Analysis

  • max time kernel
    156s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-04-2024 17:56

General

  • Target

    2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe

  • Size

    5.5MB

  • MD5

    bd102a580ca351b70cc7c6ea03a156f3

  • SHA1

    641e34e9330ae76ab3cf4902c86caf758bd950c5

  • SHA256

    b09a12c1dd4053b4d49d33bfb5ba49dcd288193933a5376b515f828cdbb12e85

  • SHA512

    4916ad6ec88e012d597fcbaac9b9d979119924b35e6ac1a99edd3eb23de8ad56287dcedd1e2a852fea00a8b975e656de8041a7e8233af31b23ce3628bb921612

  • SSDEEP

    49152:sEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfZ:aAI5pAdVJn9tbnR1VgBVmJ8t4C7

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4320
    • C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2336
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff2e599758,0x7fff2e599768,0x7fff2e599778
        3⤵
          PID:2796
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:2
          3⤵
            PID:1156
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
            3⤵
              PID:3472
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
              3⤵
                PID:728
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1
                3⤵
                  PID:3400
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1
                  3⤵
                    PID:4044
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1
                    3⤵
                      PID:372
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
                      3⤵
                        PID:2128
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
                        3⤵
                          PID:3956
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
                          3⤵
                            PID:3628
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
                            3⤵
                              PID:3784
                            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                              "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
                              3⤵
                                PID:4492
                                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                                  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a8
                                  4⤵
                                    PID:2464
                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
                                    4⤵
                                      PID:1364
                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a8
                                        5⤵
                                          PID:2808
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8
                                      3⤵
                                        PID:4552
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:2
                                        3⤵
                                        • Suspicious behavior: EnumeratesProcesses
                                        PID:6000
                                  • C:\Windows\System32\alg.exe
                                    C:\Windows\System32\alg.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    PID:2312
                                  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                                    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:4848
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
                                    1⤵
                                      PID:628
                                    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                      1⤵
                                        PID:1132
                                      • C:\Windows\system32\fxssvc.exe
                                        C:\Windows\system32\fxssvc.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4800
                                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        PID:3988
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        PID:4860
                                      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                                        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1132
                                      • C:\Windows\System32\msdtc.exe
                                        C:\Windows\System32\msdtc.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Drops file in Windows directory
                                        PID:388
                                      • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
                                        "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1652
                                      • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                                        C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:236
                                      • C:\Windows\SysWow64\perfhost.exe
                                        C:\Windows\SysWow64\perfhost.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:840
                                      • C:\Windows\system32\locator.exe
                                        C:\Windows\system32\locator.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1320
                                      • C:\Windows\System32\SensorDataService.exe
                                        C:\Windows\System32\SensorDataService.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Checks SCSI registry key(s)
                                        PID:3120
                                      • C:\Windows\System32\snmptrap.exe
                                        C:\Windows\System32\snmptrap.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:5008
                                      • C:\Windows\system32\spectrum.exe
                                        C:\Windows\system32\spectrum.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Checks SCSI registry key(s)
                                        PID:5204
                                      • C:\Windows\System32\OpenSSH\ssh-agent.exe
                                        C:\Windows\System32\OpenSSH\ssh-agent.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:5332
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
                                        1⤵
                                          PID:5392
                                        • C:\Windows\system32\TieringEngineService.exe
                                          C:\Windows\system32\TieringEngineService.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Checks processor information in registry
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5456
                                        • C:\Windows\system32\AgentService.exe
                                          C:\Windows\system32\AgentService.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5596
                                        • C:\Windows\System32\vds.exe
                                          C:\Windows\System32\vds.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:5756
                                        • C:\Windows\system32\vssvc.exe
                                          C:\Windows\system32\vssvc.exe
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5848
                                        • C:\Windows\system32\wbengine.exe
                                          "C:\Windows\system32\wbengine.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5964
                                        • C:\Windows\system32\wbem\WmiApSrv.exe
                                          C:\Windows\system32\wbem\WmiApSrv.exe
                                          1⤵
                                          • Executes dropped EXE
                                          PID:6076
                                        • C:\Windows\system32\SearchIndexer.exe
                                          C:\Windows\system32\SearchIndexer.exe /Embedding
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5168
                                          • C:\Windows\system32\SearchProtocolHost.exe
                                            "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
                                            2⤵
                                            • Modifies data under HKEY_USERS
                                            PID:5340
                                          • C:\Windows\system32\SearchFilterHost.exe
                                            "C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 904
                                            2⤵
                                            • Modifies data under HKEY_USERS
                                            PID:5636

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          fd0bd541eba501fb0d32eb775b929a06

                                          SHA1

                                          cb9332d4a451a8a2fe5fd3f552014649fe4232c1

                                          SHA256

                                          ba3210b5201790d71475051db081fb27e9c63289ceedbc47918e3af7178250ff

                                          SHA512

                                          bf0adb2bd4d0e85bf319216a0a11cb786838c18c59a27cc5dabaebc0cf56a550d6d91d25dcc5b6b2bb8b211d92747e8afcc2d2d42bba5a075aad444adb4f3f00

                                        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          91f2ef5bfbf6835630774bb7743425ef

