Malware Analysis Report

2025-08-10 12:33

Sample ID 240403-ptv4esdb7x
Target 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk
SHA256 11073d014e6030f3fd360f5fb86285a84f349f402cf2bea8c55f0da92791abc3
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

11073d014e6030f3fd360f5fb86285a84f349f402cf2bea8c55f0da92791abc3

Threat Level: Shows suspicious behavior

The file 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 12:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 12:37

Reported

2024-04-03 12:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"

Network

N/A

Files

memory/2188-0-0x0000000140000000-0x0000000140592000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 12:37

Reported

2024-04-03 12:40

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\254ce263b3e2edcd.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Windows\System32\alg.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000977568e1c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eefd09e0c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8687fe2c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000301909e1c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566214890378035" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4857ee3c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048398ce1c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084507ddfc385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000003ee5ee1c385da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe
PID 2360 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe
PID 2360 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2360 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 1092 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 1092 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 2480 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 3468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2644 wrote to memory of 4928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x140462478

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa5179758,0x7fffa5179768,0x7fffa5179778

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4776 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:1

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc547688,0x7ff7dc547698,0x7ff7dc5476a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc547688,0x7ff7dc547698,0x7ff7dc5476a8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:8

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3160 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:2

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.googleusercontent.com udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
GB 172.217.16.228:443 www.google.com udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 34.174.61.199:80 npukfztj.biz tcp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
GB 23.44.234.16:80 tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 42.36.251.142.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 218.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
NL 172.217.168.195:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 195.168.217.172.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
US 8.8.8.8:53 saytjshyf.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 8.8.8.8:53 qaynky.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
SG 34.143.166.163:80 qaynky.biz tcp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp

Files

memory/2360-0-0x0000000000710000-0x0000000000770000-memory.dmp

memory/2360-2-0x0000000140000000-0x0000000140592000-memory.dmp

memory/2360-7-0x0000000000710000-0x0000000000770000-memory.dmp

memory/416-11-0x00000000020C0000-0x0000000002120000-memory.dmp

memory/416-13-0x0000000140000000-0x0000000140592000-memory.dmp

memory/416-18-0x00000000020C0000-0x0000000002120000-memory.dmp

memory/2360-22-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\alg.exe

MD5 25106ceff92da07d52c60ca6259ae34c
SHA1 01c824fcca8e995c3fea9620c964d368d6c513a4
SHA256 0cd7d44cc25706393113096a8ce39ddd935e30a1409a0970fe74e71eeae2ccef
SHA512 740b29fadc02cf38fe7638830909a60860407ccde19be2e123a68aea44001d95d2c1cef1fde134d2cdf36a350f62b3e06c9a45ddefcb2ee7171ce1b6298c9b4d

C:\Users\Admin\AppData\Roaming\254ce263b3e2edcd.bin

MD5 e723496210060ff0b08e9e3afa126552
SHA1 e659ac4b9e50d19446b79b25788fb40303be2b48
SHA256 96a5ebfc6f7d41fcbd618754004bce9324962bc3a9432fd08cad127b8a101d11
SHA512 0109523a4b0dacaac1c3a033d61d9cf2c0cdbf0ad5dcf100674be4018784934a43c15ed6a0242e4eee2079daaf676739ad872aca0ec0cd8216b340c6e9c9bdf4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 85cfc13b6779a099d53221876df3b9e0
SHA1 08becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256 bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512 b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48

memory/4640-24-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2360-30-0x0000000140000000-0x0000000140592000-memory.dmp

memory/4640-25-0x0000000140000000-0x000000014018A000-memory.dmp

memory/4640-40-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 1eff1cac58fcad06bdb617346a5e0ebe
SHA1 6780be0fe29321e6090ce5a997da8a0de05f085d
SHA256 ffac0b40546a2a00bb21ac7b4fec0dc253900d736eae440066885d792b74539e
SHA512 0ff096d200f3ba1ffe8139ac84647541b5878ee71a4483e7a09fabfa5b449fbc27cc4396d840c040ce8aaf16e960ac3e836f396590fa5cf0022e28e880b0feca

