Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 17:48
General
-
Target
2024-05-24_494b73bd6c426a5aead7c7d7488dc127_ryuk.exe
-
Size
5.5MB
-
MD5
494b73bd6c426a5aead7c7d7488dc127
-
SHA1
685bc7bd7d21453b901a4a10bf2eca0afb3bcf0b
-
SHA256
f3d86a157d1e8d777dfdd7c40c3a71b7aa661551c68d126a3ca3ca5530bc49c7
-
SHA512
7b2df709e8bf193dc983fba2e142a17f6e40c5ee59b16cb5faa1b9213d5f744622f2609b8802d341ad5975f29240fb5203533d01bbc66f408d7022bbf384a4fc
-
SSDEEP
49152:REFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGf+:VAI5pAdVJn9tbnR1VgBVmGOkf
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 25 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_494b73bd6c426a5aead7c7d7488dc127_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_494b73bd6c426a5aead7c7d7488dc127_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_494b73bd6c426a5aead7c7d7488dc127_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-24_494b73bd6c426a5aead7c7d7488dc127_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb251ab58,0x7ffdb251ab68,0x7ffdb251ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2064 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,10616174155456632803,13526620230396526521,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:81⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exeFilesize
2.3MB
MD5b4fa7ced7c3edfb9e9325204c2ea575d
SHA1043db58de10adfb577d165d87816819c69a8a49e
SHA25694d9092c2d78242aaa842599ded034d261cf60b087415176e9f34580fb6f6f2f
SHA51239b2bc576366364daf484b6eedf96b4ffa9df618d6b47969ed419c70106946296f418ba4345d65ff6ede33d55b0c2573ea73841f52acb2323e7b89b7f5a738ea
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
797KB
MD59bbd9b342d4ed58d434f116094b08a48
SHA1171e8b0daadf8b6a0d50af751446e64cddef33a3
SHA2569f2a05bed7c8440257e9089c6a15085d8eb3e9fb822b65e5ca3470a2ccb51e4c
SHA5125a53d49454b164639d26a701b4dc5ef7ce76d0696edd23ea671aa49372d3718db122e9299fe2f3e8183f3ee679fa693d3d95244e437694538d84bff19748189e
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
805KB
MD5a4030382c57af3e98e8bb360659d2c3e
SHA1c179ef6701a8dbf30744a99a2627d40c8f5df63f
SHA256b564ad136b546c9324dd0c2e8273396304e55d04957f1882bd462a72e7a9cff9
SHA512cec382bf476bb47014b3c0353e901a6edb562c25a1ec543ef29d19e252fd2675bd627ad2231325633829775b003f14530b8435f8947731edd44eacd544a4cffd
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD50f47f15b540367ebed736228492bc907
SHA1b6ff07380e8401ff60f2f2bbbdd8e9ee4c7bbd72
SHA2560192d2d09a811fcae766c0ed11d72fa4b62b624a5482b87384d9b9d1e4bf1ff5
SHA512d0981d2c41b0ebae4225b7e1772c9258f0fde3c9d3495fb521da69828073d1be95f026caa5294f30a420683b25820b43752b6b2164f9e8c4834b7f5e661a3c0a
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD5c029c4ce0f512a82d31f520954038a92
SHA1567f2d2c5704103fd74318e7edf367be6ac3f325
SHA25691aca942c62e10da7dde8e8b32b8d83cb555236d5823e2f0764896471a41fd49
SHA5128161a7d531af8cb5327abbc3cbcbdbbcc1b416087b3f76d404f9aaa8eefe8a0a3fbf8d50a56580748ef490d35202e2f28ad42ba33a3f3d517584ca546973b8a0
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\85db7223-8b36-4780-8082-b24ea1bc8d92.tmpFilesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD5e646991f9b7863013f4543e5deea2d49
SHA17d3ab1c249b15c5bc5761baef819fa96b043539a
SHA2560cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA5128b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.icoFilesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD548b8e3979eb91d0e98c6665b22816349
SHA1a2bf1cd1f74e08a5b9c1e9889e457f2814c29c6b
SHA2568d8058bd12f742ba5906440bd8de8461c6ce67fc8f7bfae66873a025e08a1837