                                          SHA1

                                          d6cc06e613d6bb0a9cfa377cd2b6cdb59dbac182

                                          SHA256

                                          7c4be35e1c9772b8fa18d6b44160b859a9e0450788c7b13a21e34861a915a812

                                          SHA512

                                          963b2220ca9122ab47f4ca6dca4e5375a9b13be25a3c9a733796e29d3859474ea20cf4474a8accd9aecee01492510c12b94d96f8bfcd3cbe9bfdbe877a7c5990

                                        • C:\Program Files\7-Zip\7z.exe

                                          Filesize

                                          1.7MB

                                          MD5

                                          6b3fa34d5b22c3418c0cd32d704f3e26

                                          SHA1

                                          be75b8df9212eb7ebe81011633d4605cc809f23d

                                          SHA256

                                          724e002c2a984a0c42585bed174464492a2014f010e53f5efcca494a8e7b7b05

                                          SHA512

                                          aa3a50c3633ea9e8ba5cf49a84d9114348be278a984ee6306b6747db7125fa9337ec490342fd33778979d4e69beb3d60c4f4e9d8ba0a97a9c861518646b18374

                                        • C:\Program Files\7-Zip\7zFM.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          2daf149f33f2ba2972fe1f8d039a0df0

                                          SHA1

                                          2c77575ffbdf6a49482d17d63de1df97a93cda11

                                          SHA256

                                          83532591d57f78a95d558d1874b5bcb7eb4f79cc1c6f4a8b57110c6c79150695

                                          SHA512

                                          78d257286b4c365ee316e78d8a231add58e928bec94516e3c817179922b33ab146dd435dcd25aa1ad6454a3f31d7e85713cf422046762bf332b6c02e3e086948

                                        • C:\Program Files\7-Zip\7zG.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          10f5f9a257cfde0017bdde88948ff39b

                                          SHA1

                                          b92dd01b9bca91657355d2828a8798b97f1ae613

                                          SHA256

                                          0e64f8252cbac6e13704ef8824299b8e60c252498b48ac0414a5a9907cf3ed86

                                          SHA512

                                          d7391bfa11a8603cdb05372581c900b07fbe963ba3d581b3b8cfa6d0a696ae45dd6768e3ec8503336963e518ca41c67e8b6f7dee520d4d787ac5e8178141e85c

                                        • C:\Program Files\7-Zip\Uninstall.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          4e8b7995a8e212c53817d87cc372ade1

                                          SHA1

                                          d27617f1fe93ada940d83c40c726abe09837b83c

                                          SHA256

                                          54572db295c6ce84c8c984774ad8d999a778140a458caad5976f6c618980635c

                                          SHA512

                                          794e5e6d3f315aa985f649504f1d006cb6f436edf7d9ea45b3ca258c79e0e4a87584570bdee3af7aa20bda6dbce712e09bc2ea4f990c44fea900730f1e0a4cd1

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          60adfcf92fc545bc8b292270ea2633c6

                                          SHA1

                                          e7515700f08b8d2ae11eda1a536dde0a95ee8133

                                          SHA256

                                          1069a6a5163a05c839246e31bb4fbab1cfaf89355211096a90fe6dba5815c7f3

                                          SHA512

                                          72a08c8f2fdfef9b8a2c55cd7e3043ea9786025f562b67a9f63ca779b2a99c9ccc8d7f2764c49373a763fceb24b6cfa88a402121377297b3c0d209706f1847b7

                                        • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                          Filesize

                                          4.6MB

                                          MD5

                                          3d29f6e5968476aee431d50dda622fab

                                          SHA1

                                          e7286d56d9368584ff5a75f676e4c0f8b617319f

                                          SHA256

                                          baecd021917d6d4c0728db00c707ad13a5bae3eb36bdecd4b46110f1b2d9bff0

                                          SHA512

                                          0fd439f776f7d72623a613e4217d7a00f8ba67a9e384edd25602c215e2cdb6d4e4580239ddf02f090ff15d157fca2e3b7bc15c78abbfc03e9aeffc123ed45c23

• C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
  Filesize: 1.5MB
  MD5: 82e34b87dbe32994edefb43363c53deb
  SHA1: 31e9d9ddaafc847d5c8b6b3903bd9ae3a38e5330
  SHA256: a1fee4e9930dfac1fecd990fb24dcecb39b16a402c2788baa681a5efd6444217
  SHA512: 26a2515d73658a4b3b89c99442b69ece6decbf32c8660b764d181b9d735c2998ee097b25d01507520238b10c38747cd7faa8d54502155d969ce98aedfd1ea06d

• C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  Filesize: 24.0MB
  MD5: 194b83c33121f907cc36a9d000a8bed2
  SHA1: 3e450315c0445240de5fb02462778f61315f8065
  SHA256: 7471a167e04a3f16ab28507c7b2f2e05b2266ee23d23514340d403d884377159
  SHA512: 701ccada604e869dca8b1392cf0c9e5b6a309201ecbcad8d1b12359de0d0347214e7ff645a55689ceb9cac4dbbf413e789043082a75fc82ee0856e3aeeb807d4