memory/4828-45-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/4828-44-0x0000000140000000-0x0000000140189000-memory.dmp

memory/4828-51-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d773b6630e4eba15be00df01abc078de
SHA1 f6f0d8d868ec84a7fb5f115b4edc24d98f67d090
SHA256 570c215a79bf07888ccc8b57eacec08285b2b381edf3a13c9f7c206f4c05ceeb
SHA512 10abcf992893bdc00ee074ee0b32bd0fa56b22bef3587af7ed5b32b59d4d35fd50a67da6d5a07677d08243f50eb08e51d9aa7ece0eafafcb2c4158b3e584bae5

memory/1116-57-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1116-58-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/1116-64-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/5044-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

\??\pipe\crashpad_2644_IGKXNWXYTWOYVMPT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5044-78-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 6f82c9476215e4aeb85450d59b3630ba
SHA1 5bb46f5f4db57786226826dfca800836b2b6d102
SHA256 9cd500daba158198d8279d73fee4ffe01032b2a1e82e17bcfdde769535fb04dd
SHA512 37692aa7ccd64e3f189af83157d900b32f24a1f97dd7385d13811866633f815f03898e06efc9cfcf42a9658f8594d29f92b1c157da5788fdf0802463dfb67c62

memory/5044-84-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/5044-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/1116-88-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/1116-94-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/5044-98-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/2776-100-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

MD5 c9116c3a79df6281a6e8572f38d6245d
SHA1 eef59f266eabb7b81962b8350e43c36276abf9d2
SHA256 fc9413b06858ebe284b8b1418096d30d770e836d167968d306a84121ccd1205b
SHA512 4e4d43e32f8f58478e303ac58be23722c598d15340df9a3b018a190794053aeb6cc4fb611b5f2008993a38b80749b67e5279e0b1d96dc7308fca4e9c0f490f17

memory/5044-101-0x0000000140000000-0x0000000140237000-memory.dmp

memory/416-103-0x0000000140000000-0x0000000140592000-memory.dmp

memory/2776-106-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2776-110-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 ae824ae1b7c6fd132248c9a43adb155d
SHA1 f516697681e3673822fe1d22bcb39a94c0efbdb8
SHA256 4ed5b9f1f21bd1838840c02c579246c11d1f1e5af41ddc57b50723a64604ffcd
SHA512 3cf0cf2e8cebde9c5b9975d35c7597bffa59735dc8490b44dead7662c092ab388d8607f3f96149fc7a2f329a62b569fe8913f03d3575a8d2a62b6205abe6e658

memory/4640-115-0x0000000140000000-0x000000014018A000-memory.dmp

memory/924-117-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/924-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/924-130-0x0000000140000000-0x00000001401AA000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 71dbc3a71781ff8437ec92dae93e6f75
SHA1 0acf49aedb8f1bc8f8e0c50765397537dddae7c4
SHA256 1b0b827ef2fc842383227150369e4b6966d3906903505b820d19029649c880d2
SHA512 b914d448bbc0dc75e8a43b19cebe3da14faca546bd0a149d4a3ea9e487cb0558d15225847a5e37aeacb8b5fbd5ecaf2f7619cf498fcb96cb7e7adcd3e754ca39

memory/4828-133-0x0000000140000000-0x0000000140189000-memory.dmp

memory/5156-134-0x0000000140000000-0x0000000140199000-memory.dmp

memory/924-131-0x0000000000CD0000-0x0000000000D30000-memory.dmp

memory/5156-143-0x0000000000D10000-0x0000000000D70000-memory.dmp

memory/5280-148-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 ca4d8a85bbbb3b92b5d6ec4761f3bd5d
SHA1 88f11c5636fa1e071af5ca216f04132b13b2e22b
SHA256 c534bd87388366abb9b576313f738711066ef588e0961b5087689876134b341e
SHA512 c58f7fb2931af26cdb7864a764db3b539b1949fe185e617aa39a64c9e4420fa7130217560f137076598f7aed6657fc527e8710d9fd195722122c13e1c603c5a3

