Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 17:44

General

  • Target

    2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe

  • Size

    4.6MB

  • MD5

    08b0899c5dabd0332b2bad2cb5ff0514

  • SHA1

    f0e936b3d9c1dfa0d28d26c292e7154c9d1f413a

  • SHA256

    cbabdf6269b6a4f6c6b6bde6f5ef34ed42df36b7867be8786b0d4082f1384451

  • SHA512

    fbc2b8317066ee9a659f1da37c6355d8fbddc2b7b97ccb71fa6910329704756a16c16209ae9f82ca8018a9538806afcb6df0f1fef4c0e2b752496fbf90d027e6

  • SSDEEP

    49152:EndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGf:O2D8siFIIm3Gob5iEgdt6N3u5H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 26 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-11_08b0899c5dabd0332b2bad2cb5ff0514_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5024
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80c84ab58,0x7ff80c84ab68,0x7ff80c84ab78
        3⤵
        PID:3648
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:2
        3⤵
        PID:5064
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:4060
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:1772
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
        3⤵
        PID:220
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
        3⤵
        PID:1704
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:1
        3⤵
        PID:2604
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:5184
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:5212
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:4360
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:5376
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        • Executes dropped EXE
        PID:5532
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x2a8,0x14044ae48,0x14044ae58,0x14044ae68
          4⤵
          • Executes dropped EXE
          PID:5752
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          PID:5844
          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
            5⤵
            • Executes dropped EXE
            PID:5964
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:8
        3⤵
        PID:5544
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 --field-trial-handle=1912,i,14650696390592978703,16048101520113071626,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5280
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:4104
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3548
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:3384
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4956
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1724
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4984
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:4892
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:5104
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2892
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:4608
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:1512
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:3852
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4856
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:1044
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:2384
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:5096
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:1636
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4980
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2356
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:4380
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2936
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1260
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:1480
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4956
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5976
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:6088

Network

MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                      Filesize

                                      2.1MB

                                      MD5

                                      91cb4111ce7fea6c16b39ccbbc82540b

                                      SHA1

                                      fad61792c299653b12ea5edfe8b04278aa538035

                                      SHA256

                                      ed010fa2616da7136e35a2b3561fafd28a85ed2a8166ad9200eaf912fbe1d938

                                      SHA512

                                      a59e80834ed783e89b2ef47f700ccef2d304f82ffda181844249d01efa439703410a3760fdb5c9fe9fab18da6351b8a30174ba81a54af55be680256fc02a294b

                                    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                      Filesize

                                      797KB

                                      MD5

                                      6a669e69d9ce20cfa9c70e7771b7358a

                                      SHA1

                                      35e6f79b98aebf98fa42688bd6f18bb23f28058e

                                      SHA256

                                      1434d5d887016e0b65cb866c19036a57fa300b7150c5ac070dc73607cc160263

                                      SHA512

                                      20a1b10099983682c4e2ccb0bb633d9b5cb9c9f4ca15df09353d1b27eb3e5c818a41839313080b70bb8a365d167f70151aedb1f8d84dd107741e2ccd132f5321

                                    • C:\Program Files\7-Zip\7z.exe

                                      Filesize

                                      1.1MB

                                      MD5

                                      fc8b05f5f11aa2754d7ddd70ed29c1ce

                                      SHA1

                                      5f2fbba9a3e118cd941c94327ce5f1c5f7d7879d

                                      SHA256

                                      190dc1a2a89934168161f4b1d6e9246564a077b38f245aa8d9c7fd9f76aea55f

                                      SHA512

                                      42155f62e154b68b97e1df68c9290eb8ac44abee9c3861ac3e6071ccca5226b85b3b68eebacefd91639dbb105843a58f9ee6a88f6426ed694a94ad631732c41a

                                    • C:\Program Files\7-Zip\7zFM.exe

                                      Filesize

                                      1.5MB

                                      MD5

                                      0f89b65d2c532290dc810cca6ed9ce3a

                                      SHA1

                                      bbaa3bbc391395efbd7ed11dcb0d85a6bef2015d

                                      SHA256

                                      b6457603e9b2c77bbb33f240ce0c7822c652c562a3bf49342cfabbc79dc40c90

                                      SHA512

                                      c00481d6e88f95d58842b8417c572d2efa5a90e3f866abd56bec170a2554990ce2d99ac8be0215fcb2afadab587dcef99eaf6b3057a5b9cea498eb1b1bfc98fc

