Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 18:06

General

  • Target

    2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe

  • Size

    5.5MB

  • MD5

    b9f84dfc85391aba7e487dabb54a724b

  • SHA1

    a098d42c1b156823404d05c4622ab2eea6734c11

  • SHA256

    f309b77c920b5a5fee1011c77c7540196f27b5b73745f23f5ee2b02db25cde31

  • SHA512

    b69684d796fbb93c9e830b5e233601e6b595ab62e7bf7e064503461f9ef4c0958faba8686b5e20738568c5b914f8666793862f4843a63a2a4d7b1e1ca3a5d617

  • SSDEEP

    49152:nEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfa:zAI5pAdVJn9tbnR1VgBVmE/iyB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 26 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe
      C:\Users\Admin\AppData\Local\Temp\2024-06-11_b9f84dfc85391aba7e487dabb54a724b_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      2⤵
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e7e7ab58,0x7ff8e7e7ab68,0x7ff8e7e7ab78
        3⤵
        PID:708
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:2
        3⤵
        PID:4700
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:8
        3⤵
        PID:4180
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:8
        3⤵
        PID:2132
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:1
        3⤵
        PID:3424
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:1
        3⤵
        PID:4196
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4344 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:1
        3⤵
        PID:5648
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:8
        3⤵
        PID:2536
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        3⤵
        • Executes dropped EXE
        PID:5372
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
          4⤵
          • Executes dropped EXE
          PID:5548
        • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
          "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          PID:5768
          • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
            "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68
            5⤵
            • Executes dropped EXE
            PID:5720
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:8
        3⤵
        PID:5588
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1908,i,6788484449345383161,7135989274943636801,131072 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:6132
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:1140
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3852
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:4276
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4864
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2024
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:440
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:3664
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:2120
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4028
  • C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
    1⤵
    • Executes dropped EXE
    PID:4748
  • C:\Windows\SysWow64\perfhost.exe
    C:\Windows\SysWow64\perfhost.exe
    1⤵
    • Executes dropped EXE
    PID:3144
  • C:\Windows\system32\locator.exe
    C:\Windows\system32\locator.exe
    1⤵
    • Executes dropped EXE
    PID:3952
  • C:\Windows\System32\SensorDataService.exe
    C:\Windows\System32\SensorDataService.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:2100
  • C:\Windows\System32\snmptrap.exe
    C:\Windows\System32\snmptrap.exe
    1⤵
    • Executes dropped EXE
    PID:3328
  • C:\Windows\system32\spectrum.exe
    C:\Windows\system32\spectrum.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    PID:3544
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3040
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
    1⤵
    PID:1460
  • C:\Windows\system32\TieringEngineService.exe
    C:\Windows\system32\TieringEngineService.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3148
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4868
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Executes dropped EXE
    PID:3760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3664
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2748
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Executes dropped EXE
    PID:4216
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:4228
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      2⤵
      • Modifies data under HKEY_USERS
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Downloads

                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

                                Filesize

                                2.1MB

                                MD5

                                58dc8ccdc18b10c08ce8d4a59116358a

                                SHA1

                                d8facafd6af7d2549a458849ca3a88ddeb25a76b

                                SHA256

                                4ec96458299de5108ec44d150d3c2a62979138bb9688e36da329d0f246e83ec6

                                SHA512

                                6daffefaff10753d3d60a58022d789bfeaf597ec9fb4c4a6067c3e09d88c75c7ea40c23dbe73f3f48860f7b9c02e14e3bceb4fdcf096d46d988d11b5964cb0e3

                              • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

                                Filesize

                                797KB

                                MD5

                                500a64553c15aa9bbcf424b2476b1277

                                SHA1

                                0722ed76e8f28fa33055016ae6235e9196f692da

                                SHA256

                                04731a7881efe50907f7cf98b91f57f84edef935aac84758abcf784bb86be234

                                SHA512

                                986b87860e989ac55cdb508e166e99ba1b0df4354635c04f3c83e59b51442114ed8be448df0f18edb9d357f585f4e164ee1266d9a650da10187ae8c7c731a647