SHA512cd55972d6a1d978b2c414b110dd1c838553e974941221bc4e133ba2682c249e267711b25840dbfd6f15aca0ac2b1258b64f9d3242741ee3f622942a78ab1b172
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5ddfda34afbc3fcb58da468112cdef3c9
SHA1c60b87d9bf6386127bcbc93ec2f92a6d6090af07
SHA2568fbb7fc141d834c8dda1774ca771109920cc0f2ff4958dcc36a1cb9847745b4d
SHA5124a9b7c597c5cfc173f60103bfb61a06d7dfc5915e3a9a6230dc78fbcc2049a1aa9cb2b23cf0f1d423d34d877b83150f9f3780702eeafce51f04229f16b1131c8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5eac6bdbe416b3feeb6b5c0c38fc65c7e
SHA187a2a254d9d80520a9e3614cf76e45d0c929d68b
SHA25661ecd360c60ba21e80e951633529af943c11e7b0f6b0d5096bee66f5f49a2762
SHA51211031515a7eecc03da718669102a9021cc55f1ca58b76fb70f73613a0f8aee9926dd32fe019fa8514ffe0330d1948404ae1c77161f57c8b31483e12310fb926c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581102.TMPFilesize
2KB
MD5c4d12c24a85b7e1aaf85cad983fe7610
SHA100bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA2566568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA5120d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD588f35a3a031b3863e52261ff1ffb1791
SHA17aeed75ddc539394ce4e9246a7b58be80315346a
SHA256fc1508e02f4e97f53b919231d2ff62e13781f043c10f5bf8899b91ca203dbdaf
SHA51233eab42d23133fc4fa99d85667ad0495f7d666f5e9ef6901bb9301c7ad306fc452888fe1880993a5a47e217472b813c5cd8fbec42f52a64005a6bc493b21fea3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
260KB
MD576bed36ea245230addaa747ef78efd09
SHA17faf85d8d65d1490de66fd51e54d9497965819a0
SHA256aa1d9eac2da9c3618944db4ac09f83216abaf204ed1afd778f27db14a795a956
SHA512a61e4fef745f9ced4f2783d7cd73a1f8710396786f58e239f70f1e6c09d248c097c2d5ae4bc0319040f61e26a1363e2b12309b158b5830dbf8ccd0a8914d6dd7
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
7KB
MD5b0207e847987753647cc1e903cae4467
SHA1073de3be0700f1f7eb48f9d41971e3c160b0d9ee
SHA256d2ecf3ef593bfdf787a298d3df0f826e2c9dc5b8a5d61afa9efe285796ac7f6a
SHA5125afa840b0004ab7f35ade2417018c4077eb7108d83dcf66187835aa3e3614366f6933ddd32ead2a9cad5665eeea1a948cc9fe4887c461531d4dc660195114d44
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
8KB
MD5dcfee8ddf1b0a917c7cf6e5c3273edd7
SHA154196fbc7f6aee655bf5f15b35178461591a4a95
SHA256d73e193b4f4fe697a46a9132993ab658ff4566a0e155daf4e934c348322a031b
SHA51238fb600e17b361d76dca19a50ed26b24c17414ac045863b20824862349d448623558dd3061e6f33089dcd1f2f409fb59843c80991f2b8e09cf5e85203c2331a9
-
C:\Users\Admin\AppData\Roaming\69b1c69ac3a5208d.binFilesize
12KB
MD5c31837a3bf7c55ec8fdcec53a571e676
SHA195f4b965f7c05829b4b9c783e3966e894bb6adf3
SHA256b4240ffd8c403847aac180e3ac281cf4264242ab5f35d23ef96bfc4290e26cc3
SHA512d275781a830e714c8b5fac7c401552e8f74d3fbfcc01d5046b2a2560309fd5f617a665267a2f3c91bc208d883e4ba2d7f0dbfb56490c366c3c286513185eaa18
-
C:\Windows\SysWOW64\perfhost.exeFilesize
588KB
MD5034cea212d9c00b2a0c7a60f74989d22
SHA16ba2ee64a71eed1b11f2a12c654657316e7fc197
SHA2561fdb3a3f8856747ca1fcad235d54a24dcf71c198c408f1f2a037bfe93f1743e5
SHA512ebcb87a44cd22ddc91f5ee37b5ee45d3dd604bbdf27126ec71fb655984084dc369a9786b5464de716fd7670eae139103603449980a3d3e2359897f4d9fc169ef
-
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD535e29651f2007e2d0eddfb15187419ff
SHA15503730cab534328686862b23102c0a855131a7c
SHA256a7cf2116d69df1ae69f5ecec843c5495cd3e95c24565dff6eca565929b4654e0
SHA512bce2f5309bf400680234a63f81330cf6a7d533d1d85530c169312e9aeafe35a43367ba1a0f7c68d07167da342145cf3d24391b94fefd86ff6e64733d0cb839c6
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeFilesize
659KB
MD556bf6afa5e0bd2e74073e972823bbf73
SHA131093f0407f3989ee0da4cee7bf1f1eac2b0cd61
SHA25620e5e21be3396868cd11850b6bd165d3e88221ce00908b1cdc4116e7f326411f
SHA5128f1ed47e8f306c13ed29bd32560dcfedfbfdf1e28dd44abd9c1e2e2fd5f929413462fbd07f459284566ee9acff29e9c389be4d2c2c83676cf6efd3f7ca4d3084
-
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD530830b89ef8e80e1453909541adcdec4
SHA146a27cc6cc9493f00539b3f6c5de0938a4f06d1a
SHA2566ddc1b343f76881870dac911f1c1e571e5605291bdd0a33e39188a236b0d09a9
SHA512908d7f101d0a684c409184fb6be4ee5ab2b0a0a7b527f5ee65f024bc990724701aaca3591b65a84cc3e097c3b2d9b1fc86462f9eb3b290f2ee0c81b669aa5973
-
C:\Windows\System32\Locator.exeFilesize
578KB
MD5ee04635046f9330ed66750dafe44c682
SHA116289d1677929f879146cc08cd31f3272c72ea3c
SHA2565e2acdd973895925224c5e1def5f65ebfdca61c7bac9692b1ccc85028d9d82e0
SHA512bd24e34f233355271580e2aa2ba7d84a3f764285b09740b93c38920756c7dfdd3da672f7bc0652fcdb5426b65a9afdbf228bf414b329496209547e4a53d3d829
-
C:\Windows\System32\OpenSSH\ssh-agent.exeFilesize
940KB
MD50e643e08a3d3c4b07452043f0422c1cf
SHA1f64009ca6eb10f8918ba6fc718a0a0bb2ee31d00
SHA256c7eaca481518e8d2ed0e4b05bcbcf9dd4259935b14623fb14ef2fdbe443d9474
SHA512de2c803944574ae9d338debf1a7f19abed0b4704deb9090c622957e989ac4aa4b8f47dafc1f48097e7a13f032185b414f41b58235449c31428082ea658e32237
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeFilesize
671KB
MD5ef333efadb437300e8174863bf3b3908
SHA1ae82f09f607b8759c3cc9361e22df5e8fe682800
SHA256e4c320d5d7d7a1c02864047c7536435cec3b221d46a0b065350609a88d8592ec
SHA51232b7a81a5f81306ed60a471bd1ced09df9f3f15d1228efaf6aad0467c7adc802a0459f7a9ad9e52b52d48b51d14242ac3156c4c7d6062a07c85b22d6aaa4a32e
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.4MB
MD561f30c5087f32cdd29933a462867d0b0
SHA158c54973464db4a39b6d459cf9f71eb97880cdf8
SHA25699a351d023bd24ad85e5517a8ee68747fbe4760d7b587c8060cd098cebd2eab9
SHA5124a1aa61882359ccf3821834547e9f909e9ce57667f8074c09b719370868c7daf4b95d672430d2fc337c590012d45816ae84a5c9d478dc129eec605c692f2329e
-
C:\Windows\System32\SensorDataService.exeFilesize
1.8MB
MD5a8d730bcd0afa3d4c50513edcc10691e
SHA15d33453318646fc12ee52ee7c9880f970bda4207
SHA25617a8d14c76158411fd02c629a785fc4c5265ffdc68208adbd3d6b8e495878c85
SHA512ab9eeb7f14854a0fa4191f1ffff1f8d5143dc0e2904d8a878f95dbfcb06a5a658f57efafc608422f0772f0ce858be260a6877614d902d18151e578dad58373b8
-
C:\Windows\System32\Spectrum.exeFilesize
1.4MB
MD57839fd33a557aa9b968abd443964ef41
SHA1d5182a89fa6cb1b60192d90686c9d147660f8329
SHA2560fc00c20360b88e4dfbd1e1b1a7bcb404e1176a1b774ac74c1ea2ef80840bdb6
SHA512e04fae8ebb60d3d8c093560ece5344b30fe2ede5d4d5cd30492f05ca08ddc7c9f7e02a110f9821b01882b3037bee366bd32cf56b26e3ada8362eff38d46d24b5
-
C:\Windows\System32\TieringEngineService.exeFilesize
885KB
MD50b45b25b21cdb8d470d53871dab42203
SHA100af1243d3875ec74e193082e94d981250e01313
SHA25609dc9e374984734b21b3f9c453adfb4a0097f89f55b8c002f22f096b2b83f07a
SHA512a2f26493bf81ddedcf3bc44207da9e42161349d1d0b1f40e183f41a0bc6612edba2e0cfab4eb3564a2a264081c0faeba6e7b038d56d6d324afb238f74ba3f668
-
C:\Windows\System32\VSSVC.exeFilesize
2.0MB
MD5f397a1d44fce9ee09d7be5107d4a66b6
SHA1376f85015c057a1a981f2819727454ea81c8ea0b
SHA256b358ab3a7a9163460f6fb259c5235d7e162d3670762e3e813df736ccbead7b7a
SHA512f3e9d068a2de1dda9a3f025720bd41faf2d54078d143726b699583e2be7a4477d16517630e51edaddb3cc73641d6350d93029a2479fa31190e0f46308a3fe7de
-
C:\Windows\System32\alg.exeFilesize
661KB
MD5f7939c398c596b16675f599b43970b5c