memory/5280-157-0x0000000000800000-0x0000000000860000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 5f04235c408aa8fd692527ee31c1a8f6
SHA1 499fa04f05304256aac26a9762609b05e8975992
SHA256 cc06c6ae41cf1db1f7e518e7a047dccfd1c83ca519eace0063b932a365f1f956
SHA512 9929057de688d91952a8eb4abcaaf2e686aad3da444f2ff215cbc3067d680bce1da5178b1599322f1be06ff7ded398b68a7c0e71900ef7227ba24f8838018551

memory/5400-163-0x0000000140000000-0x000000014018B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7e49e7925c3076178d9a169c97921afa
SHA1 63aa3c51a37d87c83f284eae3d81329ada45a131
SHA256 a759b9c70e06ebe2e5945bddbd02fa6c92a01b5cc646a0584ecc95bb4190583f
SHA512 0d8c9b91984b8a7965c0113e6365160c19283de6008f5dbbd389c5816501652c02c35ace49dc2d4707574a2184d0ca3ca28cc61a73e8882f916c06992b6380a5

memory/5400-175-0x0000000000600000-0x0000000000660000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8572434b540e6d904e5bef40577ae0b0
SHA1 dd06378f83c962de01e67391b9b6d886ff7a039a
SHA256 55d846cbb27bd54b2e2ad01245deddd0926bf97440e0a0aa4738d1028f924c9e
SHA512 e980de6d664b7406a5f3a9d9fe6dc5910c28c34c98530eb42d813f36829759204a44beb8aa8552322079f9b77371e5d1a7573ea2a6fa675bd9d20ba30d25c38c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe580fba.TMP

MD5 04695aadffdaf28b5be826d27d48721a
SHA1 ce79df7c80926a86b0e1a922a05bcab16c7620c4
SHA256 0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51
SHA512 aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54

C:\Windows\SysWOW64\perfhost.exe

MD5 eca8f30709ba107bb19862ddd3ed844d
SHA1 80b9d069ec12de12d1d57dee99d26c48344769c0
SHA256 f7a128622d494a6777cd6111e41a548deef8ebf44a227a030c46955242672c7a
SHA512 1a5394dff6a163950b29ba6cd08a213baa2e9508c6c0c8af56f2cbb319cfec70565ddc7ee9955165a187890e17f6d71a2dc02151c8e67d021b6251362c9cc641

memory/2776-190-0x0000000140000000-0x0000000140245000-memory.dmp

memory/5560-191-0x0000000000400000-0x0000000000577000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir2644_1374066822\78980930-79e9-4e6d-871b-b2b591059468.tmp

MD5 2cc86b681f2cd1d9f095584fd3153a61
SHA1 2a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256 d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA512 14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

memory/5560-216-0x0000000000600000-0x0000000000667000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 f3423ba4e6c3f509be72ec42dc374507
SHA1 7ea3348c87675ce09ba098cb68f6a4a8c315c920
SHA256 769a0b5bf09dbf5e76e438d1b187a18f12d5c54e56eb4a3ae5758d5376bc496e
SHA512 315011e88800c887d90d9cf98d9a6e1e2b6e6aed6a9a53a7f07ae06378ed225149bd7ac831bc7fe40905699d0f96349e0da4cb7ddba03f2aa2a87cbb218a90e5

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 7fdece46ce5aca750a7de643c1779718
SHA1 9e65a89258a39243f1a019a489239c4caad48c43
SHA256 8e146dd1b2c67f406ed4005d42e074af34fbc8db6aff32c0ac7926e4dfa8bb24
SHA512 c1143d272578d24b2786eb8b4cbedf0f76758efb9e3590db6b803bad0a8d06226c3a2c3e1f4ffc6a1b9b30df9346bf5ca39cf96573806581a36ee280c248ca3e

memory/6052-223-0x0000000140000000-0x0000000140175000-memory.dmp

memory/6052-232-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 5c8f6512bced49242dfdeb87e927db82
SHA1 5a256157c9bb0b03b923f5d33bc88abb95cbdbfb
SHA256 3ed7bf4a112509765aaf6d782cc92c4e821d1c5d0d9610e23600ed96342ebd26
SHA512 95b702c371ee3b51d4d6b51eb18945affc12503e1cc4e2a2b7e20d6dee2f2da276eb797fad0d58f893f94ae50e27a021ba8555208bfb4d963a34bac58bf87ea2