• C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
  Filesize: 2.7MB
  MD5: 2fea14b1b0a28807e6e2838a76fc42e0
  SHA1: 5119a191833e717b0b93610e13703dc32b357414
  SHA256: 5312f4c208199ca5cdea8decb50ecfe9a627a940419f94bc32fcdf0b1ce56548
  SHA512: 75940dc82e9f976211df90a17a877ec5222961e3cd748bd569ee3565a7a76435064ca331f621bfe237809c42cbc70784a7f3580bf32690b37e822522c374d476

• C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  Filesize: 1.1MB
  MD5: 1b77cf4c0597eeb9c03ab7d0d3275f76
  SHA1: babfc88e1b0fe7a2d25b043629f43333e76979e7
  SHA256: 347fac8aa73b9c4bfbf997cb8a819a8e649df07450a2a6010be11a1e41c98c0d
  SHA512: 27b0b6c326764317cc9f8c0791b4b83c5db6af71d79a748df7926412e55a6c31698bd37ba1f62c1b106bc1de25d5066354611a5621054463ef4c22e80d0dc52c

• C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  Filesize: 1.4MB
  MD5: 3b85682be2f8720d48bed76e1d5feb22
  SHA1: 6d76817f71dc218dd053720fa737db9efacf395e
  SHA256: 2ac57c94f5a9d090d49472ec731b2cd264c3bd4c01dabe91709b388497e27410
  SHA512: 3519385a47501fe03987d744bd758e415a998a4f1dfca86d10e6eb7268f787e301d3a6f16819635cfbe62a4a4da408d8d0c1994ad16a7f8a695d5459526ebf23

• C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  Filesize: 1.3MB
  MD5: 5b65264d0675507a4bf51eb202e03995
  SHA1: 1af5bd66be2865436f5b0e9bd0c02c29c1c50d23
  SHA256: 9c682715a36c400188f14f0cee5b69d8785ede70b2aee7f49752b364b84baf2c
  SHA512: a03b79bd79bc98e2c9e1ad0bea6abd32043b121a7739b80bb11705ad7742abae9ae78ea52a376570ee870dcd6767385ff9c52a8b5db0f15b6b1b1ff12fbf309c

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  Filesize: 4.8MB
  MD5: 803d5a1d08d377c274dd3d3853ec8194
  SHA1: 3efc8360693de14f3ee57244a7daddc581b19a85
  SHA256: 1b64a7c8aa54894f6790e1b9f96eb28283407f20e9af2b254617272c2ba1735d
  SHA512: d026add4a471ba4dcccaf7ff4ae7b37817f65ba8bf22356b70a167fe7ffc2dde9b2d63d7cc6c241536919626f5da078e00646b24eb0e3bce66504fc766e5348f

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  Filesize: 2.2MB
  MD5: 18c47151b2fda60ee8ff6c91c0c7a0f2
  SHA1: faa813fa3ad0e9e6c5c88ca39acb3036b2cbb6da
  SHA256: e5a0ae67becf98806b1ed82850f95b0e1ece287c07c29cd8db3672ae74c16140
  SHA512: 7b75d519bf583b8c67c96b053267cf5c61f00d5dd025fb50b54eca8cf616fba6784690d35c43be10c90fe5bcc425ce949ace472e88579b0c219868f7a338256a

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Filesize: 2.1MB
  MD5: e37c8d96afb9fc32fffd9e8c5b23ef0f
  SHA1: f964272bdb6cb9804056d3cda9bd918cb5df5d7e
  SHA256: d639c63d04ac077cd55797721fcf4f29f05ccf9af4b9b8bd13f82d1b23fb08b4
  SHA512: ad9d1c9269bf5e2cbc6140db0800ae342bd9c721bf90216272287aece1a5c4c768dd5f38ef6395aee281be821249a5f80dd503a9655db0d17f46922b8f758ac2

• C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
  Filesize: 1.8MB
  MD5: 6106cc789a1ddc2adbce091df21740d8
  SHA1: bf18e9a73a1509b9c3b751920c7f5f04f787ec42
  SHA256: a17a42c80423fb9c12eee5b20429a2a6d5e00ebf549c83b657cad368e2d24f0d
  SHA512: 122c527e31e2da6bfc91e7089dd5efea15edf785527295b00765ab6ecf70aebec9e2c222e803ce4a2badc051fd607ed90b8482f56410bfd4a31719899fe7cc36

• C:\Program Files\Google\Chrome\Application\SetupMetrics\cf16d6ec-d24d-4c9b-9f05-9eacbc19eda6.tmp
  Filesize: 488B
  MD5: 6d971ce11af4a6a93a4311841da1a178
  SHA1: cbfdbc9b184f340cbad764abc4d8a31b9c250176
  SHA256: 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
  SHA512: c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

• C:\Program Files\Windows Media Player\wmpnetwk.exe
  Filesize: 1.5MB
  MD5: 2bbfe5cab991a87f1d710d4e5c85796a
  SHA1: 2be8ade6f1f5500a525f18d3a45c09ec1145d750
  SHA256: 17f2d7aaabcb505ac0bd1fbbab4a9df09d812e087d75d1ced9aaf63dcd78ed60
  SHA512: 90d078650a8946e86717828ff79c0a3608b4b65a20a40f93bdfdba51f680bf4e353997d5c7677aef3f2ddb5d9372bace577af5a3e91b65e7d2cfdff193d050b3

