Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 11:37
General
-
Target
2024-05-24_5471339b1623b31d374dd72eca8b0f18_ryuk.exe
-
Size
4.8MB
-
MD5
5471339b1623b31d374dd72eca8b0f18
-
SHA1
1719031c0b9d4cea37e9014f2e2d90ce543b2ca5
-
SHA256
4aae0ed50e446fb9357c24d90ace26a57f43e5a8cba3a219164b033adbe956b4
-
SHA512
8c78710a4cc506970db823a82f67aeab1e8a8803b728e0223b1b28033a00ac514f3590fa2d520e03588aa85ebfbd56a24c1e77058df3ff76516048c2b3eda465
-
SSDEEP
49152:nLFo9F8Wo7L8ttMfnIy2r2Kbq3xfs3zPvGAHVhs0BkjdExEfsvm7oEaFWmDLOHui:I8jbIprZbqhhdEef6r0s3D527BWG
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_5471339b1623b31d374dd72eca8b0f18_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_5471339b1623b31d374dd72eca8b0f18_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_5471339b1623b31d374dd72eca8b0f18_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-24_5471339b1623b31d374dd72eca8b0f18_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=97.0.4692.71 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x1403c1448,0x1403c1458,0x1403c14682⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc001fab58,0x7ffc001fab68,0x7ffc001fab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4252 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1964,i,870559480397426517,5271097602846985260,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exeFilesize
2.1MB
MD584fcec8e5bfaba1e71c697c789124a37
SHA1111c860577c417570e08d40349275cda31608552
SHA25649db3caab570054ad5a92138b53435e95876ff09585180af81a3651b86fa47d8
SHA51270313e562470c8893b99a3b4fb0d0af5eaddcda98d35bb26de5b630a1b2c52dc01dfe106d0584c449b4717f0266380d727dbfcc0f306d2bf2a7714214228bda1
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
1.4MB
MD50d72a11a3dd3fca90e7474d92ffb7967
SHA1082a8061a3609c1d0de08477016880b1d8a1381d
SHA2566393132c5c2d0ab18b5cea78c936ae62f10ee14d6a1053257790f20e51cfed92
SHA512164b1e99309f69b567bbcb852b9ad54cf770e388176ea82f96a5488de5eae559822684eba19f1057a60f017ddc430e3ac41f20d6b098be6cd5069c9e086b1191
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
1.4MB
MD5b05b42ccdf1e9db99c7092617057a91a
SHA107f74581c23beb815531123974b530e682c25ec5
SHA25679bb5e407f34b5c9001f6a058169e9cbf875694d2d3d1544dafc89fb3818f8bf
SHA5123d11dec262b2797ccf753d429fd3835e5bc9de3a5d8d97a806c4d3e5ced659287856ee4b9a4bd032a18bb3a3d43c403ba9e0c346dbbfe781981064d10bffd215
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD589cd521cee9ba6f3cb0875d9cfdb7281
SHA18f3737b0c8ce60672d3f1d14e42d33709a422d10
SHA256080cc933f09bcafffb9b75e4ee13cb865a125d16c577defa92502373c87816b0
SHA512bcd126e2e2f705a3b0b0eb9d15595ecfe28c3eb646057ad5cf4d9389f802ab46716918213d69415ad0971cface243531cda99067d3768b38434d4c2e300b7ec1
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD5f7e58ab3022053183b202b23fa2ef02b
SHA1fc58375b187c53cb90a4f7351393359672073216
SHA2564c5fa5f4839d20a4dcb3a50fbb22c404c2253b384de131f80a28b1f16176fafa
SHA5129e355fb8117052295281abb3e06c58cdd155186515a1ca52b57bac60af063fa4fe3354df04224f422616980ea882f9b9faa90a6139baa870c4a16135f13fd73f
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\2bb4f96f-a263-4eb5-b33d-19d6e240a0cb.tmpFilesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD523e6ef5a90e33c22bae14f76f2684f3a
SHA177c72b67f257c2dde499789fd62a0dc0503f3f21
SHA25662d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA51223be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD53c13cb60b1403f16bbf29859371bcbb2
