Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-06-2024 10:25

General

  • Target

    2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe

  • Size

    4.6MB

  • MD5

    06bb37eb2744eb9f23cb1a25b82c5845

  • SHA1

    fa416078604d02d9e222200c50f9261b833891f0

  • SHA256

    4ed1bd9470e986123ecadb2e316fd2201f008dc9735fa12b1c1dd5dcb89a6dbd

  • SHA512

    70838c38fd682874f16839115ea9f45f0a6baa6cf431aa591e481c648026ffa8669c2ced9e2110441722e34390963b1f53519275a20c788cc5459f4427d082e1

  • SSDEEP

    98304:rDokH1WPirCB6Ijt91p2GWNzSC34g2FiiIVD527BWG:3tHSi6XGNNiE/VVQBWG

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 41 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3688
    • C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:14244
      • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
        C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe "-lang=en_US" "-cachedir=C:\Users\Admin\AppData\Local\Steam\htmlcache" "-steampid=14244" "-buildid=1716584667" "-steamid=0" "-logdir=C:\Users\Admin\AppData\Local\Temp\logs" "-uimode=7" "-startcount=0" "-userdatadir=C:\Users\Admin\AppData\Local\Steam\cefdata" "-steamuniverse=Public" "-realm=Global" "-clientui=C:\Users\Admin\AppData\Local\Temp\clientui" "-steampath=C:\Users\Admin\AppData\Local\Temp\2024-06-03_06bb37eb2744eb9f23cb1a25b82c5845_magniber_qakbot.exe" "-launcher=0" --valve-enable-site-isolation --enable-smooth-scrolling --enable-direct-write "--log-file=C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --disable-quick-menu "--disable-features=SpareRendererForSitePerProcess,DcheckIsFatal"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:6832
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dumps "--metrics-dir=C:\Users\Admin\AppData\Local\CEF\User Data" --url=https://crash.steampowered.com/submit --annotation=platform=win64 --annotation=product=cefwebhelper --annotation=version=1716584667 --initial-client-data=0x3ac,0x3b0,0x3b4,0x39c,0x3b8,0x7ffe8a46ee38,0x7ffe8a46ee48,0x7ffe8a46ee58
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:6976
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=gpu-process --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=1704 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:7224
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2216 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:8068
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-agent-product="Valve Steam Client" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --mojo-platform-channel-handle=2528 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:7736
        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe
          "C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\steamwebhelper.exe" --type=renderer --user-agent-product="Valve Steam Client" --user-data-dir="C:\Users\Admin\AppData\Local\Steam\cefdata" --buildid=1716584667 --steamid=0 --first-renderer-process --log-file="C:\Users\Admin\AppData\Local\Temp\logs\cef_log.txt" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1760,i,15448163332235978232,13809633619316081230,131072 --disable-features=BackForwardCache,DcheckIsFatal,SpareRendererForSitePerProcess,WinUseBrowserSpellChecker /prefetch:1
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          PID:7776
      • C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery64.exe
        .\bin\gldriverquery64.exe
        3⤵
        • Executes dropped EXE
        PID:7824
      • C:\Users\Admin\AppData\Local\Temp\bin\gldriverquery.exe
        .\bin\gldriverquery.exe
        3⤵
        • Executes dropped EXE
        PID:8548
      • C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery64.exe
        .\bin\vulkandriverquery64.exe
        3⤵
        • Executes dropped EXE
        PID:8716
      • C:\Users\Admin\AppData\Local\Temp\bin\vulkandriverquery.exe
        .\bin\vulkandriverquery.exe
        3⤵
        • Executes dropped EXE
        PID:8752
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:436
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:4444
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:2808
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1016
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:5028
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4284
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3628
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:3528
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1604
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:4632
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3296
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:2148
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4496
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:3476
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:1940
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3828
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:1280
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3744
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4872
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:344
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5084
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3960
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:3180
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:4656
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:1632
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3c8 0x448
    1⤵
    PID:7884

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

          Filesize

          2.1MB

          MD5

          718d056077b5d13f5523c489ed533c08

          SHA1

          08234a57f7996231504c2828cbf25fc9d34d5720

          SHA256

          f917f4488d5aa480ae90edfc27d14e4a9473b65a02182fd82426b6f93a4b0d40

          SHA512

          0f1e8f13ef62562addce34f184169c1aab367018906e0e6a1b9147fdd8e00ec71188c2371663e48d2b96fa3007348e9e6d35205f7b6902f30a61058cfc012d92