C:\Windows\TEMP\Crashpad\settings.dat

MD5 0e1a0df5323f02fa141b11070035f203
SHA1 4662c48107aebe02429f78dc0ab4328f88ea9e8f
SHA256 169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7
SHA512 5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5

C:\Windows\System32\SensorDataService.exe

MD5 7222ee61b97ca656bf983505bebaa4ea
SHA1 82326d91115067083c48761e3b9581fdfb872a89
SHA256 6f3d83e90c95ba26f55252311a19d553ebf5e95ad59d6776f506b7350aa57217
SHA512 b0777f6f2215443103a60417e22ade5d044ad51b11e91b358cd3413bf50bb291274eb42c7716bd5b1be588da3aed4dc98e3e4e9b78cc353060f60d8a01906fb6

memory/5156-239-0x0000000140000000-0x0000000140199000-memory.dmp

memory/5304-240-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\f963222c-5a2b-46df-bf51-846ab08c4bb4.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/5304-273-0x00000000005E0000-0x0000000000640000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 b85179d4ffff32dba0ce91aa153a6ca1
SHA1 f2cda5d5b701235b4849bc47cb02d6cbff7d6b6b
SHA256 c75acade629d1d67148d549dddad4a8972a95d157d6ceed257252f602d7e9689
SHA512 7f88c09814398a5ebedcd33edfc6876377fb6b86c715362dd2f02c8c1a0e38f75d6bce22c2fa94582371d08722a6e3f5aae8a69228093d4476f457e34db19e67

memory/5280-347-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1888-348-0x0000000140000000-0x0000000140176000-memory.dmp

memory/5280-356-0x0000000000800000-0x0000000000860000-memory.dmp

memory/1888-358-0x00000000007A0000-0x0000000000800000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 4c63e1c2ce83169d2430dcef498c3997
SHA1 f65d29c3a182daccd4faaf5954fe36971df6f02c
SHA256 a29c2e891b705fb6f5ce0469b157cccf6f1d78bd4fe28975ac25936305a20e81
SHA512 6ec8ded34a7d75d14386c8571a9c400d7204c857310b636f72f9b1d0aaa17a7bc005ed24c4ac3a7c9b813e0d6ad486648e4e32ae958a1bb86eafadbc5dfa4b02

memory/5400-361-0x0000000140000000-0x000000014018B000-memory.dmp

memory/5464-364-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5464-372-0x0000000000660000-0x00000000006C0000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 aa75a793b45a1f2ab955c9ba653f31f5
SHA1 e0e70bcdf914c6f0f807e778d7bee1b64f290fd9
SHA256 950f54159b1ee0a2b97dc2000ae1dffdbfe1cbf2bf6bac3200e3cdd266a66673
SHA512 76762bbae396f9780e0a631c29e44da063f81ba85405525d13a718c562ef7547f36800b852a719087bfa834ac6950e97fb0353e6888f249560ce500f28d790eb

memory/5560-384-0x0000000000400000-0x0000000000577000-memory.dmp

memory/5860-385-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/5560-393-0x0000000000600000-0x0000000000667000-memory.dmp

memory/5860-395-0x0000000000D90000-0x0000000000DF0000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 d483bd3b73767f4203b0020d2406ca64
SHA1 802d7d3a2ab31c8274b1da5438fdfa9c14c1b2c3
SHA256 ef31cd7eed269058d43b97871a03502822bcce63d212683431a0f4bbef4af378
SHA512 f7239afbc992b29d5081f767a28d27c9afe99efa750790905025b785ffc9fa6b38bd39b55ebf9a9bdc06a226f68bd6b41dec6d66d3ae7968c503ffcb84666bed

memory/4648-401-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/6052-398-0x0000000140000000-0x0000000140175000-memory.dmp