SHA1f1751eb95450a0f57b0c0fd8bb7ab8d5b4d36300
SHA256e086fe2ef2d35b279245d950ace26c3a56a7b79ddae6d0df521cfc803a88d545
SHA5123b3cd8f5d2d48c8124ac9053439e838b1f6b8474647f74c816e6bfada8def505879f2fe52481fc996e313dc2a1671fc81b2e01edfd21648fc5837ab1f66c44f4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD54d1775560342f62439ab44ee52283def
SHA168a1b066e03ce21c0de7ef40ad1e2ee6389c34ec
SHA256670132ee9c2c03d16f84d4812899c91ff2369d398b90947f529cad5c8b895da5
SHA5129ce2c4fd4c28f236c7b9df8b8cf2f09cd1dcdb77d06b5792e0fc474e02b7ab0725ee005505b072684b7b66360845348578c8c9b27848963ab0fce2c07263c88a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5d362d18b289ac56e14bec08bac3735a7
SHA12499423f9ade73890e521ec8053cd4dd3200b449
SHA256e658c6109a5dfcdabd2f0850054ebf7feb50e33b013c4e153f756fcb7b7fc5ae
SHA512d9ac4dc62fdf8b3a5999b37deb130e9ebc12a478aa9df75dd41daa09eae9a4967297f6c8470706fcb5ecfc7561b2ce80348eca613e5bd2d33cbee80acba84100
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5793d4.TMPFilesize
2KB
MD58441fa327ce1f6c12f371a1535e655be
SHA17ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD50d85058eafae51dbc165b3add1b6f895
SHA1ca2b7cbac57f91083f068b136232c5169fb057b8
SHA256f1e547b16859ba61d81141f6771e8e030d49fa2f65f7deea3182b9e544dccec6
SHA5120e1ac3d24838c82dcd488a4c11e82d40e2f76dc24b04d9d68599dfa6e093bf1cb849bd0ea9df96db06cd408d898fd9629669ea5f46602f87b22c6842e454620d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ce02b882-582b-4c29-8211-a0ba062ac63b.tmpFilesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
260KB
MD5c557d4f55cc0985e35d49ffe556f5b68
SHA16ca43ba39f6666140ba32a1d7e4f035682dffee8
SHA25653c9649936562ad76ac592918c42b621a2b0009fa94c8f1a8888ca7cc66d2a0f
SHA512d3e2932ac407351b3b4f309071678efaa56ceda4714be354e4fed695d4d0716e4817c2ce67fd1b00810ff7802fbd5e2632e67fbfea93e62fb012791b3ad55bda
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
7KB
MD5f45f0ba159ee964a58b4bfd40948eaba
SHA1230ebcc225b95bf3713b9ddb30dbef1551849e21
SHA256908cf056d67e41f12fd0fe91a8e22b5adaefdefe57cfb9097aa3239667ceec26
SHA512edf6671b5066d5b25804e0cd53f72f804d3b73f135f411a25064d816cfd10f4d25f6a07f61181ead0ce53c24f16283a6584a1c517c18b05da3ab4f1dba28b0d3
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
8KB
MD5666fac57016075ae939979eb42154c9c
SHA174deeba23bfcc3bd43050e958dab79da6fe14551
SHA256414d2a4e50a3ae5f5e95b0275f63a04f2eaa12ff19fbfcb2ee626c8b06cc5923
SHA512737b7a9e6865e9e18b40d2877c45578da98bdfbbb7acbc44e7f5e2f153f1bc206c3537faeefeaa26f77d63fcb8170c38a4bddb4a1439776e266ccfee25a149a5
-
C:\Users\Admin\AppData\Roaming\80b64ad2293b476c.binFilesize
12KB
MD520445dafff50f5dee840a7f70184ed72
SHA10005dce4ed99e8779627932eda222c1f68f32edd
SHA256ab84f8e621bb4915aaba5bd6f9a69f781631b8d7f009bd5809c44e44fa732c83
SHA5127106a7f7d12fa49414171f8771afc276ce7cb96c60167ac9f8aab2af4b211154042b1be20999841815e37f868612b297df80b8ccab911ff6a6a018ddcfe4689a
-
C:\Windows\SysWOW64\perfhost.exeFilesize
1.2MB
MD5286a38ea1db28b0a224b42b476c3599c
SHA1f271b0bca3dbc611cddeba02ca5cc6dac6ee7990
SHA2567206cd11bbe7b006b2b79629de960b4d4ae91c06f36c5b5a0fc846b029fbfbb7
SHA5122513e3c90e3152f79a85bb7ce6063ae1c6b4c3a74ad49040bea7b6a01669673b518e08b012566cb3ecf2ce33a6381ee629ef9d56dfc052f8bf5366687db4d1ff
-
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD5a7188939ecfc7ee7c694d59ed5d7a41a
SHA1711131987360d5570c312c14aed79ba4cc367b00
