1a3bd01b53acde267ad4e7b31f9bf48fd2fc362ddb668b921e5491baa385fc9958d0b8ac940ea36b3826bfc67b644a254c57374a5e097114381a4c88dc0988

                                      • C:\Windows\System32\wbem\WmiApSrv.exe
                                        Filesize: 772KB
                                        MD5: 0902ece5f3e7d12ace86806ff8478492
                                        SHA1: 33371a6c1ff2b7ed354eecefc95fbc89b296fc06
                                        SHA256: f2035ed089951e5c76e775a90d3f13fb6d9a452aa5c58c364b689690658ff3c1
                                        SHA512: 35a758e8fc980e46503bdfdf2c5ffdded08fad60f9edb30f04e13aed018f651c3e8aebbd6215a1aaf2cf621d8e6e6c18299c0beecc67cf2b85c67985733de3d5

                                      • C:\Windows\System32\wbengine.exe
                                        Filesize: 2.1MB
                                        MD5: 43329761c19dac3daa8b1caff0254f0e
                                        SHA1: 06d24143744a6e92f12084cd445a9c409125fcbb
                                        SHA256: da1343c54507f4132bf2a7a1b7fd84cc638c63e0ffc683533b53ce685cf3d38c
                                        SHA512: 9be8134c130b43f2875faef2226c163e16588c64b0374f960083cf206eca6d48ee0d0f1a94eb8d7e43fbd1005777e290cd8c4425719f0c4d089b458c597301d1

                                      • C:\Windows\TEMP\Crashpad\settings.dat
                                        Filesize: 40B
                                        MD5: a57e00e7b64144dba402c6db0f7ad149
                                        SHA1: 51a33fa8f038784838ba3a6c0fd16cfccf49de55
                                        SHA256: 26345f4eaae9348eb9da6a4c6101dc723a2cd58c0f15d93f5c1ee628b6957fd2
                                        SHA512: a9d626fbae4b1da4d41e75520ebb2eee98cd2a4b9dfdf5f264e574b61f1acbf34c0bca6b1d3e1212ce37c8935a50817c47539b03030e1665a7dcc3a18dffa739

                                      • C:\Windows\system32\AppVClient.exe

                                        Filesize

                                        1.3MB

                                        MD5

                                        d6fa0e89590e09711fe190213cb5362c

                                        SHA1

                                        ea99a3b9f1e0f4a0a4ff30864b619424e214d72a

                                        SHA256

                                        6f647f3e2cbec40208c184445e60894c098702d14050c18e491377ae14162750

                                        SHA512

                                        c33febf6d263b307bf0e288ea11b3e85e0211079c40462a690d140f4a2babf7e0f0ed19b6b631b7d7ea7f167e42ad506b4716f57a14fda2e7ee1dd6a1adcf598

                                      • C:\Windows\system32\SgrmBroker.exe

                                        Filesize

                                        877KB

                                        MD5

                                        e74a56f2b86ff2917d3b369b8c42cd64

                                        SHA1

                                        d35812704a918e80e073ab62df2fdfff4bb2e5d9

                                        SHA256

                                        52c8fcba7b00466578020e92cb759b1f927ea24946b2f1c9a8fd9e76a63303ec

                                        SHA512

                                        1eddadd79d9ebd63a8cf5ef582af503677624ac5a191b314c98a9e875370c2cec4477550e549552c0d051cb6effff6278aa645e3fe109b83f2f54fd87a091bdd

                                      • C:\Windows\system32\msiexec.exe

                                        Filesize

                                        635KB

                                        MD5

                                        d5376d475fa57b37b25ed6f4c5613106

                                        SHA1

                                        83b133191bc6d5c11de056137b2ba93d525f349e

                                        SHA256

                                        55d7d8f042656b7d7795ec314b7c69148614c8fff5a8ec2e14dbe6b8927f3f0a

                                        SHA512

                                        750985362eb546d8a1cc9158aeed92684882d7f15d5cd404452448634f09e240c1594b0fa8d191fb69faed114767f8b56ae68e07dd5ae9677eeb30e0e605f0b6