                                    • C:\Program Files\7-Zip\7zG.exe

                                      Filesize

                                      1.2MB

                                      MD5

                                      da8e4af95a49cd5154a6798403331bf9

                                      SHA1

                                      93b10a3f1e7d75092e85745c46e496e87152256b

                                      SHA256

                                      5432cb99ee882f73f9a8b317bc89d1ad820503479e216711bc66bb7968a7e88a

                                      SHA512

                                      1c0273c1f0ea32797e5c204fa08dce2f4bce6f940ab61b440ba99bd3766408a440dad90fa891060983b5074b1c1659d8e5c1f48761659e6f2e5e3aba6f1dcb67

                                    • C:\Program Files\7-Zip\Uninstall.exe

                                      Filesize

                                      582KB

                                      MD5

                                      6b4e528178f5f4abac3a914b6aa6b9c0

                                      SHA1

                                      4c157f7e6ac7a29f84f8bb75501119b998b29ddf

                                      SHA256

                                      36701799227ee9b5cec3fd035177658c04208f3c732f5b35f6ee2710fc9f16c7

                                      SHA512

                                      df7803b8872a7a624c7c804080d2df14939ef62ea14c24352a8d640029958515c8b076744a1edad48e2121fa09d6a3381b93ec1171075a447e681ba9444a97cb

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

                                      Filesize

                                      840KB

                                      MD5

                                      da1816dce2238a783b616b9e359dfd73

                                      SHA1

                                      b0647fddbd38e9bb746c691e93c2d36c73e2dbd3

                                      SHA256

                                      631d0ea2cb31670a64507a38319d83a701eb5dcbe3900c94ac0c4ea7a8e57443

                                      SHA512

                                      1892146f027197ca74092037355a157698d8c28c9960347f05b4326d72bdfa2dd375087c9cfe1ff599255af7fc3d0f7aaa0d9af03bbdc734fe310d7580c8d72d

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

                                      Filesize

                                      4.6MB

                                      MD5

                                      ab501d1930e3defeff60d66f5577b444

                                      SHA1

                                      1bf3708fd924e47c67e7edc6a428f75bad1de4e7

                                      SHA256

                                      eedfbbe4cc92cb326fdca1fb8e73dfcb02eb73781a2c555ee37b3db891cde979

                                      SHA512

                                      19d0f4a7a1811154b60c8e224e670a376648fa2b5f438711ecde3385d5229121afe29fb9d4e8024e5000eb2400023faa0434ac20a7a71c4053235b6b11cd9e52

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

                                      Filesize

                                      910KB

                                      MD5

                                      1ad629ac0e6b66673a09f128c8e8fd9d

                                      SHA1

                                      150680fab521657e6851fb4fab42bfc0475b579a

                                      SHA256

                                      ac4ae077c20443d28034628838d196399eecb367387dd6eea8b6c4a5371d8845

                                      SHA512

                                      6502fb644701b5dca691ab573e99d4bd6e62a142f1f1c2e885d1af7ae04fe17f81ba9d01186b64634044fb7227654fb3ae77ba660c97d06b5ebf8bb575e6e452

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

                                      Filesize

                                      24.0MB

                                      MD5

                                      5a81f53fe3f3f0ccc9a686d3fefc8409

                                      SHA1

                                      42516d5d64fd89b57f464d3bc41b06d57106e357

                                      SHA256

                                      98175c4a6aa4add9f5517a4716fb8692e60c020d05796cec0ff810b2b3be7fb9

                                      SHA512

                                      16279b601e75159a8970cc370c768383bf05591cd4e9cca88b32584b172ef398f2568dea1913db6f049e5b81da62fe5cfa3df0d0e6060851279be00979918c5f

                                    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

                                      Filesize

                                      2.7MB

                                      MD5

                                      684622e476bda434cf393001fda86375

                                      SHA1

                                      1398aa589326db4479aae4a778e3b076b6c00b6c

                                      SHA256

                                      06aa8d3e768d95e4dfe2c1acb9e00762432c5df3583cafba037c720585a42895

                                      SHA512

                                      edd0ce784521c6d95c1f9899ec929ed769a6785c5b04bdd373d9e56d718b78fe638c4e8d274e0da239af762cd080a4de532e43a5b29914677732f7a52a6c34da

                                    • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

                                      Filesize

                                      1.1MB

                                      MD5

                                      f72b5db1b4ee9ea0bb410d790ef5f7af

                                      SHA1

                                      1b34f1bfdebbf3d3b8bf3a1597ecf00795e1f667

                                      SHA256

                                      8fca840e8d0d5252c1e9bf999e40584ef3bf5e08b5bb6dc70001caaa70695edc

                                      SHA512

                                      950de01e357f71574034efca282a22c2bc0e32fcff23a11126a84e33a81eba848bf0875b578e11e78a19969b51c60b854b96669ca82e1faf618645ab425e3654