SHA256221aaeb0c854d34ba73594fab672a6410ac4046ed8b928d184421e1758944db5
SHA5128d3c410f3fdf459c3fcf05f1dfaddb081917cf6bfc6c7f6be190bea168fdd143c9b28f3025e672e5524b52e7deda2bd51b6f685eca3315488fb308be9f197f02
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeFilesize
1.3MB
MD53c9885cf38872492f311ffdf734a7242
SHA141390b133164b1f80ce35130fb214122edbb6651
SHA256e46254f918b4699b1c566ae856e98d206526645724b746ea9b6c890dbd4ade86
SHA5127fb81ba3a769fb350db5ffb6cb2a15f558b6ab18d3695e027cf63dcfcc79294c425bbf8badeb856326471ba8eeeef391a610ff6df69859e4ac05a353ef8ef61f
-
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD566fe760753144e12f7193f23f92c40ef
SHA16012b5165ccb0fbf1f551f9f35bc9f799dd2d5ed
SHA256292f01c84da0028ec4219500019817e0a4db1d917eafd1fbc45e057027cea961
SHA5120b5057e924fe558e39b10e4125f952635c1f727b15dc7a5ace28d66b2b7f1b42e18f9f9a634f42acd983a39e5f4a2569caa559174ed5715cba154cd7a2c3bf25
-
C:\Windows\System32\Locator.exeFilesize
1.2MB
MD575a0f7e34d3d72db7b217165a0208d70
SHA1c8742fb4de84c73b9f68c7c75911adf6d54eaee7
SHA256893673739719861ba88995f50cd0a81e9d7a9974057bfdfdcd143f837e3ef87a
SHA5129e99b700990e718ada4631ec355d79bb930edf6c615f2a4986a1660eb61e3ee5d5575859729dfda19f773f6cbd91575239b3b09144aaa77c7fa1886a07b54a1a
-
C:\Windows\System32\OpenSSH\ssh-agent.exeFilesize
1.5MB
MD54db6b6a21b4ba21affe9c23206c7f871
SHA184ea44af0877d4fae56f739050a0310a5707e511
SHA256ea6809d8321e55556deca0f787993fcabaefaa21a6359b58d6f91bf8d09637a8
SHA51253af436009811e520a0ad8d34016720434dd7b9aaa04a2c8e62a86b6c3836515f82af3d48426ecbf8e1f4b56b600bf3e44ab587b43e307b5ec7db60478cf8eb2
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeFilesize
1.3MB
MD55780f8f95f752eee808c90517f91104c
SHA1ae924661c480d461d95e9f6987f0870904fbc8ef
SHA25677eb9fc659e1c222111c89647bbbce8e620725a00c2525a8c82ea7284d9fa37b
SHA5126aa1f6d6e1907f60aa765db622e3e9a2e9da27d9b5693e8dd7a53d24c6bc1b6a47a62c05decb44cd6aa97d4530cbd172124c1ca203105f865eee28fefbe428c9
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.4MB
MD5797d56fb18d4eadc003dafd62c44fa36
SHA10f1344b6d36545c21b6ac1afbc261995f92cc886
SHA2569c57cc35b7d10d938f960f59052c2189f47a600cd4ef8c273ca72fca7f5c3255
SHA51226d1338d016fb881c35f0fcf055b75f2d9e0d746c5962fa4fa250c4680b595e4b6544690511e6f3e5fce84df00c674519d002ea5eb80b242eaf3e41f54db59f2
-
C:\Windows\System32\SensorDataService.exeFilesize
1.8MB
MD5831065aec4282297993769dba26ddd54
SHA15f349cbcc7bd12fed5ceb9ba117dc1d38e30be19
SHA25674c859a19f3b10603464426e016fcbe978b6289b8b1a0601d3b68e0c0c549e48
SHA512c57a2c0e6d8806ff081c67f1523c8e718bfb74815b6ecd326abfdc929ad21d2796ebfcd4883e088499d215a3f4d1e810117d5b85e1ca3c1d82b312297cf458ce
-
C:\Windows\System32\Spectrum.exeFilesize
1.4MB
MD5e81aae2411d0d2af98d79afdf1224d98
SHA100a148d2af2fdf969ab0c60d28b9eeb1698f29ae
SHA2568a9e001a606e23c9f34afbc38ea7ef54394a2b7853a0350e968542a63af2f868
SHA5121b9cefbba008fd39db3cede1c70b6907872d1179f162147de3b01a6d1f744c112da5a1351a504e1c8ae0bea5c5beba86652f17ba16f5cab3d759dbc81a309b59
-
C:\Windows\System32\TieringEngineService.exeFilesize
1.5MB
MD568e5d8304b1496282d677750f15e7404
SHA17e0b0fce73b9a460e8b1a4d7745e724bd4cebd18
SHA256cc835f1a646173be13bbc31b591caff38cf4b590d8c5e069b4d9402d1d04ba4b
SHA5121fe6543b29922ed7a037e5e7130e43563a428b68a63f1c6bdb2c43954f40366e60090fd8ee73dbb4853431c9e853f0b14e45df0d79c5eedbd6ecc261d799c554
-
C:\Windows\System32\VSSVC.exeFilesize
2.0MB