memory/4648-408-0x0000000000830000-0x0000000000890000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 3891712cdb186bbfa1511a214d3a5a62
SHA1 d1a6a5619c2b53079b89a0a66e526b3e72858ba0
SHA256 aa219c64e77963a4d50e470aad88d325b8d0c714346404656a733d22476a03c9
SHA512 838da1264459f290d28450b1a0649eb99073baa76e31f5736e9ef488e41ebc8ff69e8bd5f47fd2eca8fa633a1852a85a3b8e7a5e18cd81f4cacdce4471997076

memory/5304-411-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/5368-412-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d87f2d1c8c702d49878b32cb8e8af2bc
SHA1 84a4146ecab48b7be73a16fbbfd55385ac41a2e3
SHA256 116e4d05652538d695364ee611c7932dca3633b6087f8207f0b15e7fadce417c
SHA512 96c30c5b759ffa32e57ee1729c4ccb925fb6d5b00e61aaa2628b5c78812536791807050c0c4e4fdef1dcdd79cffd325a4435cd44196c9b1c23b1e463f5262150

memory/5368-425-0x0000000000BD0000-0x0000000000C30000-memory.dmp

memory/5368-430-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 b19622686f2a057780b7caa136d7eb9a
SHA1 dc989ccc0a612c6d414db583ccfff3145559644c
SHA256 f57e798c1e6657e6013d94c74fe2c6269f8346710c5588dbe5368ac24df0dc50
SHA512 d8e766b0ba27bb936878818bb6fb28e90a3ab26a44009d36867664302b229e69b5d03a0f338220aaf6ccac23b9b1bc9efc49922934a0afcdaae46ee07057f4eb

memory/5368-436-0x0000000000BD0000-0x0000000000C30000-memory.dmp

memory/1888-438-0x0000000140000000-0x0000000140176000-memory.dmp

C:\Windows\System32\vds.exe

MD5 4dce5b6ba7cc58aefbb132592b567c47
SHA1 544684813ce201f5782c8ddbc7161b4cdda5cc22
SHA256 5ce45e9ec1cb3aba8331eda64388c05b8baa386810c3c96995336f44232a6f92
SHA512 3beeab5b5d0470dc9219213007e7ecad039a34095e86f6e896d7dcae3e9bcc5a91280f80231957158c5f6be90755faa3018aeefc564dd2e8ca597fac6f8babec

memory/5708-439-0x0000000140000000-0x0000000140147000-memory.dmp

memory/5708-447-0x0000000000C60000-0x0000000000CC0000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 cc44ecc67c754fab40e47028d9679492
SHA1 619ae59ac42dd874e4eed693724340ea8c9eb6e1
SHA256 c8a32f9c8a8f4d303e9a7e8ebae95bc8f98a7716a893080e2833cf309d254c50
SHA512 2adaef049cdc50c065c12d17d5386dccf589c21d3f1a2c1d46db9575f60a5a404d0bd5335c2f5d0dad51d77a41e58fed9a5d0bd9fa9f7bf8173135ef82b9597a

memory/5464-451-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3192-452-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3192-459-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 8b5bcc540a044c50ed1beefb718f5dd8
SHA1 d96e58a8746e9aaa421b8960d6dd8f65315dc91c
SHA256 93e6605e695501e3ce0a5880435d00327f69acc37d9dd0f2a8ac1fea78dbd7e9
SHA512 7a5d1f264febf8eb418746cb2b77cedabcea7d7564f907254ff831b7b80a3707c2037695d7e1f7a645790c1d05e2181b708c57e574ab031c6317d9a4b927893e

memory/5860-464-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/1812-465-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1812-474-0x0000000000C50000-0x0000000000CB0000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 5b89d34f4f7da6303c33d2a6b155ff4a
SHA1 6c64fbfd6454e669685712e897a54608009f3351
SHA256 1ca721f1eb01714bdc90359e3370af161a9864b3908f0109777fef941e14ff54
SHA512 1fb46a70f878418d90896168802eb37cd6535e38992db7cec224310626b18c0a5ef92ec41132f10ea1825401c26d631be34d160460d935d0dcba57647d1a4250

memory/4648-477-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/5792-479-0x0000000140000000-0x00000001401A6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 bebbbfe23df01f5273827aac8dc31176
SHA1 628af151ad006bc4464d5565926ad9105556cfc9
SHA256 edfc0601642ca66b4414ec419e4961dc8edef34e9b84022b069eae58b6637bc1
SHA512 73c202ab834b519e5a2404e972913f916be8945901007f04466830bb287f73bc41132faf7bb9fff3633ba90155b0680b44af510f79dc6e8eac526605f53b8058