• C:\Program Files\dotnet\dotnet.exe
  Filesize: 1.3MB
  MD5: fcecf57d3d4cd49faa1c1654da8ff0c8
  SHA1: 7ea430319b2e4d4691215e912a13896ec19a19f4
  SHA256: df432a8d7c03f14813ded3015482c3c4069bb245cbe9ad2a8bcb620fd8100539
  SHA512: 192ac54aef6417cdfc84a49185de50e812734c15bebc5b1a6fc381b5dbf08c14708b830a2769b5139a8126fb01e2494d55f461ebed8b1bc7885ed52148530e94

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9a18a37a-3fbf-4e81-8720-3faa94faa09d.tmp
  Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
  Filesize: 40B
  MD5: b605879e08d2c37a89e0a7cf9cebb008
  SHA1: 547075286a6e5e6a304912cef29adf2a5379458d
  SHA256: 2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a
  SHA512: f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
  Filesize: 193KB
  MD5: ef36a84ad2bc23f79d171c604b56de29
  SHA1: 38d6569cd30d096140e752db5d98d53cf304a8fc
  SHA256: e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
  SHA512: dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 1KB
  MD5: 63661c4e5302388dc76d0ae91f9d8323
  SHA1: 29e8247d3dd856a5f25071acfe18210cc3fd15d2
  SHA256: 7f470303f952e248ed892301c6e592893ac3ca4d73bce863c1cd74ff3b16cbae
  SHA512: 1628af306b7c3fe5a0570be8c321150ed371cd71626b31d6f01d3c66045c4352319f1758cd034e9df40cb480e9234189596a0dd088dc50295e51827367290edb

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 371B
  MD5: 58fe4ad02115421621ebce35417eccd9
  SHA1: 16ad03a0b0376e3d1036079f9b58da9b6dedbb30
  SHA256: 22edfe9f9d1018bb27baaf881418832c6c1ab5283ae58ac7fac43eb22e9f4923
  SHA512: d8ad022aaedc9427dcad08c5ec2a64f23456c37b91ce1c14c120cbfe16323e59a76afb419641d172640dd4cc447d6eac4d80bcbc6182b8f4e546323aac6e5998

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 4KB
  MD5: 3276277cc4d05a6942e701bd5a434d51
  SHA1: 3d9181d715669e9f1b2dc3806e9d0cc937be9068
  SHA256: 191217edc262514f19fe3fd87fa2429cdf51d34c4130a9392af4b39ae99869db
  SHA512: bc66d1fe2dcf640187ad0a68d497ff374710df40822c523e3736b2f3f6683d3d600d600b72fee59a3be8d5b22bb05580e2dea0bea40c9cec852c7676796b821c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 4KB
  MD5: 28460536bc0f62a291685d86234338cf
  SHA1: 6bc4a9c6a83b129a722dc5dd2289011ef50d179c
  SHA256: ffad73395d38777f9ed0ff4dbced0fb171647205e205f66144cf5c67e234b51f
  SHA512: fa6e69a0cd0b5910c9a54b89ec88909ea150899002ec867971ec77e66dd67879ba73cdf0fd5bd414e6d93e7bfdf00ba59accd180803788195e1feaf385fd7d20

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 61d62558438ede7f331006d34e03811b
  SHA1: a92136c0536b60b9b0295188d74efad47b341da7
  SHA256: 339f06c205888f7134889bec5087f44338402c9f58b2602162b5e6ce04d7fc54
  SHA512: 7168c4913abcadb8acdf223bccf0f39e8c498f1b24ddf125b05255fa718b596975de8ff904dda811cadd78f7c04717376ecf99b5111615545ef75e6d6dc117e8

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a103.TMP
  Filesize: 2KB
  MD5: ef3aac392c0d75f931c89cbb67985e0f
  SHA1: ce61a9a0890645f7551e4188f0dc09b324f56b63
  SHA256: 474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec
  SHA512: 22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
  Filesize: 15KB
  MD5: fb9702eb916b957cbfdb38e281d99358
  SHA1: da1121c1efff024754ea3056574a46ef94973304
  SHA256: 02e72f7b6a350f2bc411db4ad199faa1ca1f54cd3fe59e19b0ae82c4ed07e104
  SHA512: 7c60540627cf906007af28960a9b830535c5abead53997a6e6fa0fc22f3ff49d6158fd5840cbda50c7a01cd5c634b01d788c9db25e6109ea4f216a9802544970

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 260KB
  MD5: 6d8964d92187bf3aec183f806d0d5873
  SHA1: 9fa7a8fb813a4e96620458d5e71406bfbed34f72
  SHA256: 76badd1688fdfab7434574f96b42a798f2c3f9c1c60759b94436dd46eba064b0
  SHA512: 3fdd1331ccc83719634a8b597da2d068247d2e1be3043dc482936323e0bb3154d1202c6848ace6007aa2843928e5220831ca1b7143330f898fde39b66a59d4ae

• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 7KB
  MD5: 643ee415eea6e9253034428146d8497d
  SHA1: aab4ce792eeedac3e5741a38bfe2b8943511790e
  SHA256: ab6e6bbfd6e7fc54a09cc8f7689b4d97c1a7f3540e5daee6d2d6e1315c091d1d
  SHA512: ef715c433ff0ff5c76bf1a5e26a07e9579a12e3ddc1326ec761704ebc35d1f22434339e545d7357add20d41e50de507f82eb469036aba3591e9f9a327471371b

• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 8KB
  MD5: 42a192cc9e49b4c238a379ac993dd318
  SHA1: 79bf314b162a0b2a02c9b76d0e419124d11ec945
  SHA256: faa55389e7110a8e6be510ecf9c6260469bc7e4ebd246fc1ed18ca3d7c41002f
  SHA512: fb4994327588d0de87dc20316907a2491f572f0c8859fd9a5c20b1c9667ac935a7623560cd10c1bc958a52ad12abb5e638894662947b1fc542998e2627117ab5

• C:\Users\Admin\AppData\Roaming\5bb03ad2a644d7f.bin
  Filesize: 12KB
  MD5: 71526bbce90b3b7bc7f10922e8cfa1a4
  SHA1: 05b812e41e3428e8c6e3d54c9ade329f2b15a421
  SHA256: 51c7c210d10455b0b9870f0269322f9e5da34bed868bc714d9933cc153aa34c9
  SHA512: 03c9dc6e3b4e52b17b244336031f6c1526091f8b82b008224769dde432a278a8a2a300471d6856d6dafe2c7b02158dbe0da9694145943940e675799ba21f4ca3

• C:\Windows\SysWOW64\perfhost.exe
  Filesize: 1.2MB
  MD5: 08ae5860ecf2045f6f89f7251c6e7440
  SHA1: 38abc9b49483d12480f2d741ce5290281c1a2911
  SHA256: 8bbeaf5100ee159d74ac50f6972fe05c7a152db6d16369a425317e747ea90a51
  SHA512: 2311156bfe4b7b400c5b011bcdf82d787fcbee22269d3e5f64d72230d94b8f237617dff6164e7cab7c76ddcae2f4c1b914c829a81a63a9d23c191b0d83c767f8

• C:\Windows\System32\AgentService.exe
  Filesize: 1.7MB
  MD5: 87745c40b6b378fd6ef6a21d69bc7aeb
  SHA1: 76b13d2734b9cd3727dfb5bbeaeaf76afb591e07
  SHA256: 8681d483d666b913dbf19bf365ff0163b9d331eef4cfeea010bfbf1ce455c37a
  SHA512: 207442165d3d92aaf58eba3c9b746631e6327aa9036d901d703ed49c1297e82a2baf2b0a51dc2b3aa85b1ff3f91de392222a8f91cd845c7bf7cbb55b4d9694b2

• C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Filesize: 1.3MB
  MD5: c1202524ecbf527e5ea6d4103fa6ae81
  SHA1: bccd1a4acdb0703afac1096e4cfeee554ff0d6f6
  SHA256: c7d33d8aeda31a7c145488b3cfea849cab464e98fe8e4d40adcd07927a3c5abc
  SHA512: 39022496f4ef66c7073cc15751c845dbc138ead791947a8f5c4d31ea803f14b7a648691551c0ee37d15c5559c80e4360bd84daa67e9c1a743c56fcbecd73169a

• C:\Windows\System32\FXSSVC.exe
  Filesize: 1.2MB
  MD5: 5e6476b1a83b4a6c16dd04357b12b9bd
  SHA1: 72d4d10baced2869ad7b46badbc1b0809dd0caa5
  SHA256: 7b8d7c8069640164358b0f3a908acc1b5e884f9f8fa0db800d897933ecf9fa5e
  SHA512: a821f9d52530ba2cd7588e0e20c3735f1c6b55a9f40a152eb781407412663438ca4a1a8a9166b1178689c39f20f76cd475b3bcbf50d3b415ef475913e4db9ba5

• C:\Windows\System32\Locator.exe
  Filesize: 1.2MB
  MD5: 8abeb7425549e9075f5acbcfef3873bf
  SHA1: 85e732e6da251c7899047d9b83cca5a82a8a9e84
  SHA256: 2aea71e4634184187893bc7ebbebb2979e611d32f6157e8900eea63dbdaa46c6
  SHA512: a09350f83b04abedafc50fa3f47b57fa7a655e79c3178dc65efd0ed32bbbc5ef01d58bc7e5b85bb095a2bd525881b4199445eebd35f41a4af91bbbfb96785e94

• C:\Windows\System32\OpenSSH\ssh-agent.exe
  Filesize: 1.5MB
  MD5: d71cd6071ff4ec63df0953fa1777238a
  SHA1: f5f14b079443bd3ae34424607e5eebd30f3f11b1
  SHA256: c258786b8623b14eb8be14148304a8e3c61cffd54debd8bf51178d967f2cb6a7
  SHA512: 003c8c824b013838b13200490449b8784e257bce9f05647646052f4dd8ecd718f41a62cc2cdaae150ce0904308b96f75f063172e737fe9fcc0c12419d296f419