                              • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

                                Filesize

                                805KB

                                MD5

                                59dbd2354c6ebf2cd05faa52964a88a6

                                SHA1

                                e70da277126cdf48dee49929c72c95d4e96c0186

                                SHA256

                                dab6c70b095a496f71130c23f0f00f68d79d00ba3d2469f8c34c1bafe9bc358c

                                SHA512

                                2fec1170132b6e65227e60ca8b29985783a878948473aa404517820c703fe66bd71cacaea88237d85f1d879626c3999a2d164ee6202d2f9fc79e52d903cb8987

                              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

                                Filesize

                                5.4MB

                                MD5

                                b6cbeb708743b55ac082a6d9f667760c

                                SHA1

                                e6cc17d5ac921aaa56ea60c658450f3158a17b59

                                SHA256

                                417391f22ab7a3599db23e652f9ba74a182de0da23e6d992460ca804dbcd779d

                                SHA512

                                f32ddd648a79ab6eb00bac61f6733d179f71ada680dbfddbed713cb3be0b33da05e0e3caffc82430a16c122177289af45cd76518308228896c89196b79574068

                              • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

                                Filesize

                                2.2MB

                                MD5

                                949ff97675cd52214d2fd6b67e0db716

                                SHA1

                                e4be5796148fe274c227fbb7182afc16f7d708c1

                                SHA256

                                b12fc039f09afb1287b61c4abf42e8291afa41490a795b42429762ee16e09e2f

                                SHA512

                                a8a388cbcfd190236f5ef14f2a2c01541b86ad07a83910b558ebe9ddec08812e91e1cae2860c24d8b5c99d98de4c11ece3a0f29d30d93541b2127e2d49fa6526

                              • C:\Program Files\Google\Chrome\Application\SetupMetrics\010508cc-0251-40d5-8e1b-4f5def01e826.tmp

                                Filesize

                                488B

                                MD5

                                6d971ce11af4a6a93a4311841da1a178

                                SHA1

                                cbfdbc9b184f340cbad764abc4d8a31b9c250176

                                SHA256

                                338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

                                SHA512

                                c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

                                Filesize

                                40B

                                MD5

                                0cd429098412849541cb95afaf497de7

                                SHA1

                                34fcdc8c1708981ab8e69a9ccc50ab898d7f7df3

                                SHA256

                                d987cb1f82d1cfa20deebd5947b3ce1b9ae9ca25cb7df736727c507a3a17700a

                                SHA512

                                955809ff9150048d9b739222dfe4c1cc7b4f330cab2858b74ba1b8af8514f1d97268812c0ef81a3d926c9928fab845515a0fbd834a8dd1d0db39359001ce5f03

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

                                Filesize

                                193KB

                                MD5

                                ef36a84ad2bc23f79d171c604b56de29

                                SHA1

                                38d6569cd30d096140e752db5d98d53cf304a8fc

                                SHA256

                                e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

                                SHA512

                                dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                d4caf9bc6793eafa4c3fab14a1f894e6

                                SHA1

                                d6d5e54be48681cbbb49c4405a399e362b30b252

                                SHA256

                                a21b7805a1c09e994e0b02cec1611027d51676027d5650e8eabeb0c18c10bac7

                                SHA512

                                c359599f9d4b394a1ad827ffb00d108df41d2952afddba705a2adae4426bcf1c2a7354b7622c8826ab9890c63f42ed3c1286af474d88b2587d471ba66be021be

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                cc0d68ba14563bc01a51cd9d022d6541

                                SHA1

                                53344264a22d28f6abd8024a03ebcf9a81566a7e

                                SHA256

                                21d102ed03906e8418ec8923e9d2575fc14e81cb6ff7e7cc33bd315b7d0b3927

                                SHA512

                                5526f03b5cfad87809446ad3837cdbfe8f6df8c8f29f5600b470c68bed2d2d5cfa244fc95b59b9e8e74fac556b01525be033dc1938db6d47de8a0a638e5fa9c1

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                eaeb58821efd67047b3f9c963aa74249