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fc1886e68b9d9abb1d630026d64b3f26
SHA1 7cf40ba35ff9f6b5d9104d92cc80d401d3edff38
SHA256 0c148a6c46f58564e0ade7654e2df2cd647e059a58e78a82bdc4624b8c7c2e1b
SHA512 df019ef23dcfa5eba3ddf1262f027b19ea9a9d3395ce168b082388b143f64b675664e017f0ca2c4749ed9e13424527c9211da952415cb0b8c8bf2a2c428a85fd

C:\Users\Admin\AppData\Local\Temp\scoped_dir2644_1374066822\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bd87672cb6547c76e21909f4b72ba4c5
SHA1 49a6ef2860af24c004a008939b35cff39a9cc3d4
SHA256 65b6cd8ba0beab137d94a9c4691ab210eb41096dff2f87b8fe7738ed8b0d0d34
SHA512 fa59f16dc67668446403bbf80ec196d82495c4a623735e663819b692d25adc93a3abbb29a5bb45c7f8a6de04959d99aeafa94b197c38814660103ca1b80f624d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 1cf28c8427d67b7f9abfed6faf79240a
SHA1 03d13ab35b1c8f647320c20ac0e32dfd49aa5139
SHA256 11c320bcb4ef48b15bb50b45f1ff8e4bd57e53f90d14c9699883612449fa7203
SHA512 cbb607e031137a01ce304d1c53d4034081cb818c6bcd13b50875f69b26411d1aa5a20f8ced09e281fde00fa7017491fc209a8c64bbf33e98bdd6be1f72549357

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5f3edff58b2a093ef86e04e27c021bb3
SHA1 9655e3c6d811915133598a1e47d37d7585d35959
SHA256 23429cc9bcbfc71fa99737236b1be870254bc38f1a4a0251623d77ebfc9f6001
SHA512 bb5a920331189eade3c51ee4e9965e9832885e2180492d6ba08dd1584ede2b265f0ce0af3619d2920c9591a3d4d3f830071c4adef9d98ddc8d0767236bf13de1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 333ddfaad13eaeb501f760ec075c1d83
SHA1 340805b541c46568737fcf7c78bc39b87a431a01
SHA256 88bcf14c3cb826a5722b25e7f34cf71e5b19944af36fad6287280a19d1d7ecac
SHA512 0cf461308fbc60ad2f7a8cd679b2ea1c4ab989a9c1b27781da201f82102f626706f98d6363f38d6d6407451dcde0789ac43d6d7f5dbd77b06969741184048d6c

C:\Windows\system32\AppVClient.exe

MD5 f4f3343faf4a77e6b5d3ceabc6689de8
SHA1 e392bf99ef55505ce6c1b0f8a5d2d6a6b0ca4996
SHA256 b928429149fcc630f6a28af98e752b3ad09d48e5fd51bc27784e5e0b4f67b117
SHA512 9985443d3afd4e7da03807883447524bb4c4164331cb2d60526c85caf9371a408e5badf74759356109bbf05063421eccfcd88f08d34a62b403d6f8c1f9bffe93

C:\Windows\system32\msiexec.exe

MD5 b7633b32af3ddd696c23cddf6efaa818
SHA1 a8f6fec011989b864f9ecd119c91d28f79649023
SHA256 9382ed84c591d27c29782d9162632a1a140a752c90546d4ef946c0a25934361e
SHA512 eeb2807d00a48b7151a0a4f4de904cd7bf5187f366d8f96cf129b231709af1583429353edc9c2995769064e4f04965b7688055fd83f68225418c2574db65c459