MD51a67cf212b675eb702fb77536cf92339
SHA1db6a7dbe844e6b927b74f2972d914b1460a7efe6
SHA256f6facdef27efe8893513d5b2d487f48bbc8471a071812d30c45b4fc80e3d5898
SHA51218bcdff5bc16828d4e260dac54ee559b20a194fb587d7b29bc3d96f26ac8fe05337f56eaf59be2721ec383a15993b88ad1d3ee60ffcb04377c0b24a3f2936b2c
-
C:\Windows\System32\alg.exeFilesize
1.3MB
MD5bcee9db515e35f961f2d8adef63a45f3
SHA1515de85636ba8d24fdcb5516c7effd88b994ce9a
SHA256229cabf4d0a48a388479552be6ad9799a92790a1a73e5257a18b8b8be61f9ba6
SHA512f1ef0519360d6118497737a3d01e4da237cce5a92f11161953f0ffca1913dc83682a2de4264adbf339d6e871b9a3c86ae042434aba6ff2a3c2742e6cbcb8b7fc
-
C:\Windows\System32\msdtc.exeFilesize
1.3MB
MD5f7e9770aeff901733c4aec2490d3cee2
SHA14a1e462ea359fc83808ce38dfa0bd3cc07e8d441
SHA256164fccdfc3bdf992936e4991bb3c98631776a3f831e5a0436d716bf2b159cf1a
SHA51260c04a1b534356ded5ae4fed2d4c3122ca1c5b8adbb4f851b624edb590ede632efed4285ca03abf36bf008a005c10647763adeec62110baa4370aabf3c1833f0
-
C:\Windows\System32\snmptrap.exeFilesize
1.2MB
MD5fc2a4cc0a7c5bee81f3e189f622a8abb
SHA163d7b304f89dd010d0f9f1583fe790e0a6ad5903
SHA25660b9cc5f202df7a1e85eb7e75595f41f5bdd4fb37076d8edbb41dbaf8a6357ff
SHA5123fd06cc07f72d00a2b7397258d109fa36b2474b18e8f08d259fff505a296f8249b2fdf8e5e6865cdbc7c3bbd66f39074bc49659aab6fb09f775c023667def935
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD5cec245544bd59a44b57d1972aa4bcc36
SHA160e8e5e5d824319e661aac3089ed375f992f3f24
SHA256dc1983126cc3369667fd8690e25e5b4c1f5ea77434a4048296dff0b1007154da
SHA5129c0c9f219606c6627cd031bf9043a5fb5eba0213725e274be499e37dcfcfcf8beb29859ea89b39b0ed83b041b83d53971952327f3e821c97e62761b2a6c480fc
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
1.4MB
MD5e9293e4f17b9a7092dd303d5d61331c1
SHA19de4fdae2cd38cdd0f2e46243de5bbba7d214d7b
SHA256c58a8ddb4adf3c8a19ffb9a77fd237f64c65f074da2bccc8724594961da43313
SHA51276c8ec0e60b137f714423718d42da5d997d5deab785966bf38f56128b2c1837ee2370fd9380b9d05834d6b105c29654e483f6113652ddab5cd880d139040894c
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5a3a5ba60c4bc1e536aa1cfa2a42f6771
SHA1b54d89cf282530d0ddc35a8d041ce5d82e8d3440
SHA256ebe303571dcd3675f64a27cc59a28e410ee64e82d6eadc9d0c8503a431d8615a
SHA5121d063113fea678a935948f43b73a45bc73c9ba89a9b2841cfea7c076ec7c973a44f8ecd90e5a2e0d38c4f151e966495523c5aad4efb82a888c68731b2b1b0efa
-
C:\Windows\TEMP\Crashpad\settings.datFilesize
40B
MD5440112092893b01f78caecd30d754c2c
SHA1f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea
-
\??\pipe\crashpad_1708_ZOMRHQTAZEISYBOYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/832-333-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/996-216-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/1192-344-0x0000000140000000-0x0000000140205000-memory.dmpFilesize
2.0MB
-
memory/1192-744-0x0000000140000000-0x0000000140205000-memory.dmpFilesize
2.0MB
-
memory/1244-89-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/1244-83-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/1244-743-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/1244-321-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/1544-323-0x0000000140000000-0x000000014020E000-memory.dmpFilesize
2.1MB
-
memory/1660-326-0x0000000000400000-0x00000000005D6000-memory.dmpFilesize
1.8MB
-
memory/2116-72-0x0000000000C80000-0x0000000000CE0000-memory.dmpFilesize
384KB
-