• C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
  Filesize: 1.3MB
  MD5: b14f2a95214cc5a6918768cc506323d5
  SHA1: dcdbeb4feaa9384ea93794ef62af0174f4974dad
  SHA256: 9d977c7633553a18dd927191e0034577566ac91a0e42cc1ebf9c9d93423ce983
  SHA512: 33629b89b2860d9b3bd4417eb85504c8fda57c35d94005bf0a09faa3cc67c3c112eada5dadb823ab99108b68b004bb69b38ec26de20ef173ee93a227a502b0e9

• C:\Windows\System32\SearchIndexer.exe
  Filesize: 1.4MB
  MD5: 8a2c34ad1c40d4a2fac5c68b4f2814ae
  SHA1: 23adbbc9a13e747e0116e5d6acab834f915c00b5
  SHA256: 0e3945dc5ef439003863bdf9842941de03b7fed15042c857969d1e50bd078e4d
  SHA512: a75cb030d5f960fe588f130ded2c572666d04906fa4c20c4d3c4b8e51083b926a6ece43c174ca8e0ddac9bc121c98d12771e83b920b3cf4448ce693f518f6093

• C:\Windows\System32\SensorDataService.exe
  Filesize: 1.8MB
  MD5: 085f487da3809ef3c4bb0cc2c0819fc5
  SHA1: e3ac233a0d4ed477744e314163a8fcb6ae8b6a25
  SHA256: 8f4e7a45ec83b98a35b678aec08a5b96e4ece4442dae044bebcdc8c50072250a
  SHA512: b7c5f3f45f5641044f13bbe207f204236ea373d2a3b3477733b835af4c2155ee0163eaf15b2c55ce617612fa604f9400b9d3ae788e46c2dae70b7b50073c74ae

• C:\Windows\System32\Spectrum.exe
  Filesize: 1.4MB
  MD5: e8ffc05554d1f0444d2d7bd39118d58c
  SHA1: 1fd47226df7b2660272a18de09db414191800820
  SHA256: 2aeec5c52971a8c8c6e304051a555ea6f2a4f29c108559124bc4b7ff6e90095d
  SHA512: 5ed909ee58c83e1a043eb10828cfb8e7b4579d5176cb521d057158c8c51d7a6cc32c896534a0973fd0c3fd0eccfc2d281242ff7f137b8d19237f9f262e6b7fd4

• C:\Windows\System32\TieringEngineService.exe
  Filesize: 1.5MB
  MD5: b2a967e63d136d0d6462bf86506a87bc
  SHA1: 216678b63ecb6949b2b0ec42bbe5758e6c8f7f13
  SHA256: bed432d2f5dac64a0186b06e1217073c09db6f142e3af3ace66171d4c79c460c
  SHA512: d46bbc4289af8f6d4e5b95f52cbb9d23b5dfc51bdb911f9fdd2969adeb0b84bdd03eecc85207dd49c54218a98597da12fb1de8f5801f4ed5cf18b4d457bab17c

• C:\Windows\System32\VSSVC.exe
  Filesize: 2.0MB
  MD5: 96543b2940e0bb7c904dbe6bc2b2f8b2
  SHA1: 7b2522981fe7667d81f3bc6284f96a3ad5821e95
  SHA256: 74049b31e2b63416b4ab2c7add56322e30c2ace6bdf150165944f4a8535acde9
  SHA512: 4b4e8c452b5143952989847d4fa0f12a547f73177584bbeceff5a0eb1a54a6b74e8ed3c476cb33fe647f9ace0de5b578d4e0fb33aa09d630a1ffd20b57b5cf48

• C:\Windows\System32\alg.exe
  Filesize: 1.3MB
  MD5: 8236bd47b5ada0c83723f4175a9a3ce9
  SHA1: 3b14c3feaf69186c1519b9d2a75bb6acbe79bb86
  SHA256: 4604e76f719fc08ca2b481eb5928f3eb0c30dcaf6854ebad3311951a9cdc5525
  SHA512: 297fb27ddbb88ee00faf8e5209471c38e89805c4afa948f618f5b2d1ae1a1e04a68bd3f8b2493c69fa862c804115e491fb0beac21090b043e24d4a0d3e0ec481

• C:\Windows\System32\msdtc.exe
  Filesize: 1.3MB
  MD5: b419aebed06d8366cfc0fda3897ac689
  SHA1: d13a516a65c889d85a1205555e733d0576b8fee3
  SHA256: 9cf93946d169189bfd43804465a6501b873657db91780fe9de942b3a299c4f8b
  SHA512: 8fafd0bbedab38322987d2158d918f153d276a21ec6b001af2a6949bd7007529a0fb29b31f6864ed78037f73dcae98b74ee478454de7cff2f7bdf69dc2f74a77

• C:\Windows\System32\snmptrap.exe
  Filesize: 1.2MB
  MD5: 6d265669f1cd384e47f85ceb537e3332
  SHA1: 221dd4be9b8744b994acc46474873319ee02986a
  SHA256: 2843a82de12073581cd55129b6c6ee6c11f76a5c65cb15da4746eaef2d0e691b
  SHA512: fade63625472d8d8f01adc5d5e5717cd3d98924565da37dae0a0b11168689c74687ddc2a8ffbd6aa4ab5b836cfd77a514c286d4e7e02cf30b21b2545b0b425a7