        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

          Filesize

          797KB

          MD5

          9df103530164bf3ee45fe6d0da26cb52

          SHA1

          b0d3f3328542be6f0a02579cfb9295b20c2fef23

          SHA256

          d19cccbaca6bb2885b9e0c94a1d89162d0672fb91a6af0472d57c2b43217157d

          SHA512

          4d69fb49639613ed9deb326f1e8a0242d40e09f2fc43b0103e69841cb91eb0ba6ce8f03dfc2f81006d729644568f0283fa3e12d04f63ec8ee40605c8da7c6f83

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          1.1MB

          MD5

          efb0363957a8fd4d793c65a80d453f6e

          SHA1

          1868a45e71fcea21f43566f5120411f628f9f98a

          SHA256

          6d9b178454da8cf8bf69193f3625dc3b342451401c0147165b14c7be34571565

          SHA512

          bc6562c8fed32f16f5edac79f3cc5b061b22314eb3b688f264aed4c9c0fca3cc7581eaaa5b5e8a876282fdfa6939ad2dc96ef27214c9d758f13758f7bdd5f9c2

        • C:\Program Files\7-Zip\7zFM.exe

          Filesize

          1.5MB

          MD5

          31bd7cd0f051c05e7a84807035a10476

          SHA1

          697202c35a6f0f134194d640da7d4d7a602ce016

          SHA256

          5f6596f3f050923504e0a26997882ac4f4d2dc84cde391f044a3d82f3cce9e1e

          SHA512

          b92ca50f9a7c4afec504cd1cd6cf0f67d602f9864e061e3c47c2fea993452717dafd98a650babcf24b388573faa177c8aaed3770782d6e1b9c098c2cad0f7706

        • C:\Program Files\7-Zip\7zG.exe

          Filesize

          1.2MB

          MD5

          857f2ff0044ad9be5853981c783eccf4

          SHA1

          bfbe3f18d7b0d84b7d3c9a1ad40d36c49c90c302

          SHA256

          6c19ea44447c24cab29b47c6411cc29c3560a72d398798818a26e5a28f00409d

          SHA512

          2003b179f88f8a468bb1016468a8f49fbc98861c5293b7e3e29840f6cd16ef1e892e230e8d5738f50edd069e9d7d1e80860aafe56d66805c90c569b8195c0c47

        • C:\Program Files\7-Zip\Uninstall.exe

          Filesize

          582KB

          MD5

          d591512fd67ffaf0650fb8b4dcef8b95

          SHA1

          c1a88e35620c01a8d0c05ce5cd4449dbb8ba9420

          SHA256

          69a15060eb9fb75d2224783a58f0270df6a7a8fc3bc473a9d8b20cbca492238e

          SHA512

          c1958b09ca15a3932fa7de1f4d6dce154bb2ee6fb462bbb8b61bdcbdfc09a5d177506a5e23c489e593e8eedf7decdd0289463a199e8d1a308636f715bcbb6e7d

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

          Filesize

          840KB

          MD5

          5998729c6ca6b9cd42b1d7bb723216c7

          SHA1

          b1b4627230315f449eae6a5e76076ba93eb03e6a

          SHA256

          34f10cc9c299570258d36504e380d9f277d37dcaead8e4ae2c9ed4476d240505

          SHA512

          3a967a7cd516ee3d212659823100ad9b43bd20a99c804402f71e4f01241dfb3b06a3e799933828c36989f0c9de31df44cd016803fb258a2e1af33970a1f1a0d2

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

          Filesize

          4.6MB

          MD5

          ba7cf59fed5fba1ecedca61a13a8e85a

          SHA1

          0987a603d522d61eb50f5fbe6cbf1b5f3998bdba

          SHA256

          b0b71866b4e17e58be4101fe1166b519c931ba515cef745d81e65368e8f2e419

          SHA512

          cdce780bfea0f5cf20c98fcf7d738b603adc87054bb562f3e9ed386fbee4a2cbc523a1050aa2f22605162847d274a0cbfe18687db8e36710385739a3e28402e1