                                SHA1

                                d3b2f798d35c912320e6d6be835b9146f5352e56

                                SHA256

                                6afabde8d25227aa8bb003143aeb13fc0626b85ccb26765c8aed5b0d8bc6548c

                                SHA512

                                135034d009d6817452e0bc20236f46a7945b5e2324d4831c6c40357bccf70d8054cbcaa119950585ff1667f861d25ac953055b46013f4c5f887bb9175107bc17

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57760b.TMP

                                Filesize

                                2KB

                                MD5

                                411ac782e18a3f8947b5bbdc13773829

                                SHA1

                                d9a709bb6b79ade9df4024e8fb6e36190070bc21

                                SHA256

                                0217b1195d87db614149675e331d00b581206641c58f6c7cd8cadb92e718f8cb

                                SHA512

                                03cff6f4f72f375b34a35df614de1c0837ec423b3b232e5b863a2d85ccb2f2bc025d1954ae0ba9d117930a84e7fd1b44bc82b488e5acd58370c36e9c24717d5d

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                                Filesize

                                129KB

                                MD5

                                f7fcb07c41d10744e01ef2fec998ba3a

                                SHA1

                                2d823fa267245bd38246556a991eb6b5e71dfe59

                                SHA256

                                e0a7f3056380089e69c45d9edfac8be1ec3c6ac3027a93ceb8bfddcc94b0ad8a

                                SHA512

                                452f3db8413daa91e9dc3867692e72debdb1aa7f0e051572c05829d9ec1144b4b1696d5d0982bf9bb44064c0e6a994ade58072728b9f6b78f0aebf7f0ebadc87

                              • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

                                Filesize

                                7KB

                                MD5

                                79b4acd8efcd9011ea765049c466d85f

                                SHA1

                                26563ce4b8721cd39c8ec2203d8c14551d6cd60b

                                SHA256

                                b15d312c564d5788a10ac59c9c0714f852440866aa2cfea6d5036a1786ea28d0

                                SHA512

                                f574ec2dc905284d7bd0cba6077454ce8c00939183cebbc9a1759381fc3355a79191aefe5405c9fe5468bb6d2668e779bfa0854a399e06687e7b123c736bd2a3

• C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
  Filesize: 9KB
  MD5: 600d3ac91af811507b1e4f708f9c1b5f
  SHA1: ce8c2ee1421a238ec763e5de2fb23b3665df5a31
  SHA256: eb64d5e2280aa5a1f97a4e87057feed9fac849ba749deb7baa1a4ebcf70e0522
  SHA512: 6ada0d15dd0e06f834930ef949dd9ecd8ef82c3b39530f78d111c58c3cde724185cfbf21e95b90e94b0ca41b4e45de6471ab58458445ac436acb779081dcdaf6

• C:\Users\Admin\AppData\Roaming\7a3ef8fe1ed82f9f.bin
  Filesize: 12KB
  MD5: 0726ccdfddb6c334c98dfbf296be3877
  SHA1: 3d2e4e3d3a3df07984b201320ae07b65055d41c8
  SHA256: 03ddabbcd65bbb103111bdac2b742bf50817d0916a2a14848c2e00beef81a788
  SHA512: 3396541ab2ce63e65da8a3805e62f20b19648353d175d373298b3780b332d7eab7ad9a6dac6a70912da9a1d5144de1ae7793fbfcc835103b011cc33c32b586a6

• C:\Windows\SysWOW64\perfhost.exe
  Filesize: 588KB
  MD5: 75d61616089bb1b73b46eda353f21fd1
  SHA1: f9983e291990592f485505abea3309afea8c81fd
  SHA256: daba13268f0b0843b5e1e845c6cc5e10bb00ab6681eb00a0010e531500fe4657
  SHA512: a38b509695c61e56de3a24b667fe09b8811d619a128a173a59f6c8ee4b5bd4e1e0724217ba5d26d8b21833dead81922fbb6aa98687054d46bf898f7d7365ed63