                                      • C:\odt\office2016setup.exe

                                        Filesize

                                        5.6MB

                                        MD5

                                        a6d2fdf61a421e099c6577a1f3e6b0ef

                                        SHA1

                                        dbccdd095caf6965a5509bc2929c3256f486827c

                                        SHA256

                                        b58b0ccd98230dc4bcb0667c70d4376887fc1f6edb342634653f24a3918e3ed7

                                        SHA512

                                        12128044f47e1b6c2a243bbe3072ad0169ac749b641d071a2e2624ea4f21bb6379c0f26bc10c4e21be00f06e87c63a4cff98942053f00b438e97bc1d160c4002

                                      • \??\pipe\crashpad_4548_BPFCVMOWKUVCOQVE

                                        MD5

                                        d41d8cd98f00b204e9800998ecf8427e

                                        SHA1

                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                        SHA256

                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                        SHA512

                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                      • memory/556-177-0x00000000007A0000-0x0000000000800000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/556-239-0x0000000140000000-0x00000001400AB000-memory.dmp

                                        Filesize

                                        684KB

                                      • memory/556-168-0x0000000140000000-0x00000001400AB000-memory.dmp

                                        Filesize

                                        684KB

                                      • memory/796-93-0x0000000140000000-0x0000000140592000-memory.dmp

                                        Filesize

                                        5.6MB

                                      • memory/796-12-0x0000000140000000-0x0000000140592000-memory.dmp

                                        Filesize

                                        5.6MB

                                      • memory/796-24-0x0000000000820000-0x0000000000880000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/796-11-0x0000000000820000-0x0000000000880000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/948-28-0x0000000000520000-0x0000000000580000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/948-108-0x0000000140000000-0x00000001400AA000-memory.dmp

                                        Filesize

                                        680KB

                                      • memory/948-15-0x0000000140000000-0x00000001400AA000-memory.dmp

                                        Filesize

                                        680KB

                                      • memory/948-16-0x0000000000520000-0x0000000000580000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/1044-330-0x0000000140000000-0x0000000140169000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/1044-248-0x0000000000750000-0x00000000007B0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/1044-242-0x0000000140000000-0x0000000140169000-memory.dmp

                                        Filesize

                                        1.4MB

                                      • memory/1544-106-0x00000000001A0000-0x0000000000200000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/1544-97-0x00000000001A0000-0x0000000000200000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/1544-180-0x0000000140000000-0x000000014022B000-memory.dmp

                                        Filesize

                                        2.2MB

                                      • memory/1544-98-0x0000000140000000-0x000000014022B000-memory.dmp

                                        Filesize

                                        2.2MB

                                      • memory/1872-221-0x0000000140000000-0x00000001400CF000-memory.dmp

                                        Filesize

                                        828KB

                                      • memory/1872-161-0x0000000000810000-0x0000000000870000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/1872-152-0x0000000140000000-0x00000001400CF000-memory.dmp

                                        Filesize

                                        828KB

                                      • memory/2420-104-0x0000000000510000-0x0000000000570000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/2420-109-0x0000000140000000-0x0000000140237000-memory.dmp

                                        Filesize

                                        2.2MB

                                      • memory/2420-71-0x0000000140000000-0x0000000140237000-memory.dmp

                                        Filesize

                                        2.2MB

                                      • memory/2420-86-0x0000000000510000-0x0000000000570000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/2420-70-0x0000000000510000-0x0000000000570000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/2628-202-0x0000000000500000-0x0000000000560000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/2628-267-0x0000000140000000-0x0000000140095000-memory.dmp

                                        Filesize

                                        596KB

                                      • memory/2628-194-0x0000000140000000-0x0000000140095000-memory.dmp

                                        Filesize

                                        596KB

                                      • memory/2912-345-0x0000000140000000-0x0000000140102000-memory.dmp

                                        Filesize

                                        1.0MB

                                      • memory/2912-265-0x0000000000510000-0x0000000000570000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/2912-255-0x0000000140000000-0x0000000140102000-memory.dmp

                                        Filesize

                                        1.0MB

                                      • memory/3608-206-0x0000000140000000-0x00000001400B9000-memory.dmp

                                        Filesize

                                        740KB

                                      • memory/3608-136-0x0000000140000000-0x00000001400B9000-memory.dmp

                                        Filesize

                                        740KB

                                      • memory/3608-147-0x0000000000D30000-0x0000000000D90000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/3984-113-0x0000000140000000-0x00000001400CA000-memory.dmp

                                        Filesize

                                        808KB

                                      • memory/3984-129-0x0000000000CE0000-0x0000000000D40000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/3984-128-0x0000000140000000-0x00000001400CA000-memory.dmp