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

          Filesize

          910KB

          MD5

          408d00f379d50046a43bd1b7be9fa02f

          SHA1

          0e7ab60f426b0cc8cfa77932c2f382650fc8cd86

          SHA256

          14ca6a896eb0a8d2e310899d9b9737e2be111d4b252490420924e151faaaf088

          SHA512

          982e3206f1d4d41db4c96ebb3cd32631bfc3575a03444467191d60e2a79964b9f590fabdaeae22b0347f19d98ee8011230a8bc0414ece5ddd26706ded576ed0f

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

          Filesize

          24.0MB

          MD5

          1836409500629c08e958dc3ad40ec300

          SHA1

          1552ffd9e779552d60591c6f0874c9692eb37409

          SHA256

          460d0d3dcef45b54431ead8367bf07a12e303293f1802d57ae3eb661c9900899

          SHA512

          5c4016032cfc5921ee681d59cea0b739c8f668437c3b46771399b154bc33ed46152e75a7c5cb16274bae1b0151adb5859d682a12f2ef5c3b894d4bdd6708132c

        • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

          Filesize

          2.7MB

          MD5

          8c9e85da6417ed1fc6deacebb2e3eb75

          SHA1

          14084131d6a1ee5ce5d0d7f9bc3006c973d06ee8

          SHA256

          0b480034080729fb7bff5281f101be59c0ac11f16ce1d762f795684e3ff83c14

          SHA512

          dc4cd64c2c5c101c267d05195207b83bd9cb801d6137c01cd3f4cebad4c8979820da0c6ab2eb748c2de0d82c7a84232dc927f923a8200121a64ecd0ba30c607c

        • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

          Filesize

          1.1MB

          MD5

          95039c544f3474b299b9aeb1cee55a18

          SHA1

          64ee34960b6efa7eaf72dfd74f3d65182fd59715

          SHA256

          64406a7689dce92bc7e6a9a3988118a0f77128f2c46402adaaefd7654c745486

          SHA512

          3921b0248851b49cc20844b8f9b861b1e9000c0c13c63ca12f36ff2777d23a763744229ffbdf05fe8a4eae8fbefc242fafb7ea17092aca303dd0c08d9f93aa35

        • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

          Filesize

          805KB

          MD5

          f11e2405e3d785ad823acff08aa53a80

          SHA1

          49c5fce5e46df2c05fa223aee647d62e6a6e8f96

          SHA256

          07f5ed677703bdc67d34f43e22e3a15d3aa3eb7850534b6241718a27de9a3ff0

          SHA512

          5ba2f8ece7e78d084684c0c69b7b3e4c092351579a51d755f520cd008628672b59912db8378154f36b22eb6e445623b21c0020185a3dc364564b2cf49b3305b3

        • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

          Filesize

          656KB

          MD5

          8af433d5a24564c13dbcfc3b017d224d

          SHA1

          208088d625b166c342d30b99d2ed0f8e51ecfabc

          SHA256

          c8ceb3948685d6879d81439e0fc460e6280919dd01401515c4f0858f0bc74fc0

          SHA512

          5ca12146e5eeb075667e101f24de3e177f389a2b48185481981ddda60d62800b30c8ed0b4ecd7d927629d4fa1a6e7e20d05ce1be916aa3994061443ebf9bab39

        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

          Filesize

          2.0MB

          MD5

          ab8a8a2e5f976c5ab34cba583ac36356

          SHA1

          1f8875734015e0ab64ee26efc6f8c40b5716d0f0

          SHA256

          36d600a651f8776d570d2ec7c0d0aeecc1774da6f656e54841a915f2d2d0e3d8

          SHA512

          2f754b9784586edd2ad981736710696c038ce247468ccfea7226ea4fced63d6bfe63a79bb92d14424d11fd43a738a3045f46a2973847a712122523693d0df9dc

        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

          Filesize

          2.2MB

          MD5

          3eb84cf4c1c1fa434cf4155e33181ded

          SHA1

          33413b0545820caa8d1ba638423db438b03c6e07

          SHA256

          dbf4b991227739c888dc73ba57d35c0205b82f9134d191d4c8e9e6b141bc3b3a

          SHA512

          6987f35a7906f3259e7fbdd2d574e8d2c89f1beced26093d682c4681fc327f4333791a99750731fb322d81cfcb5dba3aa34a8d43198da73a269efb033cbeb814