• C:\Windows\System32\vds.exe
  Filesize: 1.3MB
  MD5: 75390610779b05b609e31ea468dd933d
  SHA1: dcb5a13cc5eaa2fd41fcfdcf99d1674ad4babaa9
  SHA256: de37b54e38fa765fbd33bb4678c186eeb1665071c972aa7802280756f1acb681
  SHA512: a7cd543800ffc20bd40ff594fe844838cd94bc760d739d874e9e5ed707f798d07cbbcc56a289c22670a6189dbf5014e3b0d48360a65601511d469aa67baf2966

                                        • C:\Windows\System32\wbem\WmiApSrv.exe

                                          Filesize

                                          1.4MB

                                          MD5

                                          09122134c83e1a33f90dcae78c8c79a1

                                          SHA1

                                          2e4e502f72b0f03509508d7937dfd4d5f1f0dbd2

                                          SHA256

                                          2be2b2468dce00aadb58200064b2705f0b0d3fb24f7b154d81ccd69bd169ba61

                                          SHA512

                                          10bc35a1d6c77499db76d0f3b41fb8a10475609d3cd5a8d81d84f482cbeb389f538ed1866f91e636b59dcca0c1923fa963ff7e022dc7d85e43403c7becac920e

                                        • C:\Windows\System32\wbengine.exe

                                          Filesize

                                          2.1MB

                                          MD5

                                          82b38a747d3fa178a6d918b338774767

                                          SHA1

                                          42b5a778399f0f76fbf369a852e56bf7932c6373

                                          SHA256

                                          1ec5d443dd18d4b98cfd0415a70ce9fe535bea3f0bde4c23dcd119a0d49082d6

                                          SHA512

                                          c5f52890b309fa32d78cd9c04dae9fd6743946efb1ebec3613c0623a3871b3b23c14f47a27179394e59856c59f39abbea954edd015602742ca5dda6ca6fcf541

                                        • C:\Windows\TEMP\Crashpad\settings.dat

                                          Filesize

                                          40B

                                          MD5

                                          7806f070ee1bf48d945790a0c2a61355

                                          SHA1

                                          cd3804e5db65628f5a3c0a8accbcb6d10544280c

                                          SHA256

                                          6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895

                                          SHA512

                                          c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

                                        • C:\Windows\system32\AppVClient.exe

                                          Filesize

                                          1.3MB

                                          MD5

                                          674bf7c8517e58085a13ef4f58d43e36

                                          SHA1

                                          ea058d2b71842d0355ecc5462718023c2d0679ea

                                          SHA256

                                          34ae48dd7f03016e2353e9cda6c9dfcdc8eb0ec9d6b50e4d57f06b2e808bfe19

                                          SHA512

                                          b17210920c7f676c137574bbc80b332b1a9d9c96b64d335bd42e2b849961f3ff070a187f6691097e87c7620f863567aff2e5ceaf3802895091020122403f9113

                                        • C:\Windows\system32\SgrmBroker.exe

                                          Filesize

                                          1.5MB

                                          MD5

                                          0cb513e936a6c6bd36c49baab094b096

                                          SHA1

                                          8d817b27d8ac91cf072b8e21303c48170f938d03

                                          SHA256

                                          0551d47db53fbd80891e483c521bdd195e3ae170901fb9a18b2523ba84b1b6d4

                                          SHA512

                                          ddb792c26018aa77e3300a2eec1b7b5191501e388bd268289d4871e7877e36ba88790c43742dff798a8d502903b35bb4a8b04f421e59ef85d87aefe5cc086d84

                                        • C:\Windows\system32\msiexec.exe

                                          Filesize

                                          1.2MB

                                          MD5

                                          ba10d0b41b6c7c934cb99d2635a78240

                                          SHA1

                                          7f164422a9087d79e25ed7b0ff4f2b72b4953b6b

                                          SHA256

                                          6332cdc72a45ba860fae2c6b9605216c39cddd926eb179db87872648aaaddc86

                                          SHA512

                                          53c86345f6ba818f20966246b68aeceac091652215c19129812825fee9d1041590b14ced1e5346fbca48138176a78bd11bebad1e4d195c67b50aad7bd5304c6a

                                        • C:\odt\office2016setup.exe

                                          Filesize

                                          5.6MB

                                          MD5

                                          9bb61b707fbd4071d1735f0529008136

                                          SHA1

                                          3e22239bf7d7867965d013e9ea07cac5feccb28a

                                          SHA256

                                          f81056e812b5677b26981f70e541054aecf5cde782c347a40a82c3eebf1e40a1

                                          SHA512

                                          4fca0e6051bfc917b24a77b135b9f4438b902c28b500122246ea9f1f5932661b259d82f2781597509918c7d0e8fe7173bce4225e732e93641f1c7fa76661ec4f

                                        • \??\pipe\crashpad_4596_XTXEZVSUQJFOQMUD

                                          MD5

                                          d41d8cd98f00b204e9800998ecf8427e

                                          SHA1

                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                          SHA256