                                        Filesize

                                        808KB

                                      • memory/3984-120-0x0000000000CE0000-0x0000000000D40000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/3984-112-0x0000000000CE0000-0x0000000000D40000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4060-253-0x0000000000400000-0x0000000000497000-memory.dmp

                                        Filesize

                                        604KB

                                      • memory/4060-181-0x0000000000400000-0x0000000000497000-memory.dmp

                                        Filesize

                                        604KB

                                      • memory/4060-263-0x0000000000720000-0x0000000000787000-memory.dmp

                                        Filesize

                                        412KB

                                      • memory/4060-187-0x0000000000720000-0x0000000000787000-memory.dmp

                                        Filesize

                                        412KB

                                      • memory/4104-69-0x0000000140000000-0x0000000140135000-memory.dmp

                                        Filesize

                                        1.2MB

                                      • memory/4104-63-0x0000000000830000-0x0000000000890000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4104-65-0x0000000000830000-0x0000000000890000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4104-57-0x0000000140000000-0x0000000140135000-memory.dmp

                                        Filesize

                                        1.2MB

                                      • memory/4104-56-0x0000000000830000-0x0000000000890000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4124-36-0x0000000140000000-0x0000000140592000-memory.dmp

                                        Filesize

                                        5.6MB

                                      • memory/4124-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4124-32-0x0000000001FE0000-0x0000000002040000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4124-7-0x0000000001FE0000-0x0000000002040000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4124-1-0x0000000140000000-0x0000000140592000-memory.dmp

                                        Filesize

                                        5.6MB

                                      • memory/4344-224-0x0000000140000000-0x0000000140096000-memory.dmp

                                        Filesize

                                        600KB

                                      • memory/4344-310-0x0000000000710000-0x0000000000770000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4344-298-0x0000000140000000-0x0000000140096000-memory.dmp

                                        Filesize

                                        600KB

                                      • memory/4344-230-0x0000000000710000-0x0000000000770000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4408-213-0x00000000006A0000-0x0000000000700000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4408-281-0x0000000140000000-0x00000001401D7000-memory.dmp

                                        Filesize

                                        1.8MB

                                      • memory/4408-289-0x00000000006A0000-0x0000000000700000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4408-207-0x0000000140000000-0x00000001401D7000-memory.dmp

                                        Filesize

                                        1.8MB

                                      • memory/4876-135-0x0000000140000000-0x00000001400A9000-memory.dmp

                                        Filesize

                                        676KB

                                      • memory/4876-50-0x0000000000580000-0x00000000005E0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4876-43-0x0000000000580000-0x00000000005E0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/4876-44-0x0000000140000000-0x00000001400A9000-memory.dmp

                                        Filesize

                                        676KB

                                      • memory/5144-270-0x0000000140000000-0x00000001400E2000-memory.dmp

                                        Filesize

                                        904KB

                                      • memory/5144-276-0x00000000006F0000-0x0000000000750000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5144-359-0x0000000140000000-0x00000001400E2000-memory.dmp

                                        Filesize

                                        904KB

                                      • memory/5144-367-0x00000000006F0000-0x0000000000750000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5276-291-0x0000000000680000-0x00000000006E0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5276-295-0x0000000140000000-0x00000001401C0000-memory.dmp

                                        Filesize

                                        1.8MB

                                      • memory/5276-284-0x0000000140000000-0x00000001401C0000-memory.dmp

                                        Filesize

                                        1.8MB

                                      • memory/5276-296-0x0000000000680000-0x00000000006E0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5368-311-0x0000000000BE0000-0x0000000000C40000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5368-299-0x0000000140000000-0x0000000140147000-memory.dmp

                                        Filesize

                                        1.3MB

                                      • memory/5648-333-0x0000000140000000-0x00000001401FC000-memory.dmp

                                        Filesize

                                        2.0MB

                                      • memory/5648-338-0x0000000000640000-0x00000000006A0000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5868-347-0x0000000140000000-0x0000000140216000-memory.dmp

                                        Filesize

                                        2.1MB

                                      • memory/5868-354-0x0000000000C00000-0x0000000000C60000-memory.dmp

                                        Filesize

                                        384KB

                                      • memory/5984-361-0x0000000140000000-0x00000001400C6000-memory.dmp

                                        Filesize

                                        792KB

                                      • memory/5984-369-0x00000000004F0000-0x0000000000550000-memory.dmp

                                        Filesize

                                        384KB