        • C:\Program Files\Windows Media Player\wmpnetwk.exe

          Filesize

          1.5MB

          MD5

          8da553ef7f4ecf8692bec03655310b17

          SHA1

          cd5ed68e83ec8daa2abe606aa1c6327c690a0d9d

          SHA256

          e988878977350c62c89b960dbbedfc860bf2c7c4ab48a95e117a541af82a84dd

          SHA512

          37a6c0a80ff7b14f5e48c22425c861272f5df51dd214e6b649730e5175e41c4b9b913e5eb899c2ae4ad3bea9f0e9ad576d9137a57c54ce2a6fb9243410432e72

        • C:\Program Files\dotnet\dotnet.exe

          Filesize

          701KB

          MD5

          e0b642329e8162016418ac4f621159f3

          SHA1

          7a79926e60a9d7eca992ef1523bf4c87b3e179e3

          SHA256

          07ea4f5f818dded46339c2e9ec450aa1a43149034ab478dbefd24d18989212d2

          SHA512

          80156ad7dfce36f80da392856b1749b88b34f513e593ccfa562ec148d92a7d9ff165a4fd2decd42920b41b428d3e84cadaae0cb4780c16d026f31302417ce962

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index

          Filesize

          216B

          MD5

          e826d9e0468f19f2691d94dba32246e0

          SHA1

          46d74659a655d3241b6bc2ef42a778bc42f60091

          SHA256

          8dd898b52487a612ff0c753789e2d2039aba2f5fcd7b01d7afd13f57603faaef

          SHA512

          d31ebcf0bd0ea6a3ee41565828ae72affbfa6c9fcc50f3e19ae2ddacfb3e770c9c972a5abc70c16e92f1b747001bbe268e409615a28068cea5ad975c7786dfa2

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Code Cache\js\index-dir\the-real-index~RFe588fb8.TMP

          Filesize

          48B

          MD5

          5de732b8c96404d45c2d04e10eeb5cec

          SHA1

          64fb3d432a306a364ec3bbe6d8b834c1b14d510c

          SHA256

          91952841965f1391bd91daf93623465a9b4801c9420529150d5a300154db3157

          SHA512

          af5bf0603556a38a311412da60a76bd7973a44376597d8b4d6770d08f9c0b97e15fa299eb5801577a159fde9a9f8ddd4445a35bbc7951a5fe8c01fadebedbe48

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Local Storage\leveldb\000001.dbtmp

          Filesize

          16B

          MD5

          46295cac801e5d4857d09837238a6394

          SHA1

          44e0fa1b517dbf802b18faf0785eeea6ac51594b

          SHA256

          0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

          SHA512

          8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json

          Filesize

          693B

          MD5

          8971c39ec098db262ac752d3ae5ce44e

          SHA1

          20b476a37e5a85b6539ae88ec75042a19f10d6db

          SHA256

          3ce1938a192873b3cc39ae004a9b090468b697e977cbae524d43bdca57945672

          SHA512

          e2ea62dd42e4638f01e6f67840690e292a89b0f6381462a6686d4d93f2fe07393aa433a8de860f8381d3a441b95cf04ea84c570e9c5ccd2f87ea0f51237be3fb

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\LocalPrefs.json~RFe594397.TMP

          Filesize

          484B

          MD5

          f1b5adc9c264a0dd2a8d7180a767f8cf

          SHA1

          0fa5c8c88d35a73edb267b76034710cf46c629bc

          SHA256

          718454c8d95c17e08878e44f055749ee72a9376c6e7e73387f6ce1d0863db84f

          SHA512

          02d4fc20a0bada58dc4c793c9f27b895f2341b054c27ad4cdf8a68b2f090f314b7e2cad5e2f44ffdf84bc20142565be5ef01bd24c2cffb52c851fe7b02bbee6a

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State

          Filesize

          300B

          MD5

          540458c0bad774d09682015f06aa5623

          SHA1

          4a260dcbfd1405c1d29b49301f8f5177a2e14f02

          SHA256

          f7d398f6ec44f415fd56af725f541adee90d3786e8b99c04b1e9e4fe0557bc18

          SHA512

          51117ec4987ee357c95df470d94cf5111ccc7566afdff74db9192f24ec3c1e1c587fdc5cc6c6e26bf74b2242fe55a0cc37214cf1345b28cb893a2695d59059e4