                                    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                                      Filesize

                                      805KB

                                    • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

                                      Filesize

                                      656KB

                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

                                      Filesize

                                      5.4MB

                                    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

                                      Filesize

                                      2.2MB

                                    • C:\Program Files\Google\Chrome\Application\SetupMetrics\1c2f6c78-11f1-49e3-9000-cf0e00bdb676.tmp

                                      Filesize

                                      488B

                                    • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                      Filesize

                                      1.5MB

                                    • C:\Program Files\dotnet\dotnet.exe

                                      Filesize

                                      701KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                      Filesize

                                      40B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

                                      Filesize

                                      193KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                      Filesize

                                      1KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                      Filesize

                                      2B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                      Filesize

                                      356B

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                      Filesize

                                      5KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57659f.TMP

                                      Filesize

                                      2KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                      Filesize

                                      16KB

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                      Filesize

                                      264KB

                                    • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                      Filesize

                                      7KB

                                    • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                      Filesize

                                      8KB

                                    • C:\Users\Admin\AppData\Roaming\971ca1e64a48edc7.bin

                                      Filesize

                                      12KB

                                    • C:\Windows\SysWOW64\perfhost.exe

                                      Filesize

                                      588KB

                                    • C:\Windows\System32\AgentService.exe

                                      Filesize

                                      1.7MB

                                    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                      Filesize

                                      659KB

                                    • C:\Windows\System32\FXSSVC.exe

                                      Filesize

                                      1.2MB

                                    • C:\Windows\System32\Locator.exe

                                      Filesize

                                      578KB

                                    • C:\Windows\System32\OpenSSH\ssh-agent.exe

                                      Filesize

                                      940KB

                                    • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                                      Filesize

