Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 18:54

General

  • Target

    2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe

  • Size

    4.6MB

  • MD5

    59595140fac5c8843848b8da7033bcc3

  • SHA1

    caa674ba8880177c62ed6efa52aa62fa827039cd

  • SHA256

    145684687243b6f62d35148924eb28025cc5b8eb4146299c4682899c846e993b

  • SHA512

    03894a70216777179406a5aa4edfe6098716dff9826832c11d1788922743cf2a8a128b9a00a2aecd963cc6aa46708e57b74b7d9f3ddc9db2a5a137e5374ef7ad

  • SSDEEP

    49152:cndPjazwYcCOlBWD9rqGZi0iIGTHI6DOnIIeNxu6xl1aZt6m5xbzDI6bpsRJrAGE:22D8siFIIm3Gob5iErhG/2o3p8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-11_59595140fac5c8843848b8da7033bcc3_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x29c,0x258,0x264,0x2a0,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa650ab58,0x7ffaa650ab68,0x7ffaa650ab78
        3⤵
        PID:4852
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:2
        3⤵
        PID:1060
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:3416
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:740
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
        3⤵
        PID:2068
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
        3⤵
        PID:2692
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4388 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:1
        3⤵
        PID:4304
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:3444
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:2064
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4152 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:2996
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:5128
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        PID:5352
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64626ae48,0x7ff64626ae58,0x7ff64626ae68
          4⤵
          PID:5444
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          PID:5604
          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff64626ae48,0x7ff64626ae58,0x7ff64626ae68
            5⤵
            PID:5624
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:8
        3⤵
        PID:5428
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1576 --field-trial-handle=1908,i,14936593177937699018,2353614149447367346,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2816
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:2192
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:4708
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:3632
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1604
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4556
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1092
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3920
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:2372
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4128
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:976
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:4448
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:4788
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:4296
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:2540
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:3116
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3360
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:4988
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4060
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5004
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:3048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4652
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5172
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:5416
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5684
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:5764
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:6120
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    PID:5128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize: 2.1MB
    MD5: 1658a2c14715ccfe22d21fc1b69ee9da
    SHA1: 49ce3e35d99367c32fcfbb7b2cfd34f6269c966f
    SHA256: 5d53868cde867db24987b2ee7bf082f1928766a3f89b03344143c410936cfaf7
    SHA512: ec46a814c5576582db05406034da0a3f0c948f6ae60d705881bc97fc12b5f7af01e43bea1c645af6b1c2db30826ffa3ca67bb04d496d14e85bcca37db87ac748

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize: 1.6MB
    MD5: ae00a7a33bd5f05efb4bf8745a4bd99f
    SHA1: 6bba846e3be2c9ff0fe9c2dc71e0c2dc373b1d68
    SHA256: 594e33a705634090dd7bf5a6204b5aafe2fe91a93f9e969c15cdc8fae163dd43
    SHA512: c8de75c2b1dfaca49ebf72af79027862584e03972b3b2102db4c9fea7f9ec7fb878e7984d0b537ca1e386e4532a5f9ec32a510ebf722061e505c29b162ca3731

  • C:\Program Files\7-Zip\7z.exe
    Filesize: 1.9MB
    MD5: 9a5e6eb28dd1fc8afcc4ba7369e93e64
    SHA1: bab8803a265185abe4e1ff51e6c75ddf3f0a1c40
    SHA256: 55f60e4e05a162449d040e0027167bcd5d09759b4f040f148ef77aa627386f8f
    SHA512: cd4f9cebcc781d5374fca139b2bf4603ab536472a257af75d10d2d32517c39989db44e76f2898f9e3503a318aa6a80c6e79bbf1962853d248feda4dc806eb693

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize: 1.5MB
    MD5: 238ad58a568a63a27c88bfe6e9586bf5
    SHA1: 8f7be4f9c86caa7fc720d70c34cae0ae415a63dd
    SHA256: 17020ec45a3b548432e7f70fd2ad5a5371d375f4523f864628a41b8f37a6fa55
    SHA512: 5277d6634f6ce44649863ff2b2809a82edd3a1b98a2f010a776bdd43e9abab07f36bb0cf64988e64a8151a0e6ede1581702f6b28be0d5fa4dcb5cd7ea60d6901

  • C:\Program Files\7-Zip\7zG.exe
    Filesize: 1.2MB
    MD5: fba898d2f895288810adc7731c7a09e0
    SHA1: 88b3727a6a0c3ea2dfe85e967ae992697c16e56d
    SHA256: 43106924a9cf834fac6216b3f395ff30fe31dcd30eedb5deea7515f802de93db
    SHA512: ca3fcbc0801e26709c31178576fc8ad6820fdb7bd61c406a54bf38aad39115f27fdca118bfb711e5e074be1cac91a7a0cdb53543bafa1099ea76ae1f0ef64a6c

  • C:\Program Files\7-Zip\Uninstall.exe
    Filesize: 1.4MB
    MD5: 8a8579e7fd0e56c401c2700b00b8e9fa
    SHA1: 7e1cdc0a2dfed3f4df7b0ffc98808036f0ca2762
    SHA256: 867c0b1eb03a8390632c206321ac07e0f1baa7304f7e2f28678effd1bd5ff69d
    SHA512: 5fabf89e9f35d3a3f8b1b079989f9ea27f3ae037006799e7458625406df952c4a94e275e2a4295ad4c7cf414e116367fb894d1a9c72d21ce7eb84e14dd1d8ff2

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize: 1.6MB
    MD5: 67693c2dc6cf6c3409aea5382823b61f
    SHA1: 062574ed6a3fca2871db2f3e27d5b4bd9d67b9b5
    SHA256: ee7ea0c41349b853e012641fc33ccea0aeff34b119a2d66abaf29ef039205988
    SHA512: 38c16954b542c4c23f087c5a9f3404705b7b58fdaa61f846fb3218aac978257fdfabefa0443f1fc7cd4ed4c63ad4a617754fe7839557bd5f362d028cf23a7b4b

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize: 4.6MB
    MD5: 425509d32fe60381f0fe9f46e2cb0b95
    SHA1: 988bcac64a99498fe6b8107fbc460e33d5cc231e
    SHA256: 849de456b1f3447a8ebaf19d599773e5e74da9385b6bcde626b0b84b7a64f182
    SHA512: aa3bf889030cb1a92bca5fa8453b3324df5813d8455d2b569ca9822ed38b038881ff1946e06f563cbcb41de6c961de66115332a79e57dbeae828d8a928126986

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize: 1.7MB
    MD5: 3fbe817bb20c10696c81eaf21d0c1cac
    SHA1: f1d027d578206996d92f65e2cd992dc0e2102c95
    SHA256: b708edd20546bf53959a21bc9052ac7b4200d6d93aa359adea148f37556b94f6
    SHA512: 97b350f8e7abe9ff1d728168d5ddb40fac4d06de9168b8c1b142ded4760c82789dc96abac9491840e40478760082df5d36953cf1ecd68ffbae3574d7d68378dd

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize: 24.0MB
    MD5: 530c86293b1615f16fc33d4ab977de80
    SHA1: 966d470dee5cbe831c29523a4c7d95295d366c64
    SHA256: 8edf03c709ec33b14dc05a76ee0254abc7a9dccc37c6e07e722b14046c574bf3
    SHA512: e1e6b5bdd8593bffd726230d7585917bf8d4b01ca56ea5f1b4549024986add3b550a1443d604357cd434b3cb20be2851ba629cfaefe220c99df1b218d8d365f3

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize: 2.7MB
    MD5: 968c67c4517c16decbea5f992e70126b
    SHA1: d34330bb184f2147b0963a4ca39913f99deb88de
    SHA256: ec49c8889abfb6cf7c5197e339e132e812491290c85774787247bc2d818124ea
    SHA512: cc92806fb0c1aa30e0b83e4dbca167826b35ef6d8995bc5649996cbe7a5ce59392bcd0d4358c1d0a8b670d2311382bf0f96e10ca4ac0ac17a85b8664be147012

  • C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
    Filesize: 1.1MB
    MD5: 5cb7159c33d0fef6808b3018419cfc40
    SHA1: 8b8c12ca3af6e4c5a6892286e3fc1034ccad9c1a
    SHA256: 5b184532d21bb288e712c96f18113498b44c42e2cf69874a7a9bee3573b3aeaf
    SHA512: 8384890dde7a60e9bc19d8aba488f2b93951e1c6715bbabf5c2ca8f4e1e8d4a2ade423aabbae9b7c472ddc8ad1c0d825db24997f89fce1b2b8803cf5b5010186

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize: 1.6MB
    MD5: ee3f15fdf268c392ee127c74a1f723ae
    SHA1: 4581d4a686fabe95553a1d156edd24a3cfe17a49
    SHA256: cf353b226d39b283937dd1a0adaeada23f1684351d5c5a58909a5a41336d1941

                                              SHA512

                                              3e884cea39de9a19496cad55fdf5b6d0bd41727b1aad985a98bc834ece0a05d61e2973d6deb73d2ed5b47dc885740e31d18847b7a35aad98237d6981c6f6f835

                                            • C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              35ae245d705cfc6486a4355344f5c8d7

                                              SHA1

                                              a71e2dafe4c555f8923f3f20ba1e12301d63dff4

                                              SHA256

                                              98ba10791ef3b8f2feac82c58f4c4fa4c3db7f748735f47c9ef285585b38b26c

                                              SHA512

                                              21f0dd7fd00d4b557c1cab84180b38b9bb372949db1090ad5fa155f42df56c2c78a7ef61005547ea7d213b6646804660ece1a486da420dd3256ac9877f0e2330

                                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

                                              Filesize

                                              5.4MB

                                              MD5

                                              8f9b4ea5164d965edcb5b85c242aeb2f

                                              SHA1

                                              98264732fadcb3967fc5b4890a6e671ee869eaa3

                                              SHA256

                                              d0712e511c216b79a3d77f5a79470434a6b0b459843941205c063e13d414ae24

                                              SHA512

                                              1aa1b6ec5650487be52d3c8000bdd266b8a05f4111a1e1bb70af327da9fb4637e05f7bc513576afac1790afcfad53183a505b041c57847efe0945543fbf5cb0a

                                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

                                              Filesize

                                              2.0MB

                                              MD5

                                              3db6a466131153531d39ad1501cb66ac

                                              SHA1

                                              beb3cf0c6b465e9518aa0d9e5fde97a2cc92991b

                                              SHA256

                                              482fb1ef5e0ffdfa851fec086725a82cea2059ef1b65f55dea6727e8ce7ec414

                                              SHA512

                                              01736bf39064f1cf376153089c2554a9428bdefd37bddbed8fdd69239c176d64a5839a4db6f62e174280e1a9e245ffdf0ebc62111d9276336ee644c8ad865952

                                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

                                              Filesize

                                              2.2MB

                                              MD5

                                              60294e18541879e8b2e15032cdefdb3c

                                              SHA1

                                              f6a02df619cff360b6439246f470a4227b568b2e

                                              SHA256

                                              db442ad3fcd16075298147b7ddf1a86ef8b8795777ca813618a919224d807eb4

                                              SHA512

                                              e64f41b7a05e6a1de239905cdeb6763fc4639ffc34f73d23e0c6441b6b38c3db4520c299f9e1d907fc5a2caca2e4078d80549ca36dc80d4163ab5f811ba51594

                                            • C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

                                              Filesize

                                              1.8MB

                                              MD5

                                              30fc62b27c14b739ff13234a6693c499

                                              SHA1

                                              feceaf607618203dc4cd36b354af710c89441e39

                                              SHA256

                                              3b0bc0a6bfca6f3393e0762b9cfacffc3e15e2d6d6a6c05bda0ebf6372eae430

                                              SHA512

                                              50be4088a2a0559a31a7434bc105f4a41cb843a9b8f3491be39a756a9332e00973524d9a5b93593acf5f913df9d2b39efbfdf08424dd7c905072d4bf23a4a857

                                            • C:\Program Files\Google\Chrome\Application\SetupMetrics\a7b24af3-f8cb-4601-adc5-d39870bd6028.tmp

                                              Filesize

                                              488B

                                              MD5

                                              6d971ce11af4a6a93a4311841da1a178

                                              SHA1

                                              cbfdbc9b184f340cbad764abc4d8a31b9c250176

                                              SHA256

                                              338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

                                              SHA512

                                              c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                                            • C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              6fb393a65d1f731dc33d6701c658fd34

                                              SHA1

                                              be8d3fc98af3e3379f118af850cf5ed47354c6cc

                                              SHA256

                                              ae282e5b6ffe2ea1325eabf6416bcabb6c3076272515b83bb8734edcebe9395a

                                              SHA512

                                              ef44047f6e5116ba7865fc73c6d018fed6b386a07c5e56dd11371998cfde78fb6defb4a1f955a8fffab9b825ae7b5ceaf01c572a356a641dbe3123897e00a440

                                            • C:\Program Files\Windows Media Player\wmpnetwk.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              0dbf65bc790e7ceabd2641b224612ea8

                                              SHA1

                                              9732c37281b2a169a06131abc2d164d0ea2e1fe1

                                              SHA256

                                              5aeb998e7d78f0ae2fc13d457acb222c026af4cd401c4f1b2c6e5265ba538b4a

                                              SHA512

                                              f49f77c3ff482b1353dc06f79114821fa8f828e21706a63e6a7e34178329cfd87e8bd17fb1bc5225d783d228e6fc702ad10105cc1604113ae6415ed702a7ada0

                                            • C:\Program Files\dotnet\dotnet.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              57eeb9b116b01876ab77cade335b889f

                                              SHA1

                                              dfc659a45e4461b9643fe3cf833f846698eaeeb9

                                              SHA256

                                              7168c0c45d1495bf9050fc5bcfc7ce7d044fc9a9be218e2fb5ace6abdc143ead

                                              SHA512

                                              1c21132c0c52c0edf7429448419e555154aeedc0f7c45268c7e7e93b5e5fc974effc97127a365a4a5a90eb2a4d35f74024f3d732d988cfcd857c87fdf9fc4824

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                              Filesize

                                              40B

                                              MD5

                                              6123155f7b8a202460ac1407e231fbf4

                                              SHA1

                                              13121f6000a380f6621bcb8dc7c83f9cd10ab626

                                              SHA256

                                              dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c

                                              SHA512

                                              ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6cdff3b0-3c2d-4f0b-b7f8-f6cbe43f3181.tmp

                                              Filesize

                                              5KB

                                              MD5

                                              5e43b56a90c68ed9e121355321347d41

                                              SHA1

                                              3a4993e6bebc9954fbec67e57d5cb52457ad90f3

                                              SHA256

                                              c08651c7925936940f848a38f70286973dbb2a9c8bf27d8cb56d0d68359043e6

                                              SHA512

                                              d403d6625986a3198253a08cc91c5fd1cca2bc15012186e07b8cd980372dbdd96e52c4090691de35b3b75302631f69129f3ed26e8d78490dde48a0b11192d154

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

                                              Filesize

                                              193KB

                                              MD5

                                              ef36a84ad2bc23f79d171c604b56de29

                                              SHA1

                                              38d6569cd30d096140e752db5d98d53cf304a8fc

                                              SHA256

                                              e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

                                              SHA512

                                              dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                              Filesize

                                              1KB

                                              MD5

                                              03dd9ec6829cd9e6976c93b4db78fb1c

                                              SHA1

                                              aaf3db367decfa7a48d6b4323dd81dd84f6704a7

                                              SHA256

                                              4e5c6279d3ae6bf4c872f2b160a5e2c8bf031d7bbd87a5f850136290d7eab35c

                                              SHA512

                                              268571c9de2209b64bac2a196df0a34ff32d3f294b15e4757041c718c6b37ec409651a5b706bdc67b84930abb6bd544ba8db834c3b7babb8262322dba68422b6

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                              Filesize

                                              2B

                                              MD5

                                              d751713988987e9331980363e24189ce

                                              SHA1

                                              97d170e1550eee4afc0af065b78cda302a97674c

                                              SHA256

                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                              SHA512

                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                              Filesize

                                              354B

                                              MD5

                                              712f4a490fd4575e4526d769989aab0c

                                              SHA1

                                              bba1f843cbd9f5ef5e76ecb6e9f5dcc64f1a861c

                                              SHA256

                                              92d2c0cf1c80b512b5836cf78d35549ad8e45cea63afb7eabed72e1274ad7f01

                                              SHA512

                                              0b805b1e33a4f91d9562e71fca5a1abac512f00576a65206fb5a5757ecd548bbea4b66f0c902d0c58c4da95494e6d338c1ca2643e07c9b9f6ab3a985f3978799

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe575e1e.TMP

                                              Filesize

                                              2KB

                                              MD5

                                              80c9ece824708be3255fd46fed4fa84b

                                              SHA1

                                              6ab10396c88f4760224c2820d198207c54f01266

                                              SHA256

                                              1f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336

                                              SHA512

                                              c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                              Filesize

                                              16KB

                                              MD5

                                              9e8caddcd604efd7109cb67a889bb0f0

                                              SHA1

                                              1a9f2db88e74f78374566475f316b8a7ea86c60b

                                              SHA256

                                              49cfd2562307c7c3f921aed6a6aa6082a25915c891a4bac47f1b096a19f79c54

                                              SHA512

                                              3498bbd13e19aed1149c5324dd0f7724c69d52861bbbfb2b29d770ca5c10aff60bc7ae87afb3c94e86ab8fe5675a28a4c1dffac82c7b6aebd0d9eb0fb0c0e937

                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                              Filesize

                                              264KB

                                              MD5

                                              dcd1f57c2b4a8f9030ad563203774a7b

                                              SHA1

                                              b8226ac2eab4cece903618d36195d6e5b45f04b7

                                              SHA256

                                              091abba75698b07a851b3a2c763aa65b8139573df15939f72c20bb34a7c45b4b

                                              SHA512

                                              4fbb26e7d06b283daae4ff3ce82c4b95af0cb9b9bae2def033894c4b0628b4b326a8bac654ece3caf6c84f1dc29524d5a97c52ec4dd640679a5f4b6e1ef35416

                                            • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                              Filesize

                                              7KB

                                              MD5

                                              0396a9dc8a57c3632ce199234f3ea101

                                              SHA1

                                              2ea5c2d8cacac561c906beeed30657aa9f20d94c

                                              SHA256

                                              d9148fad45a9e0c0db6502648e59df1a045872a55b4be54621881a497f82f6d9

                                              SHA512

                                              3cb2854e734fec607af8f47014feacad581a824bd7f6a149cd7540d369a331f140669fb7ae4cb3707ecb5942e12edfca7dd4c32eb612f091f5bdac69fcda765a

                                            • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                              Filesize

                                              8KB

                                              MD5

                                              414f580a6789fca2d468fa5d59c4229e

                                              SHA1

                                              4f1173c3372b9079a4225a0e308731da3632d650

                                              SHA256

                                              96b3fa587f0dcced2d60c7060e2bdd9dee3fdd9ed684a603b13c882632bffea8

                                              SHA512

                                              1f389f1d8f9dba9098942f0c4023ffa7227cd0d3dacfc2d5eefa72b840db68a5d8ec139b0a51116ccd54c9fd8b659a3dd15337847d4790e3d966f4c2b862d887

                                            • C:\Users\Admin\AppData\Roaming\948dd73d92be0f3e.bin

                                              Filesize

                                              12KB

                                              MD5

                                              e395d52f4ad4aedb6aaacf70a9eb4bee

                                              SHA1

                                              aae19b484cda48e6ba3ec3eed9c0bce54db7bd2c

                                              SHA256

                                              76d75be72e5e19ca8fd242386f6612f9abbed9dfce7af4999bbc9b09766aeca1

                                              SHA512

                                              c5c389dbb1ed8947fe574f5ab8d98f85e9aa29ee9c279a30780a66477cd94da43f588d8ebff72c93a55595fbf70c42e78bb9a9ffa1945c15bd0febed6cafdba6

                                            • C:\Windows\SysWOW64\perfhost.exe

                                              Filesize

                                              1.4MB

                                              MD5

                                              115f6dedf417ee698d764718e8088a8c

                                              SHA1

                                              cf183222d20fc35bb8dc9e8a444f4638c1e3ed27

                                              SHA256

                                              305799fc0e7cda5612ae2651fbeed269c6ba079f75d965897a73ae3abdf6d7da

                                              SHA512

                                              9f9d8d1aaeb1cc488b22062026d5b1f2016b55920cfe0c75ae8e5436eb904fe220fa26de559ca3218407de76682ab8c2b765a03eb45ff7ecd8babfaaa119c5f6

                                            • C:\Windows\System32\AgentService.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              1e6811fc711d9b1135c94002b47db837

                                              SHA1

                                              25d523a7dd8577c8b2b9474e45493846fbbe23bc

                                              SHA256

                                              f141914ab4086dca1ef5d0ecdd05c07c42b5ff7d94af6d1b0604ceae16df4d43

                                              SHA512

                                              ce2ae3a5261a14c03feae0612bec8704a003e8e2d91823e5e0c706e40a134ccaeff0ec677ea90548c8a7c42df4cfb6391c7b8c32a79f1edc0b6bb40bbeef1f32

                                            • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              b2ea0701243edc9a43185f5c5d315240

                                              SHA1

                                              1b690409fd90f44a7273c368184ab43114b1b32b

                                              SHA256

                                              e2a95c5c4696fe90cd2148fb6aff26a1a7f023f6a8e94fc4e165aec002a8db35

                                              SHA512

                                              ac05bf47482cfdd0ff85f9a615b36abc40089ad596fc6f7423821d64d60d033b2e02f31ac66732d08767d359318e525a5d8310391a643f3bf1c3536cfe930910

                                            • C:\Windows\System32\FXSSVC.exe

                                              Filesize

                                              1.2MB

                                              MD5

                                              9f8cdb324ab9a2bdd8a3ae8f6f0fc823

                                              SHA1

                                              6317d36a24ceea22c1ea5810eebe11413f00dd1c

                                              SHA256

                                              9e309bd368a48f6ccd92e27280a250d981eaf9980ffe7570f7749ed1c1b30b60

                                              SHA512

                                              cf998845764ef628cb26b809b79f83477216ca35d575b06a28e159a98dcc65f999168e6276de80baac5fcce496422d842b6edf55b7fdc5d1c7635eb63eaac0c6

                                            • C:\Windows\System32\Locator.exe

                                              Filesize

                                              1.4MB

                                              MD5

                                              8357a83bceec0fdb15456d954a15400e

                                              SHA1

                                              d345a7db5bba48826b3fcc7caee43e165f9fc17a

                                              SHA256

                                              594b0e32c57c84cf8ff352191aa56b91ed3781d945a27886f8dc628ad0fd5b74

                                              SHA512

                                              775a56a2d1c42a41a3a7e57bf43a7934aa4df6da9e63750b531933ff0c6d945c185efcea2700f13316ee773506ebd9f6072bc12e6a0b3c41d3ccb6cf019b2e61

                                            • C:\Windows\System32\OpenSSH\ssh-agent.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              02bb0a1da4ae86267ea55adb79285d6a

                                              SHA1

                                              a5af9ea917beda40701ea54501ee56dca5214970

                                              SHA256

                                              5d0bcb85e9a8df81b25979491163ca02e81af7f33373f841024cdcc13fe7ef7a

                                              SHA512

                                              3e408a7cb234ae5b389cece0aa96e4125bdbd0f540e31e006768a20954af4d58aaa48938f1e1c30396e204f0c1865147811b52e0adf314247009d0caa6556644

                                            • C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

                                              Filesize

                                              1.5MB

                                              MD5

                                              5b2b0e4949d34821c8ca8b9c4f0bc0f7

                                              SHA1

                                              503c0d612cd6de070775e7c036b9d0c65831d465

                                              SHA256

                                              5a9606261edaee9722a3bf8c4ff40985b40ae046053f978173f1c9ce4a6a9e76

                                              SHA512

                                              ab7067cfb7f7b39d89df8c17e2adbd4f8afced36eda4711e684210def47fa092b1f7a64eeb3e09a2cddb4c490e8a105f1ac246ead6f15a738977431ed2732eaf

                                            • C:\Windows\System32\SearchIndexer.exe

                                              Filesize

                                              1.4MB

                                              MD5

                                              34564a4297bf49eab94cfed02104e95e

                                              SHA1

                                              d1fd29da308cca94e3a474930d17cc39fe214f3e

                                              SHA256

                                              d94ed229041c675f05f7143677e2c7c8e1f298f6c8a7a71f9e64365611e3beb4

                                              SHA512

                                              d1dfc05599f7a220f9073af9234073ec9b30e79db03e81d2436837d4c91ca354cd88712841f2009fbc1f0c4018772d1c369f2828616b80b55f3d3f9c01ee1af4

                                            • C:\Windows\System32\SensorDataService.exe

                                              Filesize

                                              1.8MB

                                              MD5

                                              6c6bfba1795f52174564bc8e85308297

                                              SHA1

                                              37f850c7a2213e24f04ef02188314ac6b8cc2118

                                              SHA256

                                              6106ff7a73b42c71bb079b29e2f2bcb3f9f9b2461ee35d67649a7915fc58b286

                                              SHA512

                                              26aeab0fd5ba37a99f6ff6d6112633ada4c50e1080795dcdfcecb8d79a82863b5dc9b6b96abb2ae5b11ea973d1fc0c8c8a7eb3d1d30007acc40cc97626d80bf5

                                            • C:\Windows\System32\Spectrum.exe

                                              Filesize

                                              1.4MB

                                              MD5

                                              2681953bec0c339d671516d824bdb316

                                              SHA1

                                              ae3b48f09e3e4bbaa8afba2047119074fa93b7f4

                                              SHA256

                                              6df73387d52fc0b0d58e38ff45f17e1945a299e99e9c22871a7ccdbbe274fd73

                                              SHA512

                                              ff04a6766d2630d46b7db940894b110d9287ea1cb672e100d5b527660bcf968bc814fa1d64ce996b4b4a76c247e7c0173efacee1244a43b91e8ba703cedaeb4d

                                            • C:\Windows\System32\TieringEngineService.exe

                                              Filesize

                                              1.7MB

                                              MD5

                                              630beadf7043e11a5eb24e34b61cfc9b

                                              SHA1: 373c5b46747cce1b1ef3a0097dc43113bc03940c
                                              SHA256: eddafc2fcdfdf9d08bc07c2772c35051ea5331553d842c21ae151577472a4d57
                                              SHA512: c580eb760271cb362774442cc1b2d1cc4593cad705215135fc40512cd3da55c86bc99fe18676b6570ff5162802c50b4620f433742577b0f99c1f862c1c8cc1bb

                                            • C:\Windows\System32\VSSVC.exe
                                              Filesize: 2.0MB
                                              MD5: 9ee5a2a02e68e44f8fb5278fae6f07f5
                                              SHA1: f65607b5e7e7516322df79eafe41a7d25d1e0e49
                                              SHA256: 7d8854f8610d4784fa17e3115f4377b516739c9b53acc4c0f125670c92d1afcd
                                              SHA512: 3746fb0048a55cfc564f91f971deb30e4de5ae330ffa81ec089a4b39016316bef90fc1f6198b0a9327d63c1da48f94be6fec88f26f97521f330ad40a7406b623

                                            • C:\Windows\System32\alg.exe
                                              Filesize: 1.5MB
                                              MD5: dfdac4103b25f9c96223e2f95f2884df
                                              SHA1: 8904474b4c6a2659dc738c1c7dc2f2b3b90855ce
                                              SHA256: 52aafeb92865efee3dc1f6c55d69fbb411226529d5d54a4da22fff8f0fba823d
                                              SHA512: 4ba67dea55dfc6414317a66782b1dbac6a7d02418c0f092e750335af438c0a894f8329939b189d2c1d6d273b2fca3f8d220fbd2be726e5a33d8f6214f85a30e8

                                            • C:\Windows\System32\msdtc.exe
                                              Filesize: 1.5MB
                                              MD5: e7ce5bde054b741cbf07a7615ec62f84
                                              SHA1: 585ea0249f0568c91d42af644f0004ff2cb848c4
                                              SHA256: 573c43d9ca703542646be992090acfebbf34db687f3a3aebbdd8210c44ca8d59
                                              SHA512: b9c9cdfe3a483e34c6a5b93dc3396215ce30432ab71ff9e369589595906f478cf8508805a3421a6c000d630dec871e47cb6e29f7e533a0873f589c466f03659c

                                            • C:\Windows\System32\snmptrap.exe
                                              Filesize: 1.4MB
                                              MD5: 451ec86d4259910bae1c9c8b0b051bb1
                                              SHA1: d381af8b013fe1cfd0ba6f955d6c75a6c729e2ce
                                              SHA256: 3a7b8b1ef36ca71c20ad0cb4ed2ecdfacd2bc2af7c539baea468779fab19433b
                                              SHA512: cf44d7e2a1afcd12f2fa230532ab86302c0c7c085d30f63185e9844bc65ebae1bfd14231107cbad81a9f0d37688499bd1125667a728b2ca32411bed023c2ac90

                                            • C:\Windows\System32\vds.exe
                                              Filesize: 1.3MB
                                              MD5: 1f33d8610e093d10301325c73a776606
                                              SHA1: f0d523b3f0be289698bf6eecd93784f4100e3559
                                              SHA256: 887429bab73001bbb9aef5e0f97f0b604bbb0fe8d421be13d2ea45626c721ec9
                                              SHA512: 3c4251fc77a4b49019ac82de8319e86d8a4e9f06f6ea5647ff1c826f1e9e697abd2d791176f722ed8bccc39cb40621828c3c28c461f924ba61dd801dea4b6e8a

                                            • C:\Windows\System32\wbem\WmiApSrv.exe
                                              Filesize: 1.6MB
                                              MD5: acdc85613a9a2351be266971446efb6d
                                              SHA1: 370d4fb8151c000c8a49964bb20811774c9c5427
                                              SHA256: dc5e1e96731031725928b987cf1a2f2bd2d6fe8ec864b15808d4e26640f21ca4
                                              SHA512: f08c1ef8814fa84fa1dd68fec3a3cc9e3afda7f20bbb851bd742e7c575303291541fccdd19d72c59b191f8d28efc9a35758aee1309d19eb870ac7425a72b4d40

                                            • C:\Windows\System32\wbengine.exe
                                              Filesize: 2.1MB
                                              MD5: bdf648d80d41eff9ffc4b9d16ebaa96e
                                              SHA1: 07aca5704238f1ac871b834881d0b74b25a4103d
                                              SHA256: 024f366a8c2db4a20794908aed789e4474ece2011923a5c365fa5eed081cbed2
                                              SHA512: 5cc697360750f5b942b2c857a9fd3a839505c7bf0e914864f547a5752038e925bb4dca23d6d708221433f43096f774023b8ab42f097277ca638fa39e722afe28

                                            • C:\Windows\TEMP\Crashpad\settings.dat
                                              Filesize: 40B
                                              MD5: f8da1e3912337378c0f722f616cf6aaf
                                              SHA1: 22482c3e69a3b76d24d4e88d30e345654afd0338
                                              SHA256: 342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b
                                              SHA512: b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47

                                            • C:\Windows\system32\AppVClient.exe
                                              Filesize: 1.3MB
                                              MD5: b0264c7e9f1fd3f7dbfb1aaa385efd78
                                              SHA1: e4b38be95141b70c0c74a19c45eabf900c3048d4
                                              SHA256: 91159fcc8ce1933a8da929c8ad1d3a01c4eb455aa86e2177e87efe0b572e5696
                                              SHA512: 700ee266e29850c4c8ae04443571564cb2c45f319d2b7d9ba9c4b963d0a9d82bb659a6057eb569b593bbd84d424ef523a59a5ed21cb43276137e21f42bacf503

                                            • C:\Windows\system32\SgrmBroker.exe
                                              Filesize: 1.7MB
                                              MD5: 89c15cbf9b5890f6f9cdfe21d4031acf
                                              SHA1: fbc4ae2903089b12e9d00439ebab5b1521e6cf70
                                              SHA256: b616ae69abd1336d6174b9f3edf1b56d2599631d9d51c408328a0a562e11a782
                                              SHA512: 6d3359a3e25972c5d6245610cbcbca952aefe2c1781503c2cff575b1e552a600ea7c10f0f7ed444ca8a18b7c472256f2f238a1a43d3f69ff45d801c30efad538

                                            • C:\Windows\system32\msiexec.exe
                                              Filesize: 1.4MB
                                              MD5: 36ddf36093a0992222ebe8fb47adbb6b
                                              SHA1: 2367f872d84a1ded613b95d1606dd0c59a7ecb47
                                              SHA256: ad38ffca3be8ef81045294f83cfc818a016cdf2a26bb3d981d2f425969631054
                                              SHA512: bdce24c0a37aa4be0ee3b7a318a568da623cbb8d2299f39f501d09ed9611f9cac0798e9f66ad0f60abee757578d4490410ca90bd46789af118219eaacc34c61b
                                            • memory/976-310-0x0000000140000000-0x000000014024A000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/976-159-0x0000000140000000-0x000000014024A000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/1092-92-0x00000000001A0000-0x0000000000200000-memory.dmp
                                              Filesize: 384KB

                                            • memory/1092-90-0x0000000140000000-0x000000014022B000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/1092-260-0x0000000140000000-0x000000014022B000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/1092-84-0x00000000001A0000-0x0000000000200000-memory.dmp
                                              Filesize: 384KB

                                            • memory/1604-58-0x0000000140000000-0x0000000140135000-memory.dmp
                                              Filesize: 1.2MB

                                            • memory/1604-81-0x0000000140000000-0x0000000140135000-memory.dmp
                                              Filesize: 1.2MB

                                            • memory/1604-79-0x0000000000730000-0x0000000000790000-memory.dmp
                                              Filesize: 384KB

                                            • memory/1604-65-0x0000000000730000-0x0000000000790000-memory.dmp
                                              Filesize: 384KB

                                            • memory/1604-59-0x0000000000730000-0x0000000000790000-memory.dmp
                                              Filesize: 384KB

                                            • memory/2192-188-0x0000000140000000-0x0000000140249000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/2192-40-0x0000000000610000-0x0000000000670000-memory.dmp
                                              Filesize: 384KB

                                            • memory/2192-39-0x0000000140000000-0x0000000140249000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/2192-27-0x0000000000610000-0x0000000000670000-memory.dmp
                                              Filesize: 384KB

                                            • memory/2372-133-0x0000000140000000-0x0000000140258000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/2540-220-0x0000000140000000-0x0000000140235000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/2540-562-0x0000000140000000-0x0000000140235000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/3048-294-0x0000000140000000-0x0000000140147000-memory.dmp
                                              Filesize: 1.3MB

                                            • memory/3048-601-0x0000000140000000-0x0000000140147000-memory.dmp
                                              Filesize: 1.3MB

                                            • memory/3116-581-0x0000000140000000-0x0000000140169000-memory.dmp
                                              Filesize: 1.4MB

                                            • memory/3116-245-0x0000000140000000-0x0000000140169000-memory.dmp
                                              Filesize: 1.4MB

                                            • memory/3360-258-0x0000000140000000-0x00000001402A1000-memory.dmp
                                              Filesize: 2.6MB

                                            • memory/3360-590-0x0000000140000000-0x00000001402A1000-memory.dmp
                                              Filesize: 2.6MB

                                            • memory/3920-117-0x0000000140000000-0x000000014026E000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/3920-102-0x0000000001A80000-0x0000000001AE0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/3920-110-0x0000000140000000-0x000000014026E000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/4060-600-0x0000000140000000-0x0000000140281000-memory.dmp
                                              Filesize: 2.5MB

                                            • memory/4060-269-0x0000000140000000-0x0000000140281000-memory.dmp
                                              Filesize: 2.5MB

                                            • memory/4128-145-0x0000000140000000-0x000000014026E000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/4128-298-0x0000000140000000-0x000000014026E000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/4296-589-0x0000000140000000-0x00000001401D7000-memory.dmp
                                              Filesize: 1.8MB

                                            • memory/4296-351-0x0000000140000000-0x00000001401D7000-memory.dmp
                                              Filesize: 1.8MB

                                            • memory/4296-190-0x0000000140000000-0x00000001401D7000-memory.dmp
                                              Filesize: 1.8MB

                                            • memory/4448-333-0x0000000000400000-0x0000000000636000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/4448-166-0x0000000000400000-0x0000000000636000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/4480-24-0x0000000140000000-0x00000001404A3000-memory.dmp
                                              Filesize: 4.6MB

                                            • memory/4480-18-0x0000000002080000-0x00000000020E0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4480-165-0x0000000140000000-0x00000001404A3000-memory.dmp
                                              Filesize: 4.6MB

                                            • memory/4480-12-0x0000000002080000-0x00000000020E0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4556-149-0x0000000140000000-0x000000014024B000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/4556-71-0x0000000000D40000-0x0000000000DA0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4556-69-0x0000000140000000-0x000000014024B000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/4556-77-0x0000000000D40000-0x0000000000DA0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4652-307-0x0000000140000000-0x00000001401FC000-memory.dmp
                                              Filesize: 2.0MB

                                            • memory/4652-636-0x0000000140000000-0x00000001401FC000-memory.dmp
                                              Filesize: 2.0MB

                                            • memory/4708-52-0x00000000006B0000-0x0000000000710000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4708-219-0x0000000140000000-0x0000000140248000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/4708-45-0x00000000006B0000-0x0000000000710000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4708-54-0x00000000006B0000-0x0000000000710000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4708-51-0x0000000140000000-0x0000000140248000-memory.dmp
                                              Filesize: 2.3MB

                                            • memory/4736-0-0x0000000002070000-0x00000000020D0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4736-8-0x0000000140000000-0x00000001404A3000-memory.dmp
                                              Filesize: 4.6MB

                                            • memory/4736-25-0x0000000140000000-0x00000001404A3000-memory.dmp
                                              Filesize: 4.6MB

                                            • memory/4736-9-0x0000000002070000-0x00000000020D0000-memory.dmp
                                              Filesize: 384KB

                                            • memory/4788-189-0x0000000140000000-0x0000000140234000-memory.dmp
                                              Filesize: 2.2MB

                                            • memory/5004-283-0x0000000140000000-0x00000001401C0000-memory.dmp
                                              Filesize: 1.8MB

                                            • memory/5004-272-0x0000000140000000-0x00000001401C0000-memory.dmp
                                              Filesize: 1.8MB

                                            • memory/5172-637-0x0000000140000000-0x0000000140216000-memory.dmp
                                              Filesize: 2.1MB

                                            • memory/5172-319-0x0000000140000000-0x0000000140216000-memory.dmp
                                              Filesize: 2.1MB

                                            • memory/5416-638-0x0000000140000000-0x0000000140265000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/5416-335-0x0000000140000000-0x0000000140265000-memory.dmp
                                              Filesize: 2.4MB

                                            • memory/5684-352-0x0000000140000000-0x0000000140179000-memory.dmp
                                              Filesize: 1.5MB

                                            • memory/5684-639-0x0000000140000000-0x0000000140179000-memory.dmp
                                              Filesize: 1.5MB
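The listing above is a set of host indicators: the dropped files are written over Windows service binaries under System32 (VSSVC.exe, alg.exe, msdtc.exe, snmptrap.exe, vds.exe, WmiApSrv.exe, wbengine.exe, AppVClient.exe, SgrmBroker.exe, msiexec.exe), and the memory dumps that start at 0x140000000, the linker's default image base for 64-bit PE executables, are consistent with the in-memory images of the spawned processes (the 4.6MB images in PIDs 4736 and 4480 match the submitted sample's size). The Python below is an added example and is not part of the sandbox report or a tool of its vendor: it parses the listing (both the label-on-one-line, value-on-the-next layout the report is rendered in and a "Label: value" form), separates dropped files from memory dumps, and hashes the listed System32 paths on a host to find any that still hold the dropped content. SAMPLE_REPORT is a constructed excerpt: the VSSVC.exe and memory/4736 entries copy values from the page, while the "constructed-example.exe" entry and its hash (that of an empty file) are invented so the sweep has a verifiable hit. All function names (parse_report, system32_drops, image_dumps, sweep, read_from_disk) are mine.

```python
# Added example, not from the report or the sandbox vendor: parse the dropped-file
# and memory-dump listing above, then check a host for the listed hashes.
import hashlib
import os
import re
from collections import namedtuple

# Constructed excerpt: the VSSVC.exe and memory/4736 entries copy values from the
# page; "constructed-example.exe" is invented and carries the SHA256 of an empty
# file so that sweep() has a hit that can be verified offline.
SAMPLE_REPORT = r"""
• C:\Windows\System32\VSSVC.exe

  Filesize

  2.0MB

  SHA256

  7d8854f8610d4784fa17e3115f4377b516739c9b53acc4c0f125670c92d1afcd

• C:\Windows\System32\constructed-example.exe
  Filesize: 0B
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

• memory/4736-8-0x0000000140000000-0x00000001404A3000-memory.dmp
  Filesize: 4.6MB
"""

HASH_KEYS = ("MD5", "SHA1", "SHA256", "SHA512")
FIELD_KEYS = ("Filesize",) + HASH_KEYS
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
X64_IMAGE_BASE = 0x140000000  # linker default ImageBase of 64-bit PE executables

DroppedFile = namedtuple("DroppedFile", "path size hashes")  # hashes: label -> lowercase hex
MemoryDump = namedtuple("MemoryDump", "pid index start end size")

def parse_report(text):
    """Split the bullet listing into DroppedFile and MemoryDump records."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # a new artifact starts
            current = {"name": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue                             # text before the first bullet
        elif line in FIELD_KEYS:                 # bare label: value is on the next line
            pending = line
        elif pending:
            current[pending] = line
            pending = None
        else:                                    # "Label: value" on one line
            key, sep, value = line.partition(":")
            if sep and key.strip() in FIELD_KEYS:
                current[key.strip()] = value.strip()
    files, dumps = [], []
    for e in entries:
        m = MEM_RE.fullmatch(e["name"])
        if m:
            pid, idx, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(idx), int(start, 16), int(end, 16), e.get("Filesize", "")))
        else:
            hashes = {k: e[k].lower() for k in HASH_KEYS if k in e}
            files.append(DroppedFile(e["name"], e.get("Filesize", ""), hashes))
    return files, dumps

def system32_drops(files):
    """Dropped files written under C:\\Windows\\System32 (compared case-insensitively)."""
    return [f for f in files if f.path.lower().startswith("c:\\windows\\system32\\")]

def image_dumps(dumps):
    """Dumps that start at the x64 default image base: whole process images, not heap."""
    return [d for d in dumps if d.start == X64_IMAGE_BASE]

def sweep(files, read_bytes):
    """Paths whose current content hashes to the report's SHA256; read_bytes(path) -> bytes or None."""
    hits = []
    for f in files:
        expected = f.hashes.get("SHA256")
        data = read_bytes(f.path) if expected else None
        if data is not None and hashlib.sha256(data).hexdigest() == expected:
            hits.append(f.path)
    return hits

def read_from_disk(path):
    # read_bytes callback for a live host; None for paths that do not exist here
    return open(path, "rb").read() if os.path.isfile(path) else None

if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for d in image_dumps(dumps):
        print(f"pid {d.pid}: image at 0x{d.start:X}, {d.end - d.start} bytes ({d.size})")
    print("System32 drops:", [f.path for f in system32_drops(files)])
    print("files on this host matching the report:", sweep(files, read_from_disk))
```

On a live host, parse the full listing instead of SAMPLE_REPORT and call `sweep(files, read_from_disk)`; the result is the System32 paths that still hold the dropped content. Two caveats: the report's Filesize values are rounded, so size is not a matching criterion, and no hit does not clear a host, since the replaced service binaries may differ between infections. Checking that those files still carry a valid Microsoft Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature) catches a replacement regardless of its hash.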