                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                          SHA512

                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                        • memory/236-180-0x0000000140000000-0x00000001401EA000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/236-185-0x0000000000BC0000-0x0000000000C20000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/236-262-0x0000000140000000-0x00000001401EA000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/388-242-0x0000000000D90000-0x0000000000DF0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/388-142-0x0000000140000000-0x00000001401F8000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/388-147-0x0000000000D90000-0x0000000000DF0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/388-234-0x0000000140000000-0x00000001401F8000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/840-207-0x00000000008B0000-0x0000000000917000-memory.dmp

                                          Filesize

                                          412KB

                                        • memory/840-193-0x0000000000400000-0x00000000005D6000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/840-275-0x0000000000400000-0x00000000005D6000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1132-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1132-125-0x0000000140000000-0x0000000140209000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/1132-121-0x0000000000C00000-0x0000000000C60000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1132-136-0x0000000140000000-0x0000000140209000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/1132-137-0x0000000000C00000-0x0000000000C60000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1320-230-0x0000000000730000-0x0000000000790000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/1320-222-0x0000000140000000-0x00000001401D4000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1320-288-0x0000000140000000-0x00000001401D4000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/1652-161-0x0000000140000000-0x000000014020E000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/1652-248-0x0000000140000000-0x000000014020E000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/1652-173-0x00000000007F0000-0x0000000000850000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2312-41-0x00000000006E0000-0x0000000000740000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2312-32-0x00000000006E0000-0x0000000000740000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2312-33-0x0000000140000000-0x00000001401E9000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2312-122-0x0000000140000000-0x00000001401E9000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/2336-103-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/2336-20-0x00000000020E0000-0x0000000002140000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/2336-13-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/2336-11-0x00000000020E0000-0x0000000002140000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3120-236-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3120-244-0x00000000006B0000-0x0000000000710000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3120-301-0x0000000140000000-0x00000001401D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/3988-84-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/3988-85-0x0000000000C50000-0x0000000000CB0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3988-177-0x0000000140000000-0x0000000140237000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/3988-95-0x0000000000C50000-0x0000000000CB0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/3988-94-0x0000000000C50000-0x0000000000CB0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4320-8-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4320-23-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4320-26-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4320-2-0x0000000140000000-0x0000000140592000-memory.dmp

                                          Filesize

                                          5.6MB

                                        • memory/4320-0-0x0000000000900000-0x0000000000960000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4800-88-0x0000000000D90000-0x0000000000DF0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4800-73-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4800-74-0x0000000000D90000-0x0000000000DF0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4800-80-0x0000000000D90000-0x0000000000DF0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4800-92-0x0000000140000000-0x0000000140135000-memory.dmp

                                          Filesize

                                          1.2MB

                                        • memory/4848-48-0x0000000140000000-0x00000001401E8000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4848-47-0x0000000000690000-0x00000000006F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4848-55-0x0000000000690000-0x00000000006F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4848-139-0x0000000140000000-0x00000001401E8000-memory.dmp

                                          Filesize

                                          1.9MB

                                        • memory/4860-105-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/4860-101-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4860-115-0x00000000001A0000-0x0000000000200000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/4860-192-0x0000000140000000-0x000000014022B000-memory.dmp

                                          Filesize

                                          2.2MB

                                        • memory/5008-332-0x0000000140000000-0x00000001401D5000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5008-252-0x0000000140000000-0x00000001401D5000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5008-257-0x0000000000500000-0x0000000000560000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5008-342-0x0000000000500000-0x0000000000560000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5204-346-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/5204-264-0x0000000140000000-0x0000000140169000-memory.dmp

                                          Filesize

                                          1.4MB

                                        • memory/5204-271-0x0000000000720000-0x0000000000780000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5332-278-0x0000000140000000-0x0000000140241000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/5332-359-0x0000000140000000-0x0000000140241000-memory.dmp

                                          Filesize

                                          2.3MB

                                        • memory/5332-285-0x0000000000DA0000-0x0000000000E00000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5456-290-0x0000000140000000-0x0000000140221000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5456-373-0x0000000140000000-0x0000000140221000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5456-297-0x0000000000890000-0x00000000008F0000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5596-308-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5596-330-0x0000000000C10000-0x0000000000C70000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5596-325-0x0000000000C10000-0x0000000000C70000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5596-329-0x0000000140000000-0x00000001401C0000-memory.dmp

                                          Filesize

                                          1.8MB

                                        • memory/5756-334-0x0000000140000000-0x0000000140147000-memory.dmp

                                          Filesize

                                          1.3MB

                                        • memory/5756-343-0x0000000000C10000-0x0000000000C70000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5848-348-0x0000000140000000-0x00000001401FC000-memory.dmp

                                          Filesize

                                          2.0MB

                                        • memory/5848-356-0x0000000000710000-0x0000000000770000-memory.dmp

                                          Filesize

                                          384KB

                                        • memory/5964-361-0x0000000140000000-0x0000000140216000-memory.dmp

                                          Filesize

                                          2.1MB

                                        • memory/5964-369-0x0000000000BC0000-0x0000000000C20000-memory.dmp

                                          Filesize

                                          384KB