• C:\Windows\System32\AgentService.exe
  Filesize: 1.7MB
  MD5: 80a54d8e44e7325d096d8f7379a5d2f7
  SHA1: f7330c486a48068a21570cf94c251282430fc473
  SHA256: 9e8dac8171d47ab7515b7f4145015734229f83209795a2b5f1efdc0487f5ff5c
  SHA512: d2b075e8316221df23b084ce277612a3d5fb90ea147a19a88cfc05a02afdaefe11aa4dc07fa668c53bcde4cd0b5d5b768b500296bde78e8449314fb357ae289a

• C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Filesize: 659KB
  MD5: 25cdecc6a3d80e8224b2613a4fed78a9
  SHA1: 941b82b9218d7f90fcd68c7b3b2ac6f5aa0fae90
  SHA256: edb09e284f8d4d737cc3b71c673331931dc16866001bdb68f0b5c722823aaab3
  SHA512: a49a5a65238f6c0aa69d0d107c42c4d0038ca32a518627ca07c3601cdfe9016c61015cdc0807140a37e8c23002816351a480bae86b134c37a828fefe46080fa2

• C:\Windows\System32\FXSSVC.exe
  Filesize: 1.2MB
  MD5: 1d8707ea99c8ca6d083d185e39beb853
  SHA1: 77b2e6ac4b3009a07865c80f0bb2ea0a70bbf229
  SHA256: 09ce99e571ff15702ae8a31f0a0d3aef96badc5d9a7ef795c8064798e3d2464f
  SHA512: c938a6606fa8c97bf846707c0d2b16d1686d2f0e30806bbb196ea9c88ea6bea0e1c2db94cd76985061e1235bfd51b57bf2f7af82a09b0e909c31a84963117551

• C:\Windows\System32\Locator.exe
  Filesize: 578KB
  MD5: b43937dc87568fed91c953bba2ae8bb8
  SHA1: 4419e11bfdf7a3b9a72ea147e4be632f54e99d7f
  SHA256: 1b8302f859a1f70ead146ccf6cbf14663cf8a62342ec61703696c46914bfe24b
  SHA512: 959e5ee1b2befcff9b97c03115bf89e8671e3b4613e954c425b5075562da92066424c647e6a319026f1512305f7467ddd4d3dd2a96fd3c5cbed7f29bb5c87c48

• C:\Windows\System32\OpenSSH\ssh-agent.exe
  Filesize: 940KB
  MD5: da76129c65268bcac2fc62cb357ebfc5
  SHA1: bb8b4bb630d1b1f77115486e38d33c7fbca6d094
  SHA256: 22cc1297ee5d73b83ec2e6db9ab2171effb6712a4e98df30d5c194dd8ecee5be
  SHA512: 953030d6da5ee736a600116a851cca68897f1434e90f030b566e085e7e6e744be0bd14d356b9c6490eff4ad8c43749af3dffdfa55c7126dfa2c5a324b0fec874

• C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
  Filesize: 671KB
  MD5: 51dcc5ae5533e9fb02b150c1823cc3c8
  SHA1: 3a3598780b059191912c8b026613bca60b444d48
  SHA256: f4d4139c48dfd5fbece9afedca06ae6e29616a2cdb8f34c7f30ee1b5cbee5bbc
  SHA512: ea6b3408070b8d773f9a16a4093d84a02ae30c40f64de0d9715bcc273cb77750e55fadd5a54b5826b182379e0490f22b95a336088af87871fa2ed976a887c9d0

• C:\Windows\System32\SearchIndexer.exe
  Filesize: 1.4MB
  MD5: 4d67e32ad4f4e7fae4a02eee6005dbf2
  SHA1: cbdb6639d87bda5ac06b58503f75b7fc648c5bcb
  SHA256: 2f0d142a9bfa7545bb2b7e483cdd70ded6c93221ae04d312ca24f05b40e1c537
  SHA512: 3a08ad088976a76ff43dc1032f89597e02c93fddfd8614f245f065cf25f81548d56acba345815692365bd73ffebe61df2bd5bebebf835336b941bf1ee762847e

• C:\Windows\System32\SensorDataService.exe
  Filesize: 1.8MB
  MD5: 1dfa799c5345d5da2d893ba40ae36bef
  SHA1: 9c5a13faee0cbb65c7b6151d188f4e39deefec0e
  SHA256: 36e57035561ff7c5ce5000e940d995b33654a72c4d29869ef2d58b72b5ec3277
  SHA512: 897930126a1ce0b17809542c52e31c2a63a123f75225531c8773700f4f569aa4318a52fdb50c26ace5c89d582eebce092fa7c8e6b0f4c37e001bcae83f590666

• C:\Windows\System32\Spectrum.exe
  Filesize: 1.4MB
  MD5: d8f4751123bbf2ba0532588e5f75649f
  SHA1: 5712db8bc12666892c84ee581892cf448fbd71e9
  SHA256: 490e73576f9beb359fd18dfc54fb191f6b6ae39c7381c22df23499351566879e
  SHA512: df6cf0848abad24ded2b67f4084b828e9283de16d4b84a44caeb867f60d34dd898d8391134e826210ff7f6278cb46dbe9af64886acbb50d1d198148d7553f68f

• C:\Windows\System32\TieringEngineService.exe
  Filesize: 885KB
  MD5: be3aecdae94843ac36d7ce99be90a95e
  SHA1: 5f47b14551710cb781ca7beb1b61e4e71fbee980
  SHA256: cd2d3418f6ccc877600240b5cedbc0384f7a83487c997f9253785b6641ca6fa9
  SHA512: c1747f45933366cf65d93c7fb5ab281a27431a86d948ee33d663944844775e2914f0b51a724de6916209877ae94f42930cf1f43232ca44e03536eb863ebb6a58

• C:\Windows\System32\VSSVC.exe
  Filesize: 2.0MB
  MD5: fb4e8ab14646d3056644842af621a8aa
  SHA1: db02740b586202c8016e8ac8cfdf197ff3b483a8
  SHA256: 21fa6abd4cd4d59c54db2ed0c7bcdbe66235dad550774a990d5c4e712ac5cd97
  SHA512: bf24134489c5c642f0007d4cae3830fa98b7f2291826281b95b9608e04c5c538b191edfa3515133c635f19c4bbf9413f61deab9705bdab57dc3f5892afc6c156

• C:\Windows\System32\alg.exe
  Filesize: 661KB
  MD5: 5977d96d12489406596332ee8e80dba2
  SHA1: 4c6e47c51ed29116db59ed9f217d44e78a71ea72
  SHA256: 74bc515dadb37815c88027a15e7f46b927c3ba840e597b2d92e30e1ef461808f
  SHA512: 0b589fdd5628af9d998b7b425dbf4285d40e8d767ee41fe39af902340e802d3fb8c2f24d715e29019966553bbd305d936b4009bd45a3676b0d091378ad1f7b4a

• C:\Windows\System32\msdtc.exe
  Filesize: 712KB
  MD5: 1ab82c9becadbbdd6ab54adfa1ca7f8a
  SHA1: a08aee56716a8be8cfa8d75ca86c9cba8c737a3a
  SHA256: 64a572d15c0de2da59638165520427f6a418d0fe44112465dad03caf1dbf4a45
  SHA512: 5ff09905ee3c53065ff782da4797666d1f7071d08b6cadc3c199d7a0107c753d36161528c66d4859b6c6aaf1508f3173de4aec5f4db5ebfff99c44af0bcd7035

• C:\Windows\System32\snmptrap.exe
  Filesize: 584KB
  MD5: 367c57aebd1eab502ad406627355b975
  SHA1: 306b9ea45fb2bf7a1dfe6dc6bdb5f5ec4a44f547
  SHA256: b72677dfe3c5415e1555aba94e0536efc67e8ac778a7dd610638997885ac4be9
  SHA512: f7789b8ad666bb8d9027582bf1435ee545ce70c1c9ab03204384c51bff0d442b62d2fc77e80f5ea4f44fb3574f3c65ab9a1f03256eab0d3b15a9ddc1f847c4d7

• C:\Windows\System32\vds.exe
  Filesize: 1.3MB
  MD5: e66ef816a55778156d7d63f617445d2b
  SHA1: 1d9c08883b673992bc66446177430b807e219b34
  SHA256: 7821ad30ac1e891c5738e254f46347ec4c5bd892c43b4326f2755dd675dca6b0
  SHA512: 00ea77a76f9b907f632a5683d70f27993d08e555b5e088afdce5905fb9ec7573df586ab174dc3b0cfc46ff042b8e09abb9be2c9524b85fe17b84236245a6924b

• C:\Windows\System32\wbem\WmiApSrv.exe
  Filesize: 772KB
  MD5: 48b89ebf6d0bef5145dbf295d4d9949c
  SHA1: 8a7f20a142f503a832ab0871c6c65d30ab6824dc
  SHA256: 4060a233efba809badeb1c910dc805fbf0fab557fa0590bcf49bcc8af145ffc6
  SHA512: d8f753778a9ee6a9e739bd0b4a70c261f7a121765d922baca96fb156133c88830504f0c6b532a285c85cb6686465000d48ddcf6aa36bc61cc272e87347941b4a

• C:\Windows\System32\wbengine.exe
  Filesize: 2.1MB
  MD5: 80defce893a068140d9577fc8605abcd
  SHA1: b8bfb29538dfbd6736ce976463a9d41bd0397472
  SHA256: 659c0874a6139250af57d8f8b4103a4ab30284f20fae81ef1908f58affc4c74f
  SHA512: bf35fb5c5eb1f32cbc374bb206d844752cdaf42da9e22d8398a342a629424aa197425bb90940f4deb69c52367620f26b595e4351ea4baa7d0ddc655c837342a1

• C:\Windows\TEMP\Crashpad\settings.dat
  Filesize: 40B
  MD5: 4d858969f9b63ec4e90b337affb40980
  SHA1: c5f517b47ddc66cf8fe32495fe14e425f905c252
  SHA256: d228412aca7296096c2db6c01dfe1e83ca0db6a7fc2512468473c94bbc3e50f9
  SHA512: df058b39862395921f86ab56ac87eec0ed1adb201b988f3bae0fb037e14a1c33d842b7fac2354f0daabe15cf41c5b6757ed9971dc8237e7a5e9377314c6b972f
• memory/440-609-0x0000000140000000-0x000000014022B000-memory.dmp
  Filesize: 2.2MB

• memory/440-78-0x00000000001A0000-0x0000000000200000-memory.dmp
  Filesize: 384KB

• memory/440-87-0x0000000140000000-0x000000014022B000-memory.dmp
  Filesize: 2.2MB

• memory/440-84-0x00000000001A0000-0x0000000000200000-memory.dmp
  Filesize: 384KB

• memory/848-17-0x0000000002000000-0x0000000002060000-memory.dmp
  Filesize: 384KB

• memory/848-11-0x0000000002000000-0x0000000002060000-memory.dmp
  Filesize: 384KB

• memory/848-507-0x0000000140000000-0x0000000140592000-memory.dmp
  Filesize: 5.6MB

• memory/848-20-0x0000000140000000-0x0000000140592000-memory.dmp
  Filesize: 5.6MB

• memory/1140-30-0x00000000006E0000-0x0000000000740000-memory.dmp
  Filesize: 384KB

• memory/1140-39-0x00000000006E0000-0x0000000000740000-memory.dmp
  Filesize: 384KB

• memory/1140-539-0x0000000140000000-0x00000001400AA000-memory.dmp
  Filesize: 680KB

• memory/1140-38-0x0000000140000000-0x00000001400AA000-memory.dmp
  Filesize: 680KB

• memory/1316-6-0x0000000000510000-0x0000000000570000-memory.dmp
  Filesize: 384KB

• memory/1316-21-0x0000000000510000-0x0000000000570000-memory.dmp
  Filesize: 384KB

• memory/1316-0-0x0000000000510000-0x0000000000570000-memory.dmp
  Filesize: 384KB

• memory/1316-28-0x0000000140000000-0x0000000140592000-memory.dmp
  Filesize: 5.6MB

• memory/1316-8-0x0000000140000000-0x0000000140592000-memory.dmp
  Filesize: 5.6MB

• memory/2024-66-0x0000000000C60000-0x0000000000CC0000-memory.dmp
  Filesize: 384KB

• memory/2024-74-0x0000000140000000-0x000000014024B000-memory.dmp
  Filesize: 2.3MB

• memory/2024-72-0x0000000000C60000-0x0000000000CC0000-memory.dmp
  Filesize: 384KB

• memory/2024-404-0x0000000140000000-0x000000014024B000-memory.dmp
  Filesize: 2.3MB

• memory/2100-590-0x0000000140000000-0x00000001401D7000-memory.dmp
  Filesize: 1.8MB

• memory/2100-218-0x0000000140000000-0x00000001401D7000-memory.dmp
  Filesize: 1.8MB

• memory/2116-695-0x0000000140000000-0x0000000140179000-memory.dmp
  Filesize: 1.5MB

• memory/2116-329-0x0000000140000000-0x0000000140179000-memory.dmp
  Filesize: 1.5MB

• memory/2120-213-0x0000000140000000-0x00000001400B9000-memory.dmp
  Filesize: 740KB

• memory/2748-327-0x0000000140000000-0x0000000140216000-memory.dmp
  Filesize: 2.1MB

• memory/3040-221-0x0000000140000000-0x0000000140102000-memory.dmp
  Filesize: 1.0MB

• memory/3144-216-0x0000000000400000-0x0000000000497000-memory.dmp
  Filesize: 604KB

• memory/3148-222-0x0000000140000000-0x00000001400E2000-memory.dmp
  Filesize: 904KB

• memory/3328-219-0x0000000140000000-0x0000000140096000-memory.dmp
  Filesize: 600KB

• memory/3544-645-0x0000000140000000-0x0000000140169000-memory.dmp
  Filesize: 1.4MB

• memory/3544-220-0x0000000140000000-0x0000000140169000-memory.dmp
  Filesize: 1.4MB

• memory/3664-101-0x0000000140000000-0x00000001400CF000-memory.dmp
  Filesize: 828KB

• memory/3664-89-0x0000000001A40000-0x0000000001AA0000-memory.dmp
  Filesize: 384KB

• memory/3664-326-0x0000000140000000-0x00000001401FC000-memory.dmp
  Filesize: 2.0MB

• memory/3760-325-0x0000000140000000-0x0000000140147000-memory.dmp
  Filesize: 1.3MB

• memory/3852-50-0x00000000006B0000-0x0000000000710000-memory.dmp
  Filesize: 384KB

• memory/3852-52-0x0000000140000000-0x00000001400A9000-memory.dmp
  Filesize: 676KB

• memory/3852-44-0x00000000006B0000-0x0000000000710000-memory.dmp
  Filesize: 384KB

• memory/3952-217-0x0000000140000000-0x0000000140095000-memory.dmp
  Filesize: 596KB

• memory/4028-214-0x0000000140000000-0x00000001400CF000-memory.dmp
  Filesize: 828KB

• memory/4216-328-0x0000000140000000-0x00000001400C6000-memory.dmp
  Filesize: 792KB

• memory/4216-694-0x0000000140000000-0x00000001400C6000-memory.dmp
  Filesize: 792KB

• memory/4748-215-0x0000000140000000-0x00000001400AB000-memory.dmp
  Filesize: 684KB

• memory/4864-104-0x0000000140000000-0x0000000140135000-memory.dmp
  Filesize: 1.2MB

• memory/4864-64-0x0000000140000000-0x0000000140135000-memory.dmp
  Filesize: 1.2MB

• memory/4864-55-0x0000000000D60000-0x0000000000DC0000-memory.dmp
  Filesize: 384KB

• memory/4864-61-0x0000000000D60000-0x0000000000DC0000-memory.dmp
  Filesize: 384KB

• memory/4868-223-0x0000000140000000-0x00000001401C0000-memory.dmp
  Filesize: 1.8MB

• memory/4868-226-0x0000000140000000-0x00000001401C0000-memory.dmp
  Filesize: 1.8MB

• memory/5372-521-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5372-585-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5548-535-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5548-701-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5720-563-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5720-702-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5768-561-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB

• memory/5768-572-0x0000000140000000-0x000000014057B000-memory.dmp
  Filesize: 5.5MB