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Network\Network Persistent State~RFe59579c.TMP

          Filesize

          59B

          MD5

          2800881c775077e1c4b6e06bf4676de4

          SHA1

          2873631068c8b3b9495638c865915be822442c8b

          SHA256

          226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

          SHA512

          e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

        • C:\Users\Admin\AppData\Local\Steam\htmlcache\Session Storage\MANIFEST-000001

          Filesize

          41B

          MD5

          5af87dfd673ba2115e2fcf5cfdb727ab

          SHA1

          d5b5bbf396dc291274584ef71f444f420b6056f1

          SHA256

          f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

          SHA512

          de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

        • C:\Users\Admin\AppData\Local\Temp\aom.dll

          Filesize

          7.1MB

          MD5

          d764264518e77cc546a5876c3bcebad4

          SHA1

          ea17d45b396fa193a851bfd345e2b2c20ad60e12

          SHA256

          e78492de0ab575add50b925bfd44216d224d09904a9b14c17087a92fdcbc15cd

          SHA512

          7cf132ea5254a55c08186ffcf5e47360ef5ddd57d03d7051171f6753b22e3925304d183c2037bfd320ad56c08e079f9b2c4640db8cb3dbd38ff500c7a39e997f

        • C:\Users\Admin\AppData\Local\Temp\avif-16.dll

          Filesize

          226KB

          MD5

          a09c5fa842fa4456a0b53b46f1050225

          SHA1

          9e4677f19e77bf55e7d0e2e82d8c27f79dbbd78e

          SHA256

          3d7ba6fedfdfd6e751693d718a21438304690b754d1c5d13c847a829b2423b8b

          SHA512

          71c962da6ed6894209891513bf9f0132a5eab6c65a5d9ba334efcaf73463be5625665a060863a106d59fad1949f6191f641aa4c59ddb0e825701bef08ef9b5a5

        • C:\Users\Admin\AppData\Local\Temp\bin\audio.dll

          Filesize

          175KB

          MD5

          cbc43e3928d5fd556456f8f9ef285063

          SHA1

          33c043f63171ddbbe58a5031961cb5040d1a245b

          SHA256

          ae99258ab7694026147b259367ef82d8ac2b118f87c02c7a41f81b82d1f7a9d7

          SHA512

          0d13bebbd71e48a1dffa34ad68e2a76746b3d745529842aba594b5de4d1a621f8759a2968cd61d8dfe9780a9ff23e808b6c90d63957e6ac2f95bf1ae0bf4b3a6

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-1-0.dll

          Filesize

          23KB

          MD5

          9c2202f9ebd8d2e8c90c93d3b0f433e1

          SHA1

          3d20c8f8428df16372e7de91a6d4f94b80aefb4c

          SHA256

          894842053591d4818bac9e1e476601cf39e4191b4bd0748ccb9f3c2711caa946

          SHA512

          b274b3f3dafd290f72351b36b9937445e78b6a16eb6cfa9a0b6de3cf11d5d809cd5f4095c2c4a05c16bdd1fb1be0b883e4c387ae8f7693eab958a63ce408097e

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-console-l1-2-0.dll

          Filesize

          23KB

          MD5

          0b2450ac7066b1aa6970cd4763bed6a8

          SHA1

          9cdc98d8a852c5e66c42e83edec21a1a2ab1d347

          SHA256

          9e9ee99c5fbe9a2a784d324b4bff06842874dbc33320c1fb02f063060d2d5c7b

          SHA512

          a1e0b0dee99c5d4ee03f15fa69436f41c965438b289eb244c8bbdec2de4b439e8ea60417ca6a37064b0aff023fbae5debb732e5e69027ca86623514520d6dffd

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-datetime-l1-1-0.dll

          Filesize

          23KB

          MD5

          880c1094ab4679600f77012712fcfdcc

          SHA1

          d92636752ceed77e4eb37967306de746953e375a

          SHA256

          65e57b5316eee1433c006adc6487c3ad3e17412b1a6d5a35ba518aaefd871bbf

          SHA512

          de8a622fd97bcd0a429c7a0874fc6dbeacb966e406dc519448ddfb420f584686a7a5ef105b4ac45a3a8de3bf0b7ed5b79ed62a92ebfceea3bceccce7298af652