memory/2116-454-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/2116-78-0x0000000000C80000-0x0000000000CE0000-memory.dmpFilesize
384KB
-
memory/2116-81-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/2228-12-0x0000000000810000-0x0000000000870000-memory.dmpFilesize
384KB
-
memory/2228-530-0x0000000140000000-0x00000001404E7000-memory.dmpFilesize
4.9MB
-
memory/2228-20-0x0000000140000000-0x00000001404E7000-memory.dmpFilesize
4.9MB
-
memory/2228-21-0x0000000000810000-0x0000000000870000-memory.dmpFilesize
384KB
-
memory/2324-345-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/2324-745-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/2752-329-0x0000000140000000-0x00000001401D5000-memory.dmpFilesize
1.8MB
-
memory/2764-325-0x0000000140000000-0x00000001401EA000-memory.dmpFilesize
1.9MB
-
memory/2816-327-0x0000000140000000-0x00000001401D4000-memory.dmpFilesize
1.8MB
-
memory/2864-332-0x0000000140000000-0x0000000140221000-memory.dmpFilesize
2.1MB
-
memory/4008-36-0x0000000140000000-0x00000001401E9000-memory.dmpFilesize
1.9MB
-
memory/4008-30-0x00000000006D0000-0x0000000000730000-memory.dmpFilesize
384KB
-
memory/4008-24-0x00000000006D0000-0x0000000000730000-memory.dmpFilesize
384KB
-
memory/4008-557-0x0000000140000000-0x00000001401E9000-memory.dmpFilesize
1.9MB
-
memory/4192-338-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/4240-331-0x0000000140000000-0x0000000140241000-memory.dmpFilesize
2.3MB
-
memory/4448-45-0x00000000006C0000-0x0000000000720000-memory.dmpFilesize
384KB
-
memory/4448-54-0x00000000006C0000-0x0000000000720000-memory.dmpFilesize
384KB
-
memory/4448-53-0x0000000140000000-0x00000001401E8000-memory.dmpFilesize
1.9MB
-
memory/4468-339-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/4560-41-0x0000000140000000-0x00000001404E7000-memory.dmpFilesize
4.9MB
-
memory/4560-9-0x00000000020F0000-0x0000000002150000-memory.dmpFilesize
384KB
-
memory/4560-0-0x00000000020F0000-0x0000000002150000-memory.dmpFilesize
384KB
-
memory/4560-8-0x0000000140000000-0x00000001404E7000-memory.dmpFilesize
4.9MB
-
memory/4560-33-0x00000000020F0000-0x0000000002150000-memory.dmpFilesize
384KB
-
memory/4724-58-0x0000000000DD0000-0x0000000000E30000-memory.dmpFilesize
384KB
-
memory/4724-64-0x0000000000DD0000-0x0000000000E30000-memory.dmpFilesize
384KB
-
memory/4724-70-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/4724-68-0x0000000000DD0000-0x0000000000E30000-memory.dmpFilesize
384KB
-
memory/4724-67-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/4784-587-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/4784-328-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/4792-322-0x0000000140000000-0x00000001401F8000-memory.dmpFilesize
2.0MB
-
memory/4840-330-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/5088-93-0x0000000000CD0000-0x0000000000D30000-memory.dmpFilesize
384KB
-
memory/5088-105-0x0000000140000000-0x000000014020E000-memory.dmpFilesize
2.1MB
-
memory/5184-533-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5184-596-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5448-543-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5448-746-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5608-582-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5608-559-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5784-572-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5784-747-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB