Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 20:51
General
-
Target
2024-05-24_23f2a4182e6f087f1a4c47983e7ce50a_ryuk.exe
-
Size
5.5MB
-
MD5
23f2a4182e6f087f1a4c47983e7ce50a
-
SHA1
287bd10fe08cfcaf0d7bb9d000fe6980cc9e549b
-
SHA256
e8e425e60254c9b19985ea93e38dc397cdc6f0e7a63fbdda888d5551d99e7fbf
-
SHA512
180aced23a888523998ad42046ccf458294bb0e8f50aeda7c80ed0170d8a24a02c235e322ad4a6a00541b4f647f8dcbbba734779dea005dd1dc9d6f30f310f62
-
SSDEEP
49152:pEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfD:9AI5pAdVen9tbnR1VgBVmpehgL5
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_23f2a4182e6f087f1a4c47983e7ce50a_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-24_23f2a4182e6f087f1a4c47983e7ce50a_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2024-05-24_23f2a4182e6f087f1a4c47983e7ce50a_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-05-24_23f2a4182e6f087f1a4c47983e7ce50a_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde10eab58,0x7ffde10eab68,0x7ffde10eab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3684 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4548 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x26c,0x29c,0x14044ae48,0x14044ae58,0x14044ae684⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x278,0x298,0x14044ae48,0x14044ae58,0x14044ae685⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1884,i,8381653047287975175,2244928406980073649,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exeFilesize
2.1MB
MD564d45d3fbf298c85e764e12f62a41b48
SHA16f9f4607ce520120e7b2995b35d0d0ec8f29b3d2
SHA256fc6a02a1d35cd7e6bc5d430c866ecc092a8e3eba33ac9ebb066ea0a7d1c35e6c
SHA5122269811dc4d90dd1b617d556ad53107de17ad8521df7aea98f86eb45e47973672209353214be5f64fb4add5651437015e03b815d24eac89da9cc55ed38facf1c
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFilesize
1.7MB
MD5a80ae56550d45649f3e2c43c50adb87a
SHA1f79b85b4557c6e8c9d0ef7f8eb9da6494225a83d
SHA2565eab2bad5c1f6d07ac353c27d6ee32b35d518cfa8deba61b47838078000b33c2
SHA512f87bc61838a7401770fe73308ee365717db9703637879caada8e461e7e6b84b5dd3e4b81f89d45e46a627af04c515422f671dd965c65612056b54ab5d7be7c90
-
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
1.7MB
MD51ef526948f9b38517650a70d55d074d2
SHA184616d0ed1672d023d250bf5f4b2355769b1848b
SHA256aded941184a8f0358b2acac15eb8f79bc069ead3d325a0423005c0fb04999734
SHA512743e010dcb1ba857c40564cab1fe72f9f8b1446a0d9e12af5f253fac81d4de90fd7009df2871e3dc86cf46cbe14fff1517fce7fb34a784a8c8caa91b45f3930e
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exeFilesize
5.4MB
MD5ab085dbef9fe68849098aa2d954d7a0c
SHA1743c75e15f48db199c94a228f72e6d74065c06ab
SHA25649dc1a5aad8f9d48b19b10efe107c0ac5821e179845d45bc9e9afe8451931cdf
SHA512d8636b05a6fb47bab3a4338deaa2144d350594f8100227201897ae5f1c856f51b933966892bcb3bbfa699c64b22d6073f55ffcfa5e9d3823ef98a2ca226f55d3
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exeFilesize
2.2MB
MD55f8e2253d861e1d69b5308bfa1a8f556
SHA12e15ef41ef203ab25c2050e93fd555bcae39a0ea
SHA25657ad59606bdd8c87c218e9096ac95a32c1f5a99415ebb37d8cc87a67dd706f65
SHA5129289449f84cb124b1afb6168af211df2bd3813bf858312a36f002ab80098c313ebc7e7a0bcc37b3b1645c9231dc2250636b5c322a1c34f9e90b17006dbe730fa
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\5f68789e-52b2-4522-b0df-cbe2ee3dc710.tmpFilesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD56123155f7b8a202460ac1407e231fbf4
SHA113121f6000a380f6621bcb8dc7c83f9cd10ab626
SHA256dc3766fd1d9f14e305d5483a9e886548c3ff3ad2d8497e26a04c6d8c31e7be6c
SHA512ef2e48a3517f58cf068d2ed9e202ba4d2a54afdccd4937c74b5c84d5c4fd47d9b92ddcf3b842a102b426dccae53ab3bc9e571a5cf27cb315be4dc58bdaad34cf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.icoFilesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD580fb3d57b89fe26ec6206c27dee04e38
SHA17a1dd763c7dcbcd12446d4646c7697e91f8df652
SHA2560bcda03f48e545c650f9e0271e2480842c591f058bbd49844c2b498e1db9a56b
SHA512f99b4371cad5611c2ea34cc2322ef8db2f4ed93954344f81bbd74cdf54d2b26939bc23ecf912cc2e36306c6e0631263bf7e20ef509ebdeb626a101459981b05c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD54aaaea1c2cd4b2859dc7d34534381ec4
SHA195c0eb8ff8825462945b95d8a8b643651fc8ba8c
SHA25677a74eb9b089a27605b314990c18c0061482e4b0f3ad5b2cf12e81f1c0ee3e78
SHA512bf6cb6c6597241b76638c3839849db0fa0a377df59a59c3d9e9c69979b04aafb7c2d22c2751f23c7239d70b0d693c0c62b3f0349b475113309416ee22bd24d97
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD57ed9ce619a874014142f4baed1f4f4a2
SHA1692d3bc298372e18657e0d50ee14c5805e64b93c
SHA2562dd6f30b140128843d29a901df1e7134df5e34ed14bfb78737816c21b8a3d944
SHA5128c54942a1944fff40e3b8bfdfc61d649678a1a7490da2615e30ef5e98f4ccc71ca8e067e1eac61e5d3139258a37f41dc6abe1363cf177a1a8f65694efbc3dab3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe577232.TMPFilesize
2KB
MD580c9ece824708be3255fd46fed4fa84b
SHA16ab10396c88f4760224c2820d198207c54f01266
SHA2561f8af8464e8755fd26db7cc2bf44b59934126100a43b00a66da96ef4bac4e336
SHA512c8e8c5ce9c0607264264ceb4ccddc869543fc5b9d3929ad42904cefd147938d6523ee61e5ed2f6f46fba1e6c92f8b6dc14300f4c6c7cfb295fe3274677d9ae2d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5c266d9b0b9323b21d679e909a86438c0
SHA132ad3938c7f81377c5d2de8b21102aaf1804ff7f
SHA256018dbe9e7510a956cc6edf69ad16bdcc7566c8747041f204828232fa5bc77c00
SHA512f96f14c1a6fd2c47495cf946375730d1469774c7219cbc50168fa120a536f68ff0fc87030e6f446422a0dcf86f97702766acbe55996e064198b548bf66440f86
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
260KB
MD54c7937a18b0665e598da71d0c4dc9654
SHA166603ef648745728215285191fafaab250540a7f
SHA256e8ff337e9f20276f6f2c94cc344699d15ae516c07d840d1ca6045a1fb4544b92
SHA51259665ed90fe293436d5f2a042828cb8d4494e4320148a640f3b3b2f52d48a2487d6310d7cf51d29a7067caafdd06188bc25af89ea37948e840c926b0ed130406
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
7KB
MD59735835f2e119fb90a7fd81b433715e6
SHA160a04e3e33ce74cb67e4d51245cf84c19e31d83d
SHA2563caf688f0bd4a711288125c1d4cfc8502627929a9b8b1f51cfc7044d2f8f7dd2
SHA51230ee781338345e54fd99951d982eecef2a17f99ff668d69987d7fd6a71f982fa39733dee730b02a42202983616d6a1756786c99c55f6bdb1167d886d607cf117
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
8KB
MD5c0c08a02f7753dfcbbcdc56666e5aab6
SHA1b8203c4e20988c7a0fd2a022e1d4b7a1bbcee4c3
SHA2565419fee04f8357d824330d51d2dc02413a07822c21e370e9bb3d39bd653f33f2
SHA512737b172d6860bd03d85bcb5c7525943a0b6f6a11ee67ba4a3e5f2e322255f148d18c9219d4bd77c84e81380b92d6a469b6fa1b96a05613751e71f67ae9bf92ba
-
C:\Users\Admin\AppData\Roaming\9b399daf92be0f3e.binFilesize
12KB
MD583e48670e945163e9e4dae62744f5f37
SHA17d8aaeb2e053633a7d4fc87b7fb46621dbb0780b
SHA2567c8bffff439522b6b4ab7348056c8e2ac5deedc9afe2274604039e3bb1556ffb
SHA512be1bb91c944407a24a256cd25e8e7675373f880fcad28167eb76ca7dcfc4936cdd335e7343bd91d078c0de72cdf231fc9b1c54a87afa75e4075e59d3bec64144
-
C:\Windows\SysWOW64\perfhost.exeFilesize
1.4MB
MD5047226ad12eb4df0cc6e60482ac51dd2
SHA1c23b5e294ab94c233da41ac0a2693901bf9ad8c6
SHA25685becdc0877d38bfe137672aea3230ffad52c5ea1a84f38597b05138ae63215a
SHA512ac3c104f2f39281cd4902c38a537804d3cf6c6e3b585f11c6e6aeb48363ab04caa33184e691a61fdf1cfcd86f80a7da9e4a80a0bf1e9f43afec08ea32f83f30f
-
C:\Windows\System32\AgentService.exeFilesize
1.7MB
MD537fe979416124159c13ac9b8f0deaef2
SHA1b0f3bb0c726258c10e204e1788b90a1f02b1e35b
SHA256347624d5efb56f213efbdc0cece4649f396b5fe6b07efc35a3cc3707cc53bc58
SHA512bc34c3013ff18f919e90443b8d845cec27189815cb3c559db27968af017adcf721991c3a6c1287366bfffb0de63e2ed5e4871938d5a963821c07105215fe31e7
-
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeFilesize
1.5MB
MD5acd832d769a1871a71046e664830b1b5
SHA163a1affd6ecaf243a22b248b6839d6e2c7de36ad
SHA256afb07372574120ad0ad687e971c51f44fde645564ea1bce1f7e139a133906c9a
SHA512a17b5306bfcbc0b6e635c5285102538b248c33d2152a38a63db7ba532ca693ba4e7144afc541789656c495661a4e28fbe8aeb28566e49a15df6e1a223c8015df
-
C:\Windows\System32\FXSSVC.exeFilesize
1.2MB
MD55136c32796de165a1c78a0a2de5cbdf5
SHA1e634197d302a6c99f5559154f3d077416f32a1c5
SHA25658e53207403b5a498ffde969b48dd2458c0120af64e5b7704c74504df5932d7c
SHA51226bb9de34f9de5793b54d0bcf54102ddca2ed95faa6206110befb2682ce9dd7a5b77afdc06c005d4ee5320721c64bfba38a006de38b6f2b7c819fb06bb632226
-
C:\Windows\System32\Locator.exeFilesize
1.4MB
MD53b96dbed2a9998c990e1197e90e6b66e
SHA1ce515df1a0629cf56ac495559fbe3453080b0ead
SHA256b69a8b0c9377e5dca6261af0ab8fca259b4e51c493a05a2ff3a3a64758bfa120
SHA5124186391d00539caae8e10535c6881cdbb1be9b341d2d482f8346efa34e10c32677cabb5029a914b7265fba6d8572827534f9b018e0e0ba1eade6983ff3e7c166
-
C:\Windows\System32\OpenSSH\ssh-agent.exeFilesize
1.8MB
MD5af18be939e1d4a1a6b9b217b81af04a9
SHA1480dfc294d3a11a41d407dc5d39c06eab916a994
SHA2566d5ab5470673a493950170ed57abfba5a672828a30a76522795a904a1c792824
SHA5129928a6e51d80976a4846c1cbd28735f877a422af8c435ea89f5ade22f2ba8e9d6b68ec60e43bc5ad57428c46585e0395a178b1cd54be57d1177ac42507601fb6
-
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeFilesize
1.5MB
MD595841d4359e6ffd4e9e8acafd08587d6
SHA13b8afbf759e34add5433c13cd274ecd0cf0b86d3
SHA2566ab2a6a2f4285fd12757a356f10f71f79232c3dff843cff7bc5fca3dfcb9b27f
SHA51278d6ff58d39696430f197b548fd35543e6714fa09e83650bfcb663e3174ad606d205917cb987c103f325ecb654853f28f218fe8040d84765bcfbfdbb21427802
-
C:\Windows\System32\SearchIndexer.exeFilesize
1.4MB
MD5def1efe34f1c99e82daff91651560baa
SHA1abfa55b2b084d6cad54e73eae7444fa3f630810d
SHA2563f0c7b12ff6941a37be9dedf91b6dc020d9698a71dd91c3a81ce25c6b3332afb
SHA51216e10a08456f9fcb5a37735987b437551ad5108ad01a85f8626d781c7441adeb2caa704ffa151c01f11223dc2994e19ca9650d5a31460f5481ba3afa1fbf0cc6
-
C:\Windows\System32\SensorDataService.exeFilesize
1.8MB
MD5502fe5bb95e02b5c1c1b82ad90fb3785
SHA1fc488318fbc4cc74a33ede3714b38aaf7b4980fd
SHA2567b7ceee58d90c0ec4cf78c911b942130c17155b26a489bbda92b0f736c88bd70
SHA5120958fe3b36a022b8458666a52612b8a1065b1c273e59515f72b18e63662da9758162c0a24deecd3473c2aeac38581d05fd1acc8b3021e662463653a1159c9b4b
-
C:\Windows\System32\Spectrum.exeFilesize
1.4MB
MD5f5164c0ecd52c7e03701db290da478ff
SHA1d2377aafa43c35a80c63b309a87a0b873a7058fc
SHA256b7b5ff1a296320a8421aa08e640d7e6c8c8d5d2c59973dd84c767f6a9b3c4d7b
SHA5121e3add408af2c9a2f7708ae57765b4681916851951527473c038cbacafbcd081e32b7bea24b7f0bf601e20ef2cb7ee6e8cde412a661711df810c2ca4f68f93e6
-
C:\Windows\System32\TieringEngineService.exeFilesize
1.7MB
MD5e96a125a8fe142b7015852b7d2f1b1b0
SHA194d5fad67e688a2f3d2b7e6a80413865d9ead25b
SHA256ef41551564c18f6b2ea15c925594aecda68b6a80c51ce9f6f393df4ce28bea01
SHA512bab1e7df13f0631d3b40c2eb918750fb9251ccb68562120448688e84a9e1f1496b9f6b605e6c8df40766041207af11dfa9bb5e6321d571eecec61f815a37a5fc
-
C:\Windows\System32\VSSVC.exeFilesize
2.0MB
MD5509a4ee64736b09a8831268116497dfa
SHA1149724f05837938c99a43b31d16aae978f0870f7
SHA256987634c6524b370d3e03c62344687703d3fe9c171eb48a16eaf6754982ebb8c8
SHA5125614da53e46e1a8c3cec1c31b715f2ac653ce7adda9d87f48af4b5d15c1798cb9060c3bd582b326bbd51aef0e736dbc9bb8a68eef5b30ca8460633ce946c59e3
-
C:\Windows\System32\alg.exeFilesize
1.5MB
MD53ee3802b3ad87719f8849a410dc42f6e
SHA1fee7aa99bce2ff3cfa87f14c08fee589c3b489fd
SHA2560351371c83437f076f802ce9a116b86fab3bcd12cfa56f2d14df0f0c0c3e0ea1
SHA512088a9c6e69a6f8b7fdce5d536cfe59880997e50db9db41b237471ecf7b7c5864d9aa856d8cbe6a0d65db2a71238016af5f7059068e98f803aa2702a7b505853c
-
C:\Windows\System32\msdtc.exeFilesize
1.6MB
MD5620f1d794a020dec765181785be159b8
SHA1cf3486bba2b1a7d7d8d7ccc5810a1a6370c93ab8
SHA2568a3c6e3d207d5898af07a491d9e28487f37a8067072fddc175768e0240a4d826
SHA512cf60a31298782353d6a8561d8068da6596d5b12cd8f6a84f3815fe0306f9a4600337b8d872a1513290c22d13a2d20f33da523aeb0984ce0674ee34099ab0b574
-
C:\Windows\System32\snmptrap.exeFilesize
1.4MB
MD5306354d63fc3cbe2159417946f5e22de
SHA13d779690a0038f25b503d7f0f96167158bb1b46e
SHA256a8176329dae946954165b63827b1ef642bcffd69de1406c1d84789f0bd325c60
SHA512feea8a83d74190eb37f55459bf4f7de8a1246e6f249cc3dfab5e5a237c5e3c0dad7c67fefa76c2042ad6c8fde0d93169cd89cf935aac87a3c8914fe2f43f058e
-