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-debug-l1-1-0.dll

          Filesize

          23KB

          MD5

          df9bc6c6936655ed05180de600916f3c

          SHA1

          abfd6dc420368aaee7d3ce11cca36af3cb4446f6

          SHA256

          b34fda7a50b20aaae509d0919ced53d718afb997a2bd9f3b97446c3cebf994d6

          SHA512

          b6d935a6046a573df8c0a7bafd57c35f333f74fbe754e18de13cdf9a39fd9649449030539b208046651d648eca20e4b5d0e73a8a7d173d6ea37bbfc311b0d6df

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-errorhandling-l1-1-0.dll

          Filesize

          23KB

          MD5

          a78aabc0f9a9dc5b9923d2ff67d24f23

          SHA1

          3a0330b84c7ca674f0710c10eee1e5126d545429

          SHA256

          39e98dd2cfd15b1687f3a8f8690a80026af0deaba5142c0fe503bbebca46d4c1

          SHA512

          3efd9fd95ef6aa16172c3d89150d49611c21deaa13fd50c2114e76380de573255ec6bdcfe10665bbe15a17c1d05ba327ca7ea24949ad1a173b3db86bab24adcf

        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-fibers-l1-1-0.dll

          Filesize

          23KB


        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-1-0.dll

          Filesize

          27KB


        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l1-2-0.dll

          Filesize

          23KB


        • C:\Users\Admin\AppData\Local\Temp\bin\cef\cef.win7x64\api-ms-win-core-file-l2-1-0.dll

          Filesize

          23KB


        • C:\Users\Admin\AppData\Local\Temp\crashhandler.dll

          Filesize

          361KB


        • C:\Users\Admin\AppData\Local\Temp\logs\bootstrap_log.txt

          Filesize

          13KB


        • C:\Users\Admin\AppData\Local\Temp\package\steam_client_metrics.bin

          Filesize

          3KB


        • C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.installed

          Filesize

          464KB


        • C:\Users\Admin\AppData\Local\Temp\package\steam_client_win32.manifest

          Filesize

          9KB


        • C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\[email protected]_

          Filesize

          15KB


        • C:\Users\Admin\AppData\Local\Temp\package\tmp\graphics\icon_button_news_mousedown.tga_

          Filesize

          20KB


        • C:\Users\Admin\AppData\Local\Temp\package\tmp\resource\filter_clean_bulgarian.txt.gz_

          Filesize

          23B


        • C:\Users\Admin\AppData\Local\Temp\public\steambootstrapper_english.txt

          Filesize

          4KB


        • C:\Users\Admin\AppData\Roaming\521dbdb1c3136770.bin

          Filesize

          12KB


        • C:\Windows\SysWOW64\perfhost.exe

          Filesize

          588KB


        • C:\Windows\System32\AgentService.exe

          Filesize

          1.7MB


        • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

          Filesize

          659KB


        • C:\Windows\System32\FXSSVC.exe

          Filesize

          1.2MB


        • C:\Windows\System32\Locator.exe

          Filesize

          578KB


        • C:\Windows\System32\OpenSSH\ssh-agent.exe

          Filesize

          940KB


        • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

          Filesize

          671KB


        • C:\Windows\System32\SearchIndexer.exe

          Filesize

          1.4MB


        • C:\Windows\System32\SensorDataService.exe

          Filesize

          1.8MB


        • C:\Windows\System32\Spectrum.exe

          Filesize

          1.4MB


        • C:\Windows\System32\TieringEngineService.exe

          Filesize

          885KB


        • C:\Windows\System32\VSSVC.exe

          Filesize

          2.0MB


        • C:\Windows\System32\alg.exe

          Filesize

          661KB


        • C:\Windows\System32\msdtc.exe

          Filesize

          712KB


        • C:\Windows\System32\snmptrap.exe

          Filesize

          584KB


        • C:\Windows\System32\vds.exe

          Filesize

          1.3MB


        • C:\Windows\System32\wbem\WmiApSrv.exe

          Filesize

          772KB


        • C:\Windows\System32\wbengine.exe

          Filesize

          2.1MB


        • C:\Windows\system32\AppVClient.exe

          Filesize

          1.3MB


        • C:\Windows\system32\SgrmBroker.exe

          Filesize

          877KB


        • C:\Windows\system32\msiexec.exe

          Filesize

          635KB