SHA1a84adf17a70c3d17b97507de0b006986e1bedc54
SHA256805f2ece0ff9764e467fa0c3adf0af6fb5bb7c57140ae6074b784dd114b8c331
SHA512fc0d4430e595b4eaea2170dee0e8745010bb8c4f4b996840e933f141ad42f1cc97d06ffc22c933e3d7b309a2bad572616ba28daaa940399677be6aef0c3e18ce
-
C:\Windows\System32\msdtc.exeFilesize
712KB
MD52050c022d2f8d52cd56db8783f298af0
SHA1b77621ec3285010d39c7b4653b8ff255ada494f5
SHA256d32e757194fbe0b8b283948e7d70412614df15b0c6f090b8e2486af846024d07
SHA512a27810681074d98cfc45ed7cfae0c621de6bdcd286915fbe4f2d824e84533b188d2d7d581867ea3d9d3b246c4ad066266610a42044295f0dd4fb53a8f2daf124
-
C:\Windows\System32\snmptrap.exeFilesize
584KB
MD546d08c12c0d5e1eabc92ca507f19761a
SHA17e445d1c12b91134350cc7239f97dab2aaaad765
SHA25654981df266d0f54f4b1091392c58989081f07c06ef9b9ed76e345bb9e7f18c5c
SHA512cf949d638ddd1fb90b60e18ee4229b4ee1211386fa5d9a4711b185e26bf32ccb977c2873fb1a42cc4439ac38f03b0526944790784a01ffbfa0571ca0df9a9436
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD59ed20642f1ff3e4b5d1e0a582b10331c
SHA1779aab2e3cc5d2c21d07eab8064a7cabe30c8eae
SHA256392ec157584a769864f455515ca0eec16e902dcdbdfb702646cc520e2f792e6f
SHA512c417f7d658dfb101a9d13f8bd2fd34eab775608de7282450cab92532a9953554499078835960c369cd99234227d897e89331ddea00ced0e2c24df8bf5aec7ebf
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
772KB
MD5aae79c986cea62865c7fea9b88d26af5
SHA1c26b0943f2da1f595591621c79268ff7502e03b8
SHA256e6ca02fd404f59f6c702a8d26c0c90101bb5a181441700a491ca9127e0cfe65d
SHA512f04045c3e095ba275045f13a59ba7837d41a7503be232d7156cd7981e2ba1cef40be8be1535c87ff2268b52149044372fa0a8578b875ec41abf08d28426d04cd
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5192e5511c1b53edbc9b945903c9f23c2
SHA12d3a8c40161ea1a65ae1c5aaa2b6bd16e36873bc
SHA25617a75df89cd6775772531da6077ff5dd1a02fa845d4a68c697be712f5f5804b1
SHA512970ebf698f53f92d0a76c47badc74308a81af9d04290b019337d414ab0ddfbd21ceb1f60d822f596e8b990889b9f4ff96f5c1cba2fcdd7a79dd224a7df5c04db
-
C:\Windows\TEMP\Crashpad\settings.datFilesize
40B
MD5de12892063f81f60b11c0497ec332fa7
SHA1ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca
-
C:\Windows\system32\AppVClient.exeFilesize
1.3MB
MD5f7c53b3275ced8cfe13376490d1b1c6f
SHA1df827e57d43a91deaa77483bca03c50613b093eb
SHA25693e68ab29717526cae9a02a8c611fc7872cec534dd631945c3c78fc80c9927a7
SHA512556b2508fbc0a57952eac6a2473412e0b62d19840fcc7cdfbaacdc1bd3d289053f521935a7229c6c19459f463a761878a8129a670d6b95f4c6621a4d26730fe9
-
\??\pipe\crashpad_3316_QEPVZDARTVIKOGSMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/448-142-0x0000000140000000-0x0000000140095000-memory.dmpFilesize
596KB
-
memory/896-62-0x0000000000890000-0x00000000008F0000-memory.dmpFilesize
384KB
-
memory/896-68-0x0000000000890000-0x00000000008F0000-memory.dmpFilesize
384KB
-
memory/896-72-0x0000000140000000-0x0000000140267000-memory.dmpFilesize
2.4MB
-
memory/896-464-0x0000000140000000-0x0000000140267000-memory.dmpFilesize
2.4MB
-
memory/1172-497-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/1172-143-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/1792-138-0x0000000140000000-0x00000001400B9000-memory.dmpFilesize
740KB
-
memory/2060-632-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/2060-166-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/2096-145-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/2096-514-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/2220-58-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/2220-55-0x0000000000C90000-0x0000000000CF0000-memory.dmpFilesize
384KB
-