C:\Windows\System32\vds.exeFilesize
1.3MB
MD5ae32597c9ff0f86a668df94b6c933627
SHA16353e9058cadb385a52cb6b5eba3fcadaa56276f
SHA256666f9071c9c1cdd44ce8c220c2f782b22463bc99a6f0a660903da7d058a9893f
SHA512be8b7a9f311ec0860adb996ec6f711d916db39c258dbf8d880821b740256e693bb2b30c26a982e0122e17230e5bd80150fba044503a2fd08589c937fecccf2c2
-
C:\Windows\System32\wbem\WmiApSrv.exeFilesize
1.6MB
MD5763ac8ca6462b9525af533e0aad8bcce
SHA1b0ff87ea6855c62b12f054c16c98fa437f0480af
SHA256ac5e820fc22d0aff3a4cb0ecb01837124c1c39879926b925f75cf8205b0592ac
SHA512b62b01ac7c947ec4ade2b4e69511f913d93ed5d088723285d6c4fe144736e2b10ef1d43e08510196ae1d1232404ab0176c7dfe0edcdcb018431faa4a9d0940d0
-
C:\Windows\System32\wbengine.exeFilesize
2.1MB
MD5bba905480058a03e610899304c3d44a7
SHA17c3b04510268e96e104f8435661b1b0fd7b50189
SHA25617803e45c163a65f553b8cd17fcc8ec2287b31d78ff406796a410d3237c3e12f
SHA5121f7c4336810b21d0c9bf9554fc380452d2dc9d8854be13b8b8476069dd5f235ded4240852d0fe447dfb6442fc8196118d8d2aed85b74d2b7c0cddb7a5b889c68
-
C:\Windows\TEMP\Crashpad\settings.datFilesize
40B
MD5f8da1e3912337378c0f722f616cf6aaf
SHA122482c3e69a3b76d24d4e88d30e345654afd0338
SHA256342768ee193e599905624366abf160660028ba384d57ae4da8734bc9473b010b
SHA512b72adac4dc3ef8cd0c1275eaf376da652f8aa271a162aac1a54571f6f93c0e5fe9fec69a9cf380f84fa3ce438f06e3c9c2493a1d422f5d1bf4c46d6962ca9f47
-
\??\pipe\crashpad_4116_DPGSIDZENUDBBWNJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/556-545-0x0000000140000000-0x00000001401A6000-memory.dmpFilesize
1.6MB
-
memory/556-225-0x0000000140000000-0x00000001401A6000-memory.dmpFilesize
1.6MB
-
memory/1640-456-0x0000000140000000-0x000000014018A000-memory.dmpFilesize
1.5MB
-
memory/1640-27-0x0000000140000000-0x000000014018A000-memory.dmpFilesize
1.5MB
-
memory/2116-228-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/2116-546-0x0000000140000000-0x0000000140179000-memory.dmpFilesize
1.5MB
-
memory/2364-210-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/2364-499-0x0000000140000000-0x00000001401D7000-memory.dmpFilesize
1.8MB
-
memory/2564-535-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/2564-71-0x0000000140000000-0x000000014022B000-memory.dmpFilesize
2.2MB
-
memory/2564-62-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/2564-68-0x00000000001A0000-0x0000000000200000-memory.dmpFilesize
384KB
-
memory/2692-91-0x00000000007B0000-0x0000000000810000-memory.dmpFilesize
384KB
-
memory/2692-97-0x00000000007B0000-0x0000000000810000-memory.dmpFilesize
384KB
-
memory/2692-206-0x0000000140000000-0x00000001401AF000-memory.dmpFilesize
1.7MB
-
memory/2732-207-0x0000000140000000-0x000000014018B000-memory.dmpFilesize
1.5MB
-
memory/2732-103-0x0000000000B40000-0x0000000000BA0000-memory.dmpFilesize
384KB
-
memory/2960-218-0x0000000140000000-0x00000001401E2000-memory.dmpFilesize
1.9MB
-
memory/3600-19-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/3600-415-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/3600-11-0x0000000000730000-0x0000000000790000-memory.dmpFilesize
384KB
-
memory/3600-17-0x0000000000730000-0x0000000000790000-memory.dmpFilesize
384KB
-
memory/3932-214-0x0000000140000000-0x0000000140169000-memory.dmpFilesize
1.4MB
-
memory/4064-213-0x0000000140000000-0x0000000140176000-memory.dmpFilesize
1.5MB
-
memory/4140-224-0x0000000140000000-0x0000000140216000-memory.dmpFilesize
2.1MB
-
memory/4168-209-0x0000000140000000-0x0000000140175000-memory.dmpFilesize
1.5MB
-
memory/4228-154-0x0000000140000000-0x00000001401C0000-memory.dmpFilesize
1.8MB
-
memory/4292-220-0x0000000140000000-0x0000000140147000-memory.dmpFilesize
1.3MB
-
memory/4380-58-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/4380-55-0x0000000000C70000-0x0000000000CD0000-memory.dmpFilesize
384KB
-
memory/4380-49-0x0000000000C70000-0x0000000000CD0000-memory.dmpFilesize
384KB
-
memory/4380-346-0x0000000140000000-0x000000014024B000-memory.dmpFilesize
2.3MB
-
memory/4452-219-0x0000000140000000-0x00000001401C2000-memory.dmpFilesize
1.8MB
-
memory/4484-221-0x0000000140000000-0x00000001401FC000-memory.dmpFilesize
2.0MB
-
memory/4504-205-0x0000000140000000-0x0000000140199000-memory.dmpFilesize
1.6MB
-
memory/4540-208-0x0000000000400000-0x0000000000577000-memory.dmpFilesize
1.5MB
-
memory/4768-57-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/4768-60-0x0000000140000000-0x0000000140135000-memory.dmpFilesize
1.2MB
-
memory/4836-0-0x00000000020D0000-0x0000000002130000-memory.dmpFilesize
384KB
-
memory/4836-6-0x00000000020D0000-0x0000000002130000-memory.dmpFilesize
384KB
-
memory/4836-10-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/4836-21-0x00000000020D0000-0x0000000002130000-memory.dmpFilesize
384KB
-
memory/4836-25-0x0000000140000000-0x0000000140592000-memory.dmpFilesize
5.6MB
-
memory/4852-80-0x0000000001A40000-0x0000000001AA0000-memory.dmpFilesize
384KB
-
memory/4852-86-0x0000000140000000-0x00000001401AF000-memory.dmpFilesize
1.7MB
-
memory/4852-74-0x0000000001A40000-0x0000000001AA0000-memory.dmpFilesize
384KB
-
memory/4852-84-0x0000000001A40000-0x0000000001AA0000-memory.dmpFilesize
384KB
-
memory/4852-73-0x0000000140000000-0x00000001401AF000-memory.dmpFilesize
1.7MB
-
memory/5060-33-0x00000000006B0000-0x0000000000710000-memory.dmpFilesize
384KB
-
memory/5060-32-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/5060-43-0x00000000006B0000-0x0000000000710000-memory.dmpFilesize
384KB
-
memory/5060-460-0x0000000140000000-0x0000000140189000-memory.dmpFilesize
1.5MB
-
memory/5236-547-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5236-442-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5316-492-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5316-431-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5632-481-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5632-458-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5688-469-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB
-
memory/5688-628-0x0000000140000000-0x000000014057B000-memory.dmpFilesize
5.5MB