C:\Windows\system32\SgrmBroker.exe

MD5 d3ca9cb8803a75a820f9324da3cd94aa
SHA1 935729f98a66e6ce8ba06c3adff3fc5a40810393
SHA256 cfb871970d2c7e8cfcfb21d5dd073f01feca32f2f2bf6efa2422e828cbe59679
SHA512 65f92da40fe5c198f633194be6982768c2864bda54313a7401dadac3452ad3728b84a42b5cf0aa8f58c71dac4f82dc7bd063c5930991308797a404505ef220b7

C:\odt\office2016setup.exe

MD5 eddd991e454c08aa670d80d2994a8c4b
SHA1 7ee6b92429057410d56f988663c06808d5af0ccd
SHA256 3f23fb642bcdf46ffa13068b43c385df36264f1ee8514d6c795ea31c47bc06bf
SHA512 07f3be88de14cc8af0a15a6637bdf20dc8dfbd3169d7198d0f430f7ae34176df3ec899a5f03b0d8bc704e5d2ff5d0ffb326c6f3b0448864ae2438cf02c9c4469

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 67080f631e4d2a392e505b2ada768a81
SHA1 9a8ecf51c069828b91141194447430cd24ecda05
SHA256 083336c56bc502cab22f0f74a333efa004b0a545a0e7f9d11153d558e3e45ca5
SHA512 eb11fc7bfeffda1f51b88f510dfd0b4d427236037d409a00b4cf2bfb0ea0e3fff566197f15a67955dbc6698f952da373f1283bd7727f72dc9887be801f394585

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 35814c602d6311cc964b2d252052c55e
SHA1 8ab45f7978fb197c2f17e1d8081aa0f34dc4d035
SHA256 3c0895fc9465c015b3a96ddcfb4d8ed3ef9264639a9b24ffe58f96bf7e30b949
SHA512 7702c5afca77da607697a658ead54e2a2026603722666af7a275aded983359cea7bb32787ceb6132a8d6b0578ebc688177c846a5102ec7ad4db0f3eadc04b549

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 64b7dd0875e7c90f201cbaab80e9d154
SHA1 cbe210fe72b4d383c7a9a7dfbe789a722daaadeb
SHA256 d5510092c64a68cbd88e9bd3f08d69caf390fd9a46607b2087518ce7b5e1a02c
SHA512 ca5bde527160f5fc0fc8fb29f15f4499d282a66199c7a14fc707f9b9a2d6814817e5059fae7fad1604ba1a5d6c406fee5eee3ec3a3df29b2839ae3db83f8bf7e

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 5ecd843af5d94930b9530c2f0ce7da36
SHA1 b8187477c41cb6f97629a3aa3afafc4455dee629
SHA256 1cd1df2b026572f52895af6d6fc06ddada7e5e659c513b50a7588128a5dd7895
SHA512 c14581cc34f78e2e80462b9de1d6ee320b2a5edc998d1c7f1169b1643677628ec892f8cdccb3fcd49856e3cc43099adaf5cefdc0f9abf6b9e486846e9b89706d

C:\Program Files\7-Zip\Uninstall.exe

MD5 87aa212191976477b66491be194b6de4
SHA1 e1917db90c8319d91750f2d2a8430a454d891d9d
SHA256 823e4784be5be6a2b5628638991b3a553af6c8514edf6e19b87c60b6974853cd
SHA512 dfc025483157c1aea8654d515debbc3877aa09628f3617de52f2a22ed8ad4908581b79269bf30a7b0d0706a8583d5e9bd2d7405a75db68a1c50a476365d3cd28

C:\Program Files\7-Zip\7zG.exe

MD5 c52348b422d916119f32df33b6fbc3c6
SHA1 c46456a3c4d3d190386364d6d84ff6ab8a2d6db7
SHA256 671febebc73f06492a7a162478f398542338278516e49114b76c389795cc957b
SHA512 dd187910741ca5bb2bf0e3fbf8868aa428503fabf0403fe160e1d001a87716db93adfefceccfc654c07fe0c8e57bc7de557e09b2ef5c4f70e6924060a18d1354

C:\Program Files\7-Zip\7zFM.exe

MD5 c948f122d8271e857d7d63ba31b673a7
SHA1 e53f08d675bf0b423cef6df177a6763f2d155236
SHA256 56c08f18087007c1407d1b3e9e29cbf6e45f5ac534589a45af4e10ab510e552f
SHA512 998680e04c55e1a1f5795fae6316d7f88827c60093f5b8ac595210074087d99f18beeeabe498e6ca92cc4304af795ec5d7b1b94391b878aa059d5a0e64fb2cc3

C:\Program Files\7-Zip\7z.exe

MD5 9af303f9439def055925ad7cbed32f98
SHA1 d3b9a1ffb3dec7b772fe557c606656a3f559701e
SHA256 f60a0891d27095cc0f84644b87524a205d0d2963bccbe2147a5f3f77ed750536
SHA512 4a7f839773b20577056629780a51969316867cfc48aa849a8d767014cb11c00260c951565ac2b8b9126650e12c8e8ac132078caa4a00b7e37ac79be8730ea3c7

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 87f63a451d3de30841b164f801d19d68
SHA1 a6804604aded8eb9325f0167dc863a28fab8d7aa
SHA256 4a8ebe356fedf18fa26772a523e6ac2ad3105b326eb58d59022e54e17baffadc
SHA512 1345eb102aae7642f8cecdd46467a77d2d92b1e4c79192c52545e05a59c555d2012bf9d5f506aac8a67d9969ebf2716ab9c58a2b24eec894768389f2fb5e1008

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 56a2bf37e93746c049765a83fb945cf0
SHA1 f88a330d885ef85c517b5cab581a51d7c9de4828
SHA256 58890a1f198d33d3a1d58d2242f572e3e28e2a34f229400f7a52194d0899431a
SHA512 93f93e4f18d44d5400e50e79dc9676a5182ffebe5520f2dc0d67e61ecf628ae44254bcb36e7f1422c81565ad35d702e50c3cf0cd656253dbca5aec5c57b12eac

C:\Program Files\dotnet\dotnet.exe

MD5 33dee2ebeed77826c1eeceb89b452424
SHA1 0e6e1dc3cb4922062e025ac1d5ab52c87992653c
SHA256 fe4e0bd8faf70a19e58e276b208f367fb09b18bd684567aacd69212407958486
SHA512 36bb932bc70cc0527c52fc631e4a72f69b1222639939cd11f2ff7ce2af529d290ea9229b4180082b0bb3ca9c9b874ddf1143f6757d072e9b268cea1b61acabe7

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 411a49623aca8f42801f0ad706966abd
SHA1 d695162bacc7f97cd02c36fc057b93d71cc7d88d
SHA256 5f7065df621912baf316eadbdd9d2754e4430decb72a00802d332429fe535778
SHA512 d0e4dc9b447fc8688eca0660eed9e73d34b563399f3ae26c2732630f1dbae11d8430aebb1608194a6807ed11294d2c4d37f81fe232e395363de04826e07ebbe9

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 a0954507924ba0f79b2f2de0277ac150
SHA1 0869e94aa9a59913a0624b846b3d32ec16f963a6
SHA256 a2418edac5e6bc874fa804c6869ddfa7ed56abfac33757b64a1e20150bdde2c6
SHA512 356a253d07ad43c65dd220aca4590a6c589dec7ef9d83d2a413559f934f4136bc0d7458ff7c012b4ba79bb59db5e04c2e5e43364c56e82d0b44dd7da276b04ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 368260c6fce84badcb88fba00cbc5f11
SHA1 176094cf25327ce9f1b6c1b8cec85a0126aca1e0
SHA256 0c54caf08eaeb3d89283c6fa4bbc6ebbd5d3ba7083bb9e6175da91a6b074f854
SHA512 96af7ec29cd651f65342f39dce21fdd231ab9bf16b017f1a39beb702aaea2ad804a60396b9b267b7fe1ef6a4d2e57029ed294e4a8105034e8d584289bf850227