memory/2220-255-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/2220-49-0x0000000000C90000-0x0000000000CF0000-memory.dmpFilesize
384KB
-
memory/2316-73-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/2316-86-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/2316-84-0x0000000001A70000-0x0000000001AD0000-memory.dmpFilesize
384KB
-
memory/2316-74-0x0000000001A70000-0x0000000001AD0000-memory.dmpFilesize
384KB
-
memory/2316-80-0x0000000001A70000-0x0000000001AD0000-memory.dmpFilesize
384KB
-
memory/2536-165-0x0000000140000000-0x00000001400E2000-memory.dmpFilesize
904KB
-
memory/2564-413-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/2564-10-0x0000000001FF0000-0x0000000002050000-memory.dmpFilesize
384KB
-
memory/2564-19-0x0000000001FF0000-0x0000000002050000-memory.dmpFilesize
384KB
-
memory/2564-21-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/3140-191-0x0000000140000000-0x00000001400C6000-memory.dmpFilesize
792KB
-
memory/3140-645-0x0000000140000000-0x00000001400C6000-memory.dmpFilesize
792KB
-
memory/3380-181-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/3380-639-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/3556-164-0x0000000140000000-0x0000000140102000-memory.dmpFilesize
1.0MB
-
memory/3860-141-0x0000000000400000-0x0000000000497000-memory.dmpFilesize
604KB
-
memory/4020-41-0x0000000000580000-0x00000000005E0000-memory.dmpFilesize
384KB
-
memory/4020-44-0x0000000140000000-0x00000001400A9000-memory.dmpFilesize
676KB
-
memory/4020-35-0x0000000000580000-0x00000000005E0000-memory.dmpFilesize
384KB
-
memory/4308-101-0x0000000000B40000-0x0000000000BA0000-memory.dmpFilesize
384KB
-
memory/4308-140-0x0000000140000000-0x00000001400AB000-memory.dmpFilesize
684KB
-
memory/4336-640-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/4336-182-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/4492-18-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/4492-6-0x0000000002100000-0x0000000002160000-memory.dmpFilesize
384KB
-
memory/4492-23-0x0000000002100000-0x0000000002160000-memory.dmpFilesize
384KB
-
memory/4492-28-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/4492-0-0x0000000002100000-0x0000000002160000-memory.dmpFilesize
384KB
-
memory/4512-144-0x0000000140000000-0x0000000140096000-memory.dmpFilesize
600KB
-
memory/4652-162-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/4680-24-0x0000000140000000-0x00000001400AA000-memory.dmpFilesize
680KB
-
memory/4680-426-0x0000000140000000-0x00000001400AA000-memory.dmpFilesize
680KB
-
memory/4704-139-0x0000000140000000-0x00000001400CF000-memory.dmpFilesize
828KB
-
memory/4704-97-0x00000000004F0000-0x0000000000550000-memory.dmpFilesize
384KB
-
memory/4704-91-0x00000000004F0000-0x0000000000550000-memory.dmpFilesize
384KB
-
memory/4880-57-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/4880-60-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/5412-203-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/5412-646-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/5724-488-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5724-428-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5792-440-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5792-648-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6292-477-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6292-452-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6368-465-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/6368-649-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB