Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 16:19
General
-
Target
2024-05-24_570f113160f7fa4a98b8239c35fd0adf_ryuk.exe
-
Size
5.5MB
-
MD5
570f113160f7fa4a98b8239c35fd0adf
-
SHA1
8d467f225cfa38cfaaaa88d8f6f3ac5161e7d4a6
-
SHA256
ab7c95bf8e772e2da67fc3c6ae5c5d2a8f81825f2d1021fe934f19a154bdf716
-
SHA512
c7b5c9cda08edab7103b039df1d996245d686bfc75c4f4d92ebc1beedeef9705cd71036bc3451f8b5f03540e81141f9678a3258fd9d38b4c867799e3f109e767
-
SSDEEP
49152:aEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfm:QAI5pAdVJn9tbnR1VgBVmoPHn3
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_570f113160f7fa4a98b8239c35fd0adf_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_570f113160f7fa4a98b8239c35fd0adf_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_570f113160f7fa4a98b8239c35fd0adf_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-24_570f113160f7fa4a98b8239c35fd0adf_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8be60ab58,0x7ff8be60ab68,0x7ff8be60ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4296 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x298,0x29c,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1888,i,16170347053932038233,12297710287355021796,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=1308 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exeFilesize
2.3MB
MD501dfdb30d02b3b9b35e572e13bc3df36
SHA1bedae3c815fb30d6fede5581111d90ce40434baf
SHA25616af37426feb7250ae1deaf8eae94925b59965aa9e9305b52f01a96e750aae2d
SHA512a9dbc3671a562bc2da9921e1acdfcbdfaddaca440bf7af1b97d92f7a84c47bc07ac7812a9a5e90ee014445b37337c0c3e3a6555bfdd30b108ecf4ba70e293d6b
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
1.5MB
MD587d20fac49b25fff3ba775283d34b9f8
SHA1659900cf7d7eec339ca946ed5ce2511b131f662f
SHA25658923909aec310813b8114cccf28c489d9752deaf523b9f819240a3ff79b006c
SHA5121dc3b5e83decef87071aef57681324b15ea9907cb11ad49e0a353a9e50049a8489e60441cc28f5bc906c953fc918340351ddd67cbd2651331d9cc689f8eab0ea
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
1.6MB
MD581ccbb4053093927ac15af5316d994a8
SHA1c0a8eb985b1afafa5aba424556996877d41a53d5
SHA256312e5cb3a6e82610702c0093c76075410d01863fac3a6c4b5d281e8573bff40e
SHA512c17dbdc85f7797f596a7d86c212cc3db8909362da275c27c685a63b8f79ced3be367fc273172ce72da07377e05acc072b9f5befb5c8efe1a3e19dc415d0cdc58
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD5451bdb3ae18532b7645b94b1601f44a0
SHA1e5834c0c73c42325d7bfad91a46d5ca9f2d51949
SHA2560c2b7f07bec18743124ac4c053e6bb58f0935845a69fbb140813d28c61e79c07
SHA5124d40c320ce38cb17c9f8868351b158b254e4dc57cf24dc30e5d38f9e720c2001db2d1db0156bd57ca817452a03b1c392a6a53cca4da1809391af3f62e963968b
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD57c63ba5f31480d84df3e107cc2349263
SHA1f4d801878b2ad145a4d423fc48f04dbeadb9cc5b
SHA25637531d2719ada84a4733636331f7d064c99cd8392fec2c351c12da121c8d2a1a
SHA512105731727181601f93c37f20e6f4813c7bfb75fa68903396afd065c75b1f4f5cdf5f26f9891cbeb907c41ad94cca40bd5ea0c0501817639cccb0b7a9cf6ee037
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.icoFilesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD595df65c8e5c16efa2d6c5cd94896353f
SHA1cdbbcfe826339d773bdff906b2f321bc45fb3325
SHA256f33a3b3bad3f761ccdbe7bd544b0feb1d0617370df6552395c8e911a6ed997df
SHA512ad34d0a09ab216acba64762b1493f0beb88228e6342d30e8ef86221e19292d62b43a11dd0ca03e9172fddc27f993e7a229e16dc8b5da57e07ab6433eb5330dc0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5bf91efa5d1815fa4b74bed8b94e9ca88
SHA1a747117b1af32518db7aa75ed969f5160ff22cd9
SHA25636656e206669731ca319783299b9fd3be0e4e38bf680b8954f0d2d957e1d86e1
SHA512dedfc1a91ceb3a598e9fddcae78c9f6395150dc52eb711a0c1f6fdf21ebe53675e03bc367f1a780f48e730ac9bf91ded45b9c64b71efa8faa4b80a58a3a5f721
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5af3eaab11835fb6ab382539508b28e59
SHA1fe5d9178f0dc7eba64889dcfd906ca8b4deabe13
SHA2566847d230db3274be402a922ddbe5984d06d7c23a5b4b949a961e15c37a35302f
SHA5125201cfbe6ede07053532632cbb4345513dd8ea92f652e41eac258355d2a25afaa696d8bb8d5a7895c1a858fa36b9065c6b2905e788fea3629d53622d844dca87
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5820b2.TMPFilesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5d7ca005a559934f0acac16c7c010743e
SHA110ea49ab9223bea1f71e2cb5f51557660509a896
SHA256dd059addce92514620388dc7bbe0c758ae098379d6f924758124e2e34ed3cc91
SHA51277fffe852016e6daab933ab11011757a287b6b3012ec302c8a970c3be1e230881d6a18d0434c59c4157b09af92eb775924d708fc1d8011477358fb7d06d159e7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
260KB
MD566078758826bde60717c9a901dc314a5
SHA10a091ddb0268d115e6a220e9467f27245486f0f0
SHA256dcd84792d5fd5d7132c860728e89405ae045f40b000447b5f04ab77bc77fa50f
SHA512a55966770468a317074bb2c6238d800de0ee472e9a869ecacc4e33fd1a8458521ea16e1260d22872206e818ffb69d0b9c88ff216b40d5b00dcefae823f8f8b27
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
7KB
MD541ad11155b3495a76b7bf4ac9d336a87
SHA11e5dbf23fa1106bb2483526f082033c91dc5bfc4
SHA256926dd0b48995e64d75da6088e9aa0c0e0e95c79ad7fb57b156db957df6482e45
SHA512c79f5a612b053163915f8c11ea9c6ac46686fce562e753ebbd9310bf320e285148698c0cc0dec1aa18a61a3e67b7bc233e6b92b9878904a194451b8a284adc36
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
8KB
MD5aaba21330e37aa4060deee33056d60a8
SHA18a26742ecfc3c187c9d16b6ccecf1f40d23c0be7
SHA256ab0c600317533edcaeb82857b975fa2125280db6b25e290ed7f80dad120ded3a
SHA512c353dff6ed914b4ba28e9341994cfb913b64414609d31f4b646dae5fecf7c0a761508b70bfeca9eda10fd0c23f4f0bbee68847ff0b5c9fdb1b93209131fe6e5c
-
C:\Users\Admin\AppData\Roaming\159adcb5c3a5208d.binFilesize
12KB
MD559154790322b564d12a2c0b83d4e8b8b
SHA11aff36a2d2e5c3066e07480b329638b1da135a76
SHA2566e98ac0b4e8a25223d33df21ce2faaae824bfbe53c710e39137c4bb15a3c2d64
SHA5122488b5cc00ca58fdf8767e052dacfee64271e112d725cf9d7926b2142c75bb41d9fe69a71629b199b9179225582ca67b136615e84bc4ec20e3046091d4541f59
-
C:\Windows\SysWOW64\perfhost.exeFilesize
1.3MB
MD5ea85f08ce4851a1b0b439227e37b85f6
SHA1225db60157c393b93a5065b5dea18fa62b30edc5
SHA256d6fbc534264723eb22464511e624f85a244f009ad3f0213e1a7f64164598b827
SHA512489445bf16f0c2e33f32d2716b9926f7502ba87962d9f7bb6e9db9f0d3e05479081eae1961ea267db736806566c43aa5414708f59ed9fe9b93830d2fd9a7f790
-
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD572f166fc39a808f36cc9eeacc99027a8
SHA1251771b890b3af3c8cf6c26b6df05986ac1ad0b7
SHA256c2ca8bc3c2feda632dbd8c40c27e6d068aab2ebb99814724f6ea5b323c97b9c0
SHA512223aa9c6cd6f13d68268dcf2c4d0d348b57372aa9ed3a06a6d1ee239d762c3a5c26a97566d20044ae4097048d9919535b44d51fa795e7f54e1b106ec710e650a
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeFilesize
1.4MB
MD50022577390a84094a8be838444fdf30e
SHA124fd0ef51aed102a2ba6e7eba1e12db6b5684162
SHA256ef90556ac7a08b23a3652e4f4655d5ff49c6ce5272e662152438815280b2f620
SHA51266d12c765a24ea114a7c20c86e93431d1261bb6d90866059f5293f3e4269304524968ce719f940d7b847f51b7ec47c9b3e39386bc9253874b6cf00174a617d3a
-
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD557ad4515d4e994e3deae47fb5ed6a964
SHA19373ab566f332df716264412c429279f20b54cba
SHA256b9f3336a882a8bba434b9283dc69b8580f30e12969bcdab00f20ea620b241ada
SHA5123859254a1a00300be41d995e2d7435da07088244c6bb417f51e333ccb671d7df9fe29efbc98b27fb64060652033d9a6f90fa2ad56883fad08eef3af4e0c1af20
-
C:\Windows\System32\Locator.exeFilesize
1.3MB
MD5f78d403f241da3d8b891f8a3c709fbb5
SHA1a1f293e56698f44dd649d7c730c454e131fae5f4
SHA256d6bc639ebf52d1069ae9e06fe853c552115b1b306d806bba634160af00fb9c0a
SHA5129f887e3d3e906665abe9f9866b1474fff24740b3d036af33e2c039c7141381d0e7b39e9ecef61117620e705bf2b8655e3307bcd113243350148fc5dedadaaf61
-
C:\Windows\System32\OpenSSH\ssh-agent.exeFilesize
1.7MB
MD5d485ed4381ea9eab8028a56450d69565
SHA197336143056fd9cced69ab160beca3703781a1a6
SHA25666320240cdca280d02c409e566e3a4c7bfb78c181bbd59081bdbe536e065a978
SHA512e91491202f1e09c8f62b9784f7a798c26776aae83005155384778b0e94e08846967b1b50d94b47a16d087227d39226526e11e2593d796cf4be368e86fa5a23c0
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeFilesize
1.4MB
MD5b23a44997d31c842887fdbe66d630c38
SHA1c421c1c2951eb14d84a56752a1ac22d04d972abf
SHA256ca7be95f4221a328dbaf6b36ec469e33a29f90b10edc3946dce30884e6605d9e
SHA512db9fae4a4680d729f25a826a340e566a590791b6f7e6988715a00f1f97d52bfbe1835ba259a59f0450f8f4a43fb6ee141d8c673f645a7b932a71484458043dd4
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.4MB
MD5be4376aee5cc78a4c36cbb4cd2277dae
SHA186ffd4017ff6fdcc09499e08bab76fd94c6e5526
SHA2567a10780144927d1b9b4027737d02569afc2c3c6dd9559482d296d89dd8cd23fe
SHA51294420f18b4753d6193cd37ef534acc3e3a57dc6b79cb9fbdcb5e1269404d547aea6757e5a8baa7199e2d596065f83135ffe6ba59816a1f7164d5baf2a6807f71
-
C:\Windows\System32\SensorDataService.exeFilesize
1.8MB
MD599280f2b9b03ee3ee5af2b2fb29a9fa8
SHA100ad3cc42cd05d3581eaafbca562cf5db6a36ff7
SHA2565f3032c2624df88dfa1a9a3b4dac9bb0c3d959efac42f61fa32d6ffa4fb6014e
SHA51283a9fd5bc3651daeff78699f9e8777b0375542227c894b58ac359c402cfdf6b76f6b917e70b39274f705141aa842513507d1ca4094e6fda40548bf4ff36037c2
-
C:\Windows\System32\Spectrum.exeFilesize
1.4MB
MD573ca9df2260ec29d71792f414da43b83
SHA133189d0f2fb971cf53165c8d5687a45888c293f6
SHA2561e2fbb37c8e8591f58d241e1e9a067b5fff4d561574743d97ee1f3e8b5e99520
SHA512b69e19256f79530d8b35469d1c8cdd1750105d1481ff5617ed8c7ce3b9a30332aaf2a38874a74d9343eb58c9ef89253d3b2128d75da33616fe46dfcb8a94713a
-
C:\Windows\System32\TieringEngineService.exeFilesize
1.6MB
MD51c15a8921546078c12e744bdbcb9b2b7
SHA1b8d54c6eacd4dd7a5ca660c5225881b664e03db7
SHA2563b36279d76b8e1e39700048351ee05807137ef19439fce5646d6a6f22d024ec1
SHA512c98fe47dae211cfb98ceca71c05c75459b288c391e88811d455c33c3f03f801603e458ef08a022a91b20354b718d1a2ba37783bafc484f7c3a2c4cdf2a67b490
-
C:\Windows\System32\VSSVC.exeFilesize
2.0MB
MD5837b0a29aece2f4d5656444657e558d2
SHA11d750af430612081cae9a2a531a81679545d6437
SHA25651f45c824afa79418e9ef9f81f4887402e9e7321438e63f57f27fbd52639df07
SHA512982dcd8fd8bfcc7b008a9074010a2dbf2938075b43ce8a933f3db6fa5614693aa53f127ffc5e4e5df18f79d168af66cc1415721d9223e6248c57502918476d3c
-
C:\Windows\System32\alg.exeFilesize
1.4MB
MD579926e17b1b44ced8e2c433965c87b28
SHA1f63e7f05684b57b073137eaa9288c23e756018c6
SHA256bf1ce6ff064ce1b961bbd6b36c3d6103cba178a8a57ccd86aabc32b1de308c76
SHA512360f040b0ee9c5a8d45e0644ec5a91c63e832fda5f5f63f882fdb9e257f108d752eea718673a8db675e436e5ed21e9e63d03684385b10959335f54b5d41e6926
-
C:\Windows\System32\msdtc.exeFilesize
1.5MB
MD52c2b0f08171f43edd9646d7e888427cb
SHA108ebe94d456dfbe0e00fcbbc4a199e6a52b9a4ea
SHA25660754600f095ad7bccac27476dee5da67d15dba4536436007dd3c8fd342e649f
SHA512996c573c8817a0049192e53302c8d8c3501c726d3c166b68e2277313998bba1040f789a31d2453ebdc17b5a537a3c735fcebfed9645dc9c0fb87aa3749a053dd
-
C:\Windows\System32\snmptrap.exeFilesize
1.3MB
MD5afd3eacbe52485585683fc98dc817670
SHA1162d97bd5d9b89f54bb1275829d829ab59a46b68
SHA256b3592dc9ea67087886eaf7692bfb5a9571c0e912a4d17b6f0dd9388c4f811415
SHA5127347cdd754681377d9761300ba44828ab9a63e6710bc032f167e621d8f8fa8e131da938698d52688e2d2c43843e7d906921ef24bf90ce11a5258237e16fd473d
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD50fc9b87dbb9354b64f5f9629da3d957d
SHA13ecbb28d160c5ebb298fc7761adb742cbb8c05dd
SHA256fe9508bc286ea2db84f61990ce656f0edbb5f6c37bef12273f9567ad1c27d3dc
SHA5125e8bf0e7bf61cf3ba9a11adbaa7c96f52e6cae9a003c0bd81b3fbebae8a7c65a7801ecd3d2d9903be684cfaeae474d2e30d61d3a3ee927844aab06985fb2590c
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
1.5MB
MD5d240107a7a763c4695a472e53bef61cc
SHA18a0499f3069c92a0083694996cab24a4dff08632
SHA256b8c6d4618b95f5bd07fad071ee129a3c93d70c802ea4afa013e9f8e6fa70d1e5
SHA512d82165d6790f13496a0c6d76aa881985cf9bdd6b5e709235fcbfa80e08b6d8755588a81ae9532dd60d2a756ac097f9a21e75fed03cf72433efb7d3077f3ab942
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5e70c12c68527f5e56ca763c19998670e
SHA13429b457e05f0708de0dd9e6b143ad206d08f5e6
SHA256fd744ec36a68a7bcd3cf0c3eb500b0fcf74be8e0512a89d54c6f0b8e6a86bc50
SHA5123ddfb2f00eb6ab935f90acdab87b64392f5b407c32898d22d9d3d58814774be3e67de20ed9ea18b8a772bdd80e014433d712027e671048df6c99c91110b98535
-
C:\Windows\TEMP\Crashpad\settings.datFilesize
40B
MD5de12892063f81f60b11c0497ec332fa7
SHA1ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
\??\pipe\crashpad_4936_SOEDNWAGZSYHNJJWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/216-395-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/732-388-0x0000000140000000-0x00000001401A6000-memory.dmpFilesize
1.6MB
-
memory/940-54-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/940-45-0x0000000000580000-0x00000000005E0000-memory.dmpFilesize
384KB
-
memory/940-648-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/940-647-0x0000000140000000-0x000000014016D000-memory.dmpFilesize
1.4MB
-
memory/940-52-0x0000000000580000-0x00000000005E0000-memory.dmpFilesize
384KB
-
memory/940-51-0x0000000140000000-0x000000014016D000-memory.dmpFilesize
1.4MB
-
memory/1084-82-0x0000000000890000-0x00000000008F0000-memory.dmpFilesize
384KB
-
memory/1084-335-0x0000000140000000-0x0000000140267000-memory.dmpFilesize
2.4MB
-
memory/1084-649-0x0000000140000000-0x0000000140267000-memory.dmpFilesize
2.4MB
-
memory/1084-88-0x0000000000890000-0x00000000008F0000-memory.dmpFilesize
384KB
-
memory/1424-390-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/1436-75-0x0000000000510000-0x0000000000570000-memory.dmpFilesize
384KB
-
memory/1436-455-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/1436-336-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/1436-69-0x0000000000510000-0x0000000000570000-memory.dmpFilesize