                                      671KB

                                    • C:\Windows\System32\SearchIndexer.exe

                                      Filesize

                                      1.4MB

                                    • C:\Windows\System32\SensorDataService.exe

                                      Filesize

                                      1.8MB

                                    • C:\Windows\System32\Spectrum.exe

                                      Filesize

                                      1.4MB

                                    • C:\Windows\System32\TieringEngineService.exe

                                      Filesize

                                      885KB

                                    • C:\Windows\System32\VSSVC.exe

                                      Filesize

                                      2.0MB

                                    • C:\Windows\System32\alg.exe

                                      Filesize

                                      661KB

                                    • C:\Windows\System32\msdtc.exe

                                      Filesize

                                      712KB

                                    • C:\Windows\System32\snmptrap.exe

                                      Filesize

                                      584KB

                                    • C:\Windows\System32\vds.exe

                                      Filesize

                                      1.3MB

                                    • C:\Windows\System32\wbem\WmiApSrv.exe

                                      Filesize

                                      772KB

                                    • C:\Windows\System32\wbengine.exe

                                      Filesize

                                      2.1MB

                                    • C:\Windows\TEMP\Crashpad\settings.dat

                                      Filesize

                                      40B

                                    • C:\Windows\system32\AppVClient.exe

                                      Filesize

                                      1.3MB

                                    • C:\Windows\system32\SgrmBroker.exe

                                      Filesize

                                      877KB

                                    • C:\Windows\system32\msiexec.exe

                                      Filesize

                                      635KB

• memory/1044-233-0x0000000140000000-0x0000000140096000-memory.dmp (Filesize 600KB)
• memory/1260-634-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize 2.1MB)
• memory/1260-266-0x0000000140000000-0x0000000140216000-memory.dmp (Filesize 2.1MB)
• memory/1480-287-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize 792KB)
• memory/1480-637-0x0000000140000000-0x00000001400C6000-memory.dmp (Filesize 792KB)
• memory/1512-230-0x0000000000400000-0x0000000000497000-memory.dmp (Filesize 604KB)
• memory/1724-291-0x0000000140000000-0x000000014024B000-memory.dmp (Filesize 2.3MB)
• memory/1724-73-0x0000000000C80000-0x0000000000CE0000-memory.dmp (Filesize 384KB)
• memory/1724-67-0x0000000000C80000-0x0000000000CE0000-memory.dmp (Filesize 384KB)
• memory/1724-75-0x0000000140000000-0x000000014024B000-memory.dmp (Filesize 2.3MB)
• memory/2356-217-0x0000000140000000-0x00000001401C0000-memory.dmp (Filesize 1.8MB)
• memory/2384-234-0x0000000140000000-0x0000000140169000-memory.dmp (Filesize 1.4MB)
• memory/2892-228-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize 828KB)
• memory/2936-257-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize 2.0MB)
• memory/2936-624-0x0000000140000000-0x00000001401FC000-memory.dmp (Filesize 2.0MB)
• memory/3548-45-0x0000000000690000-0x00000000006F0000-memory.dmp (Filesize 384KB)
• memory/3548-53-0x0000000140000000-0x00000001400A9000-memory.dmp (Filesize 676KB)
• memory/3548-51-0x0000000000690000-0x00000000006F0000-memory.dmp (Filesize 384KB)
• memory/3852-231-0x0000000140000000-0x0000000140095000-memory.dmp (Filesize 596KB)
• memory/4104-37-0x00000000006B0000-0x0000000000710000-memory.dmp (Filesize 384KB)
• memory/4104-305-0x0000000140000000-0x00000001400AA000-memory.dmp (Filesize 680KB)
• memory/4104-28-0x00000000006B0000-0x0000000000710000-memory.dmp (Filesize 384KB)
• memory/4104-36-0x0000000140000000-0x00000001400AA000-memory.dmp (Filesize 680KB)
• memory/4316-0-0x00000000020D0000-0x0000000002130000-memory.dmp (Filesize 384KB)
• memory/4316-39-0x0000000140000000-0x00000001404A3000-memory.dmp (Filesize 4.6MB)
• memory/4316-9-0x00000000020D0000-0x0000000002130000-memory.dmp (Filesize 384KB)
• memory/4316-8-0x0000000140000000-0x00000001404A3000-memory.dmp (Filesize 4.6MB)
• memory/4380-238-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize 1.3MB)
• memory/4380-618-0x0000000140000000-0x0000000140147000-memory.dmp (Filesize 1.3MB)
• memory/4608-229-0x0000000140000000-0x00000001400AB000-memory.dmp (Filesize 684KB)
• memory/4856-603-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize 1.8MB)
• memory/4856-232-0x0000000140000000-0x00000001401D7000-memory.dmp (Filesize 1.8MB)
• memory/4892-92-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize 828KB)
• memory/4892-106-0x0000000140000000-0x00000001400CF000-memory.dmp (Filesize 828KB)
• memory/4892-94-0x0000000000C00000-0x0000000000C60000-memory.dmp (Filesize 384KB)
• memory/4956-56-0x0000000000EB0000-0x0000000000F10000-memory.dmp (Filesize 384KB)
• memory/4956-93-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize 1.2MB)
• memory/4956-62-0x0000000000EB0000-0x0000000000F10000-memory.dmp (Filesize 384KB)
• memory/4956-65-0x0000000140000000-0x0000000140135000-memory.dmp (Filesize 1.2MB)
• memory/4956-89-0x0000000000EB0000-0x0000000000F10000-memory.dmp (Filesize 384KB)
• memory/4956-306-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize 1.5MB)
• memory/4956-736-0x0000000140000000-0x0000000140179000-memory.dmp (Filesize 1.5MB)
• memory/4980-236-0x0000000140000000-0x00000001400E2000-memory.dmp (Filesize 904KB)
• memory/4984-86-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize 2.2MB)
• memory/4984-84-0x00000000001A0000-0x0000000000200000-memory.dmp (Filesize 384KB)
• memory/4984-551-0x0000000140000000-0x000000014022B000-memory.dmp (Filesize 2.2MB)
• memory/4984-78-0x00000000001A0000-0x0000000000200000-memory.dmp (Filesize 384KB)
• memory/5024-18-0x0000000001FB0000-0x0000000002010000-memory.dmp (Filesize 384KB)
• memory/5024-12-0x0000000001FB0000-0x0000000002010000-memory.dmp (Filesize 384KB)
• memory/5024-278-0x0000000140000000-0x00000001404A3000-memory.dmp (Filesize 4.6MB)
• memory/5024-21-0x0000000140000000-0x00000001404A3000-memory.dmp (Filesize 4.6MB)
• memory/5096-235-0x0000000140000000-0x0000000140102000-memory.dmp (Filesize 1.0MB)
• memory/5104-227-0x0000000140000000-0x00000001400B9000-memory.dmp (Filesize 740KB)
• memory/5532-536-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5532-598-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5752-817-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5752-547-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5844-587-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5844-552-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5964-564-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)
• memory/5964-818-0x0000000140000000-0x000000014057B000-memory.dmp (Filesize 5.5MB)