Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/06/2024, 15:11

General

  • Target

    2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe

  • Size

    5.5MB

  • MD5

    97d1f96c53654646b5bf3bb5cd1889ef

  • SHA1

    ad19c10bd9acf1f7824f263bde5c9857be0e37e1

  • SHA256

    1d808afe7bb3904ec9f9280d219f095bf544d28777b4ac98e4c7592826fef551

  • SHA512

    565650a2c86f6751996b2ef3e830e129628b218c05fa2edaeb527edfbc62cbe6d5ff23dbddc4e0d704658bb013cb32b50db6c7772b41487879b1338249a4ddc0

  • SSDEEP

    49152:NEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfG:xAI5pAdVJn9tbnR1VgBVm465tUV

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 26 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Drops file in System32 directory 32 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly calls it to delete shadow copies before encrypting, but this report records only use of the COM API and the start of vssvc.exe (PID 4848); no snapshot deletion is shown.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3692
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9f20ab58,0x7fff9f20ab68,0x7fff9f20ab78
        3⤵
        PID:1904
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:2
        3⤵
        PID:3708
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:1544
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:5008
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        3⤵
        PID:3196
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2908 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        3⤵
        PID:2812
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4248 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:1
        3⤵
        PID:5304
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:5452
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:5472
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:6052
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:444
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        • Executes dropped EXE
        PID:5536
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
          4⤵
          • Executes dropped EXE
          PID:5608
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          PID:5812
          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
            5⤵
            • Executes dropped EXE
            PID:5800
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:8
        3⤵
        PID:5568
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1916,i,2667242311850054629,2650861576574583738,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5424
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    PID:4528
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2628
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:5060
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2204
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:940
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3992
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:548
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:2128
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4388
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:1252
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3984
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:1012
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:2580
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:2192
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4336
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:8
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:5004
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:216
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3484
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:2612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4848
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:388
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:2184
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:3940
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      2⤵
      • Modifies data under HKEY_USERS
      PID:4124
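The 26 "Executes dropped EXE" hits in the tree above fall on 23 distinct binaries, almost all Windows service executables under System32 and vendor updaters under Program Files, that the sandbox saw the sample write before they ran, and the Downloads section further down lists the hash of what was written to each path. The script below is an added example, not part of this report or of any tool named on the page: it parses abridged excerpts of the Processes tree and the Downloads list in the page's own layout, recovers each process's parent from the "N⤵" depth markers rather than from the (drifted) indentation, and hashes the same paths under a directory that mirrors a suspect host's C: volume, such as a mounted disk image or a forensic export. The excerpts, the root directory and the verdict names are constructed for the example; the hashes in the Downloads excerpt are copied from the page.

```python
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Abridged excerpt of the report's "Processes" tree, constructed from the page
# (siblings and tags trimmed). Nesting comes from the "N⤵" lines, not indentation.
PROCESSES_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-02_97d1f96c53654646b5bf3bb5cd1889ef_ryuk.exe"
  1⤵
  • Drops file in System32 directory
  PID:4856
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    2⤵
    PID:5024
    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      3⤵
      • Executes dropped EXE
      PID:5536
• \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  1⤵
  • Executes dropped EXE
  PID:4388
"""

# Two entries from the report's "Downloads" list; the hashes are copied from the page.
DOWNLOADS_EXCERPT = r"""
• C:\Program Files\7-Zip\7z.exe
  SHA256
  254e739cc9cf79e6758556b5cc25ecfe514ec415ad2b6a5bbb5117d0efaa35b3
• C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  SHA256
  82527d55dcbbad9e89ff4b9b786ef1bd3529b7a8b1ab2c580f1a502e59606d4d
"""

PATH_BULLET = re.compile(r"^• ((?:\\\?\?\\)?[A-Za-z]:\\.+)$")  # a bullet naming a file, not a tag
DEPTH, PID = re.compile(r"^(\d+)⤵$"), re.compile(r"^PID:(\d+)$")
LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}

def parse_processes(text):
    """Process tree -> list of {path, cmdline, depth, pid, ppid, tags} in page order."""
    procs, last_pid_at, cur, want_cmdline = [], {}, None, False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PATH_BULLET.match(line):
            cur = {"path": m[1], "cmdline": "", "depth": 0, "pid": None, "ppid": None, "tags": []}
            procs.append(cur)
            want_cmdline = True  # the line after the path bullet is the command line
        elif cur is None:
            continue
        elif want_cmdline:
            cur["cmdline"], want_cmdline = line, False
        elif m := DEPTH.match(line):
            cur["depth"] = int(m[1])
            cur["ppid"] = last_pid_at.get(cur["depth"] - 1)  # latest process one level up
        elif m := PID.match(line):
            cur["pid"] = last_pid_at[cur["depth"]] = int(m[1])
        elif line.startswith("• "):
            cur["tags"].append(line[2:])
    return procs

def parse_downloads(text):
    """Downloads list -> {windows_path: {label: value}}."""
    files, cur, label = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := PATH_BULLET.match(line):
            cur, label = files.setdefault(m[1], {}), None
        elif line in LABELS:
            label = line
        elif cur is not None and label:
            cur[label], label = line, None
    return files

def norm(win_path):
    """Case-fold and drop the NT '\\??\\' prefix so tree and download paths compare equal."""
    return win_path.removeprefix("\\??\\").casefold()

def to_local(win_path, root):
    """Map 'C:\\dir\\file' onto <root>/dir/file; root mirrors the suspect C: volume."""
    parts = PureWindowsPath(win_path.removeprefix("\\??\\")).parts  # parts[0] is the drive
    return Path(root).joinpath(*parts[1:])

def verify_dropped(procs, downloads, root):
    """For each path tagged 'Executes dropped EXE', compare the file under root with
    the SHA256 of what the sample wrote to that path in the sandbox."""
    expected = {norm(p): v.get("SHA256", "").lower() for p, v in downloads.items()}
    verdicts = {}
    for proc in (p for p in procs if "Executes dropped EXE" in p["tags"]):
        local, want = to_local(proc["path"], root), expected.get(norm(proc["path"]))
        if not local.is_file():
            verdicts[proc["path"]] = "MISSING"
        elif not want:
            verdicts[proc["path"]] = "NO_REFERENCE_HASH"
        elif hashlib.sha256(local.read_bytes()).hexdigest() == want:
            verdicts[proc["path"]] = "MATCHES_SANDBOX_DROP"  # byte-identical to the sample's output
        else:
            verdicts[proc["path"]] = "DIFFERS_FROM_SANDBOX_DROP"
    return verdicts
```

Feed the full Processes and Downloads sections of the report to the two parsers and point `verify_dropped` at the mounted volume. A MATCHES_SANDBOX_DROP verdict means the file on the host is byte-identical to what the sample wrote in the sandbox; the report does not say whether those writes differ from the clean binaries, so treat a match as evidence only after confirming with Get-AuthenticodeSignature (or the same check on the image) that the file no longer carries a valid signature. NO_REFERENCE_HASH is expected for paths the Downloads list does not cover, including everything beyond the point where this page is cut off.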

                              Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                      Filesize

                                      2.1MB

                                      MD5

                                      23a36da077ae5df0642ffe349264aaa1

                                      SHA1

                                      1d43a8546595613b0d60274989d4f02dcaee4053

                                      SHA256

                                      9d91e70183e24240bc1d45f7f821dcef61c04a9890568fe477a4b4c55a38758d

                                      SHA512

                                      2b27cf63e9197f0945952f1a73375f6d2c05762c2e9f719a8366cdb172013c2cdf332dbb5591954d0ef3f0e8844cbfa13e9477cb9f271588662a1069d1dcbc7a

                                    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                      Filesize

                                      797KB

                                      MD5

                                      c959bc20c705f9077a1faef1ad6dbee9

                                      SHA1

                                      a7fde4d696cb106c995acca58c98b84ff09b1893

                                      SHA256

                                      23529a84f5f207c27b17f3831edad0a543282aa448cb0fcbe721fca7c3bc0d57

                                      SHA512

                                      f91b57402192faaf19716cd7e6bac5dac935683d5acb2fd516c0ca3f7befd1534c301175cd03d66b80da536e28001d8f9e0e02d15a5cc14d4f7bca99718ea889

                                    • C:\Program Files\7-Zip\7z.exe

                                      Filesize

                                      1.1MB

                                      MD5

                                      b2bfd33023e9cecf2ccc60f1ff4f52a2

                                      SHA1

                                      65732597ebcb937789732492b45b9228403d8c8f

                                      SHA256

                                      254e739cc9cf79e6758556b5cc25ecfe514ec415ad2b6a5bbb5117d0efaa35b3

                                      SHA512

                                      dadebe504b3ad042365f4333e2286a4f461854ed840c9488cd7b4da20eb6f1185ccbf253b05301a7ddbb5f9a07a8aecfabaf39a2a629b15dbd0c422d5746e456

                                    • C:\Program Files\7-Zip\7zFM.exe

                                      Filesize

                                      1.5MB

                                      MD5

                                      7218c9382ebbdd7edc4810450c5a16fb

                                      SHA1

                                      7d3e942597a460d77a1db4dc225c0903536b50b7

                                      SHA256

                                      650ab61ed139b69495893eae4a876c8017a42571231ca70f3d1a07051c762064

                                      SHA512

                                      f5b76cdbed6f9c3a066b639a3f1679949d3ab01338eb3ef304d7dc5faf581d212933a1b27c2ea78bb39ef0e782f0aff4d4ea03b8fc7ce04c486ad67588cd426e

                                    • C:\Program Files\7-Zip\7zG.exe

                                      Filesize

                                      1.2MB

                                      MD5

                                      c1b9e50aa1a6db4f60a28c75e8c7017a

                                      SHA1

                                      61378341c8cc94a43b3e27743089607dd36be0af

                                      SHA256

                                      7f85866c8cc0d4a4f69d035bbf01c9b62c6e5ef34ca26ef6417d9182804cd77c

                                      SHA512

                                      820c4cfa486ecd62f3e97ce71fd87d188f56a5a592b3165b10519c68c9a12c9d02d1a6d5d141cf0894628d47965d0b2dec8cf96ab0a4fd6f9f29281a0ecd8c8d

                                    • C:\Program Files\7-Zip\Uninstall.exe

                                      Filesize

                                      582KB

                                      MD5

                                      9f0d3e7e6cc4a254b1aad3d4cec2c033

                                      SHA1

                                      4afb3dfe83a8592678b5a7c504177f906f6adc61

                                      SHA256

                                      70de2b7b6a67b832f806abebb42187831c2e456be1c41abd9c404cff16c9773a

                                      SHA512

                                      d4447e1a50fbf4c31476575e14da32507851ee9eb055ee3c582a39f1a60b02908e5352371e17a36fac28fc1142ec303074393ac0412db6dff641c4b21cbc97ea

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                      Filesize

                                      840KB

                                      MD5

                                      7ba2e3c352656116f1e119fd492a3cb3

                                      SHA1

                                      eca1e5bc6a5d85de393d9fc72e7d9f57043c056b

                                      SHA256

                                      a65a702fd528b7ab8d3dc9f4795549fc7e812124c672794a28b3878a719bbe7d

                                      SHA512

                                      bb934c96f97ccd3be331a7cf6f71c2cd37946cedc25991380ea7b0e9ac4248294d13e9ffb25de3dae25d4a746c1f365f6e2bc1f4ab8a59b000129bff8a0be333

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                      Filesize

                                      4.6MB

                                      MD5

                                      c42ca6f9c1fd91a5e88a82cb54068a5e

                                      SHA1

                                      2e09fdf3a63cf5f47dd430e40c72adb25e400f96

                                      SHA256

                                      9aef9106d6c2d5b49896692155a6f35648f13719686deacee1b0b579baf15502

                                      SHA512

                                      c8d127f3cec09450b4c392a76d5c8506aa84908f02b78a8e451b87c7a19ad99f30ff5f23eeb86c111523ed5ab0ad330824c0ca50fe029897211098a0786600b7

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                      Filesize

                                      910KB

                                      MD5

                                      7c68be008309b9ebf0a4dabca02b22cf

                                      SHA1

                                      7a08914bb7fd7051003a8bf08f509a9479076135

                                      SHA256

                                      9c12531c6159feee3b79b6105eaf3717054143f08a831e477bdebdc5114cb850

                                      SHA512

                                      a1a06afd395352e26328e82d49ecd5c0a378cec77e815b87f10d5ec43bec67ef11ea8cc730dccc61fcd62bd23df0cca66c12e34a2279dadb0c85b23907ca62f1

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                                      Filesize

                                      24.0MB

                                      MD5

                                      f86e710cebb888d3ab0801ea50fbde9b

                                      SHA1

                                      576ec57e180099562ae25fd6bc490b7562128a49

                                      SHA256

                                      1afdd6315397f0082a77d5a953cee73f664dc926b3ea2d1964b167044106d493

                                      SHA512

                                      5817dc3145cab02bc525a263f89d76e731f496ea5ffac5dd3b0f4dad7740424ac75da31b391d957a7b8eab8b122abd981eea1f9f8b9ed8efbe3b93c6136d191e

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                                      Filesize

                                      2.7MB

                                      MD5

                                      64b1e722d325913c90d1efe56d3f6d6e

                                      SHA1

                                      65095c059fe7c730d502a57b22e0e5423da96e22

                                      SHA256

                                      184ef85384b4e632616a0f9f3fa6b0f1f7c17a06745d0d7e9d8d84f11973df2c

                                      SHA512

                                      8c68791f680b7f8faa7dba1ba4e62ce370a9913447b3912a375837398ed7aa386b9c6c8ef8ae2a8ffb5eedad6d3b9b681b2240246700fc92eb941f19a99d4229

                                    • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

                                      Filesize

                                      1.1MB

                                      MD5

                                      5c9787687893805a183e9afed994b4b8

                                      SHA1

                                      4413506677e8cfa119aa689a972d3036edffe6f0

                                      SHA256

                                      b381b5ab203da4bae44ecdd8b99920a02deef02b75fa0f10b2ffe78c858cc4e6

                                      SHA512

                                      a715867aa8b357d1d6322f73bc9e313cb28cdddf779d10cca683efffb2e38f73a30d58150308fd283e9be0d6f81f3d1ab2e7a871df4ce1f995b088d16bf40a2a

                                    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                                      Filesize

                                      805KB

                                    • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

                                      Filesize

                                      656KB

                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

                                      Filesize

                                      5.4MB

                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

                                      Filesize

                                      2.0MB

                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

                                      Filesize

                                      2.2MB

                                    • C:\Program Files\Google\Chrome\Application\SetupMetrics\29929433-b077-47fb-aa06-9aeb8ece3b48.tmp

                                      Filesize

                                      488B

                                    • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                      Filesize

                                      1.5MB

                                    • C:\Program Files\dotnet\dotnet.exe

                                      Filesize

                                      701KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                      Filesize

                                      40B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

                                      Filesize

                                      193KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                      Filesize

                                      1KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                      Filesize

                                      2B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                      Filesize

                                      354B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577a50.TMP

                                      Filesize

                                      2KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                      Filesize

                                      16KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                      Filesize

                                      261KB

                                    • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                      Filesize

                                      7KB

                                    • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                      Filesize

                                      8KB

                                    • C:\Users\Admin\AppData\Roaming\5f6e1896293b476c.bin

                                      Filesize

                                      12KB

                                    • C:\Windows\SysWOW64\perfhost.exe

                                      Filesize

                                      588KB

                                    • C:\Windows\System32\AgentService.exe

                                      Filesize

                                      1.7MB

                                    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                      Filesize

                                      659KB

                                    • C:\Windows\System32\FXSSVC.exe

                                      Filesize

                                      1.2MB

                                    • C:\Windows\System32\Locator.exe

                                      Filesize

                                      578KB

                                    • C:\Windows\System32\OpenSSH\ssh-agent.exe

                                      Filesize

                                      940KB

                                    • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                                      Filesize

                                      671KB

                                    • C:\Windows\System32\SearchIndexer.exe

                                      Filesize

                                      1.4MB

                                    • C:\Windows\System32\SensorDataService.exe

                                      Filesize

                                      1.8MB

                                    • C:\Windows\System32\Spectrum.exe

                                      Filesize

                                      1.4MB

                                    • C:\Windows\System32\TieringEngineService.exe

                                      Filesize

                                      885KB

                                    • C:\Windows\System32\VSSVC.exe

                                      Filesize

                                      2.0MB

                                    • C:\Windows\System32\alg.exe

                                      Filesize

                                      661KB

                                    • C:\Windows\System32\msdtc.exe

                                      Filesize

                                      712KB

                                    • C:\Windows\System32\snmptrap.exe

                                      Filesize

                                      584KB

                                    • C:\Windows\System32\vds.exe

                                      Filesize

                                      1.3MB

                                    • C:\Windows\System32\wbem\WmiApSrv.exe

                                      Filesize

                                      772KB

                                    • C:\Windows\System32\wbengine.exe

                                      Filesize

                                      2.1MB

                                    • C:\Windows\TEMP\Crashpad\settings.dat

                                      Filesize

                                      40B

                                    • C:\Windows\system32\SgrmBroker.exe

                                      Filesize

                                      877KB

                                    • C:\Windows\system32\msiexec.exe

                                      Filesize

                                      635KB

                                    • memory/8-224-0x0000000140000000-0x0000000140102000-memory.dmp  Filesize: 1.0MB
                                    • memory/216-225-0x0000000140000000-0x00000001400E2000-memory.dmp  Filesize: 904KB
                                    • memory/316-243-0x0000000140000000-0x0000000140179000-memory.dmp  Filesize: 1.5MB
                                    • memory/316-563-0x0000000140000000-0x0000000140179000-memory.dmp  Filesize: 1.5MB
                                    • memory/388-240-0x0000000140000000-0x0000000140216000-memory.dmp  Filesize: 2.1MB
                                    • memory/548-86-0x0000000140000000-0x00000001400CF000-memory.dmp  Filesize: 828KB
                                    • memory/548-84-0x0000000001A40000-0x0000000001AA0000-memory.dmp  Filesize: 384KB
                                    • memory/548-80-0x0000000001A40000-0x0000000001AA0000-memory.dmp  Filesize: 384KB
                                    • memory/548-74-0x0000000001A40000-0x0000000001AA0000-memory.dmp  Filesize: 384KB
                                    • memory/940-50-0x0000000000740000-0x00000000007A0000-memory.dmp  Filesize: 384KB
                                    • memory/940-56-0x0000000000740000-0x00000000007A0000-memory.dmp  Filesize: 384KB
                                    • memory/940-59-0x0000000140000000-0x000000014024B000-memory.dmp  Filesize: 2.3MB
                                    • memory/940-354-0x0000000140000000-0x000000014024B000-memory.dmp  Filesize: 2.3MB
                                    • memory/1012-217-0x0000000140000000-0x0000000140095000-memory.dmp  Filesize: 596KB
                                    • memory/1252-215-0x0000000140000000-0x00000001400AB000-memory.dmp  Filesize: 684KB
                                    • memory/1252-101-0x0000000000620000-0x0000000000680000-memory.dmp  Filesize: 384KB
                                    • memory/2128-213-0x0000000140000000-0x00000001400B9000-memory.dmp  Filesize: 740KB
                                    • memory/2184-241-0x0000000140000000-0x00000001400C6000-memory.dmp  Filesize: 792KB
                                    • memory/2184-562-0x0000000140000000-0x00000001400C6000-memory.dmp  Filesize: 792KB
                                    • memory/2192-219-0x0000000140000000-0x0000000140096000-memory.dmp  Filesize: 600KB
                                    • memory/2204-58-0x0000000140000000-0x0000000140135000-memory.dmp  Filesize: 1.2MB
                                    • memory/2204-61-0x0000000140000000-0x0000000140135000-memory.dmp  Filesize: 1.2MB
                                    • memory/2580-529-0x0000000140000000-0x00000001401D7000-memory.dmp  Filesize: 1.8MB
                                    • memory/2580-218-0x0000000140000000-0x00000001401D7000-memory.dmp  Filesize: 1.8MB
                                    • memory/2612-231-0x0000000140000000-0x0000000140147000-memory.dmp  Filesize: 1.3MB
                                    • memory/2628-43-0x0000000140000000-0x00000001400A9000-memory.dmp  Filesize: 676KB
                                    • memory/2628-35-0x0000000000690000-0x00000000006F0000-memory.dmp  Filesize: 384KB
                                    • memory/2628-44-0x0000000000690000-0x00000000006F0000-memory.dmp  Filesize: 384KB
                                    • memory/3484-154-0x0000000140000000-0x00000001401C0000-memory.dmp  Filesize: 1.8MB
                                    • memory/3692-12-0x0000000000710000-0x0000000000770000-memory.dmp  Filesize: 384KB
                                    • memory/3692-21-0x0000000000710000-0x0000000000770000-memory.dmp  Filesize: 384KB
                                    • memory/3692-20-0x0000000140000000-0x0000000140592000-memory.dmp  Filesize: 5.6MB
                                    • memory/3692-436-0x0000000140000000-0x0000000140592000-memory.dmp  Filesize: 5.6MB
                                    • memory/3984-216-0x0000000000400000-0x0000000000497000-memory.dmp  Filesize: 604KB
                                    • memory/3992-63-0x00000000001A0000-0x0000000000200000-memory.dmp  Filesize: 384KB
                                    • memory/3992-69-0x0000000140000000-0x000000014022B000-memory.dmp  Filesize: 2.2MB
                                    • memory/3992-70-0x00000000001A0000-0x0000000000200000-memory.dmp  Filesize: 384KB
                                    • memory/3992-559-0x0000000140000000-0x000000014022B000-memory.dmp  Filesize: 2.2MB
                                    • memory/4336-223-0x0000000140000000-0x0000000140169000-memory.dmp  Filesize: 1.4MB
                                    • memory/4388-97-0x00000000007B0000-0x0000000000810000-memory.dmp  Filesize: 384KB
                                    • memory/4388-91-0x00000000007B0000-0x0000000000810000-memory.dmp  Filesize: 384KB
                                    • memory/4388-214-0x0000000140000000-0x00000001400CF000-memory.dmp  Filesize: 828KB
                                    • memory/4528-25-0x0000000140000000-0x00000001400AA000-memory.dmp  Filesize: 680KB
                                    • memory/4528-530-0x0000000140000000-0x00000001400AA000-memory.dmp  Filesize: 680KB
                                    • memory/4848-234-0x0000000140000000-0x00000001401FC000-memory.dmp  Filesize: 2.0MB
                                    • memory/4856-31-0x0000000140000000-0x0000000140592000-memory.dmp  Filesize: 5.6MB
                                    • memory/4856-9-0x00000000008D0000-0x0000000000930000-memory.dmp  Filesize: 384KB
                                    • memory/4856-8-0x0000000140000000-0x0000000140592000-memory.dmp  Filesize: 5.6MB
                                    • memory/4856-24-0x00000000008D0000-0x0000000000930000-memory.dmp  Filesize: 384KB
                                    • memory/4856-0-0x00000000008D0000-0x0000000000930000-memory.dmp  Filesize: 384KB
                                    • memory/5536-424-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5536-526-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5608-564-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5608-448-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5800-473-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5800-631-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5812-461-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB
                                    • memory/5812-515-0x0000000140000000-0x000000014057B000-memory.dmp  Filesize: 5.5MB