384KB
-
memory/1756-40-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/1756-37-0x0000000140000000-0x000000014016E000-memory.dmpFilesize
1.4MB
-
memory/1756-644-0x0000000140000000-0x000000014016E000-memory.dmpFilesize
1.4MB
-
memory/1756-643-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/1756-28-0x00000000006E0000-0x0000000000740000-memory.dmpFilesize
384KB
-
memory/1756-34-0x00000000006E0000-0x0000000000740000-memory.dmpFilesize
384KB
-
memory/2316-43-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/2316-38-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/2316-0-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/2316-11-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/2316-6-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/2316-23-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/2316-8-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/2488-18-0x0000000000440000-0x00000000004A0000-memory.dmpFilesize
384KB
-
memory/2488-635-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/2488-629-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/2488-20-0x00007FF8CA9C0000-0x00007FF8CAC89000-memory.dmpFilesize
2.8MB
-
memory/2488-22-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/2972-383-0x0000000140000000-0x00000001401C6000-memory.dmpFilesize
1.8MB
-
memory/3136-92-0x0000000000C00000-0x0000000000C60000-memory.dmpFilesize
384KB
-
memory/3136-104-0x0000000140000000-0x0000000140193000-memory.dmpFilesize
1.6MB
-
memory/3236-389-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/3300-80-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/3300-78-0x0000000000E00000-0x0000000000E60000-memory.dmpFilesize
384KB
-
memory/3300-59-0x0000000000E00000-0x0000000000E60000-memory.dmpFilesize
384KB
-
memory/3300-65-0x0000000000E00000-0x0000000000E60000-memory.dmpFilesize
384KB
-
memory/3548-340-0x0000000140000000-0x0000000140193000-memory.dmpFilesize
1.6MB
-
memory/3556-351-0x0000000140000000-0x0000000140159000-memory.dmpFilesize
1.3MB
-
memory/3644-343-0x0000000140000000-0x000000014016F000-memory.dmpFilesize
1.4MB
-
memory/3668-397-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/3668-650-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/3788-396-0x0000000140000000-0x000000014018A000-memory.dmpFilesize
1.5MB
-
memory/3940-215-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/3952-345-0x0000000000400000-0x000000000055B000-memory.dmpFilesize
1.4MB
-
memory/4268-587-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/4268-352-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/4324-357-0x0000000140000000-0x000000014015A000-memory.dmpFilesize
1.4MB
-
memory/4632-382-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/4940-339-0x0000000140000000-0x000000014017D000-memory.dmpFilesize
1.5MB
-
memory/5288-546-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5288-594-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5808-548-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5808-715-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6240-549-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6240-584-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6340-569-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